
A cyber espionage actor known as Tick has been attributed with high confidence to a breach of data loss prevention (DLP) companies in East Asia that serve government and military organizations.
"Attackers compromised a DLP company's internal update servers to deliver malware within the software developer's network, trojanized the installers of legitimate tools used by the company, and ultimately compromised the computers of the company's customers," said ESET researcher Facundo Muñoz.
Also known as Bronze Butler, Stalker Panda, REDBALDKNIGHT, and Stalker Taurus, Tick is a suspected Chinese group that primarily targets Japanese government, manufacturing, and biotech organizations. It is said to have been active since at least 2006.
Other, lesser-known targets include companies in Russia, Singapore, and China. Attack chains orchestrated by the group typically use spear-phishing emails and strategic web compromises as entry points.
In late February 2021, Tick emerged as one of the attackers exploiting the ProxyLogon flaw in Microsoft Exchange Server as a zero-day to plant a Delphi-based backdoor at a South Korean IT company.

Around the same time, the group is believed to have gained access to the network of the East Asian software development company through unknown means. The company's name was not disclosed.
Following this, a modified version of a legitimate application called Q-Dir was deployed, dropping an open-source VBScript backdoor named ReVBShell and a previously undocumented downloader named ShadowPy.
ShadowPy, as the name suggests, is a Python downloader that runs Python scripts retrieved from remote servers.

Also delivered during the intrusion were a variant of the Delphi backdoor Netboy (aka Invader or Kicksgo), which has information-gathering and reverse-shell capabilities, and another downloader codenamed Ghostdown.
"To maintain persistent access, attackers deployed malicious loader DLLs and legitimate signed applications vulnerable to DLL search order hijacking," said Muñoz. "The purpose of these DLLs is to decode and inject payloads into specified processes."
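One defender-side hunt for the persistence layout Muñoz describes (a signed, legitimate executable sitting next to an unsigned DLL that shadows a system DLL name), written here as an added example that is not part of the report or of ESET's tooling. It assumes a file inventory whose signature status and import tables were collected beforehand (for example by an EDR or a signature-checking tool); the inventory, the DLL-name set and all paths below are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileInfo:
    """One inventory entry; signature status is assumed to be pre-collected."""
    path: str              # Windows-style full path
    signed: bool           # Authenticode signature valid?
    imports: tuple = ()    # DLL names from the import table (EXEs only)

# Constructed subset of DLL names normally resolved from the system directory;
# an unsigned, same-named copy beside a signed EXE is the classic hijack layout.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "uxtheme.dll", "userenv.dll"}

def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def find_sideload_candidates(inventory, system_dlls=SYSTEM_DLL_NAMES):
    """Return (exe_path, dll_path) pairs where a signed EXE imports a DLL that sits
    in its own directory, is unsigned, and shadows a system DLL name (leads to triage)."""
    by_dir = {}
    for entry in inventory:
        by_dir.setdefault(_dirname(entry.path), []).append(entry)
    findings = []
    for entries in by_dir.values():
        local_dlls = {_basename(e.path): e for e in entries
                      if e.path.lower().endswith(".dll")}
        for exe in entries:
            if not exe.path.lower().endswith(".exe") or not exe.signed:
                continue
            for name in exe.imports:
                dll = local_dlls.get(name.lower())
                if dll is not None and not dll.signed and name.lower() in system_dlls:
                    findings.append((exe.path, dll.path))
    return findings

# Constructed inventory: a signed support tool with an unsigned version.dll dropped
# beside it (suspicious) and a vendor install whose own unsigned DLL is not a system name.
SAMPLE_INVENTORY = [
    FileInfo(r"C:\ProgramData\Support\tool.exe", True, ("version.dll", "kernel32.dll")),
    FileInfo(r"C:\ProgramData\Support\version.dll", False),
    FileInfo(r"C:\Program Files\Vendor\app.exe", True, ("dwmapi.dll", "vendorcore.dll")),
    FileInfo(r"C:\Program Files\Vendor\dwmapi.dll", True),
    FileInfo(r"C:\Program Files\Vendor\vendorcore.dll", False),
]

if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_INVENTORY):
        print(f"possible DLL search-order hijack: {exe} loads {dll}")
```

A hit only means the layout matches; confirm by checking the DLL's hash, its exports and what it injects into before acting on it.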
Then, in February and June 2022, the trojanized Q-Dir installer was transferred to two of the company's customers, an engineering firm in East Asia and a manufacturing company, via remote support tools such as helpU and ANYSUPPORT.
The Slovak cybersecurity firm said the aim here was not to carry out a supply chain attack against downstream customers; rather, the rogue installer was used "unknowingly" as part of the company's technical support activities.
This incident may also be related to another unattributed activity cluster detailed by AhnLab in May 2022, which involved dropping a ReVBShell implant using a Microsoft Compiled HTML Help (.CHM) file.