A new malware campaign targeting an East Asian company that develops data loss prevention (DLP) software for government and military agencies has been attributed to an advanced persistent threat (APT) group known as Tick.
According to an advisory issued by ESET on Tuesday, the attackers compromised the DLP company’s internal update server and delivered malware within the network. They then trojanized installers of a legitimate tool used by the company, which eventually resulted in the execution of malware on the computers of two of the company’s customers.
“During the intrusion, the attackers deployed a previously undocumented downloader named ShadowPy, and also deployed the Netboy backdoor (aka Invader) and the Ghostdown downloader,” wrote ESET malware researcher Facundo Muñoz.
Security experts say Tick has been active since at least 2006 and uses its own custom malware toolset, created for persistent access to compromised machines, reconnaissance, data exfiltration and the downloading of tools.
“The latest report on Tick’s activity found that Tick exploited the ProxyLogon vulnerability to compromise a South Korean IT company. It was one of the groups that had access to the exploit,” explained Muñoz.
The attack on the DLP company was discovered by ESET in March 2021. The attackers deployed malware that month, and a few weeks later began introducing a trojanized copy of the Q-Dir installer.
The APT group then compromised the targeted company’s networks in June and September 2021 and transferred the trojanized Q-Dir installer to the compromised company’s customers in February and June 2022.
“Based on Tick’s profile and the compromised company’s high-value customer portfolio, the purpose of the attack is most likely cyber espionage,” wrote Muñoz.
It is currently unknown how the DLP company was first compromised. Nonetheless, ESET hypothesized that its customers were receiving technical support via a remote support application, and that the malicious installers were transferred to customer machines in that way without their knowledge.
“It is unlikely that the attackers installed the support tool and transmitted the trojanized installer themselves,” added Muñoz.
Tick is one of many APT groups currently targeting companies based in Asia. The Check Point Research (CPR) team recently published an advisory detailing the growing espionage activity in the region by a threat actor known as Sharp Panda.