Data loss prevention company hacked by Tick cyberespionage group

Data loss prevention company hacked by Tick cyberespionage group

ESET researchers have uncovered a compromise from an East Asian data loss prevention (DLP) company. The attackers used at least three malware families during the intrusion, compromising both the internal update servers and third-party tools used by the company. This led to two of the company’s customers later being compromised.

data loss prevention hacked

Illustration of the compromise chain

ESET attributes the campaign with high confidence to the Tick APT group. Based on Tick’s profile, the goal of the attack was most likely cyber espionage. The customer portfolio of the DLP company includes government and military entities, making the compromised company a particularly attractive target for an APT group like Tick.

“The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate third-party tools used by the company, ultimately resulting in the execution of malware on customers’ computers,” says ESET researcher Facundo Muñoz, who discovered Tick’s latest operation. “During the intrusion, the attackers deployed a previously undocumented downloader, which we have named ShadowPy, and also deployed the Netboy backdoor (aka Invader) as well as the Ghostdown downloader,” adds Muñoz.

The first attack occurred in March 2021, and ESET notified the company of the compromise. In 2022, ESET telemetry recorded the execution of malicious code in the networks of two of the compromised company’s customers. Since trojanized installers were transferred via remote support software, ESET Research assumes this took place while the DLP company was providing technical support.

The attackers also compromised two internal update servers, which delivered malicious updates for the software developed by this DLP company on two occasions to machines inside the DLP company’s network.

See also  DraftKing's user details lose nearly thousands to hack

The previously undocumented downloader ShadowPy was developed in Python and loads through a custom version of the open source py2exe project. ShadowPy contacts a remote server from which it receives new Python scripts that are decrypted and executed. The older Netboy backdoor supports 34 commands, including gathering system information, deleting a file that downloads and runs programs, performing screen captures, and executing mouse and keyboard events requested by the controller.

Tick ​​(also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group believed to have been active since at least 2006 and mainly targeting countries in the APAC region. This group is of interest for their cyberespionage operations, which focus on stealing classified information and intellectual property. Tick ​​uses an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and tool downloads.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *