Data loss prevention company hacked by Tick cyberespionage group
ESET researchers have uncovered a compromise from an East Asian data loss prevention (DLP) company. The attackers used at least three malware families during the intrusion, compromising both the internal update servers and third-party tools used by the company. This led to two of the company’s customers later being compromised.
Illustration of the compromise chain
ESET attributes the campaign with high confidence to the Tick APT group. Based on Tick’s profile, the goal of the attack was most likely cyber espionage. The customer portfolio of the DLP company includes government and military entities, making the compromised company a particularly attractive target for an APT group like Tick.
“The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate third-party tools used by the company, ultimately resulting in the execution of malware on customers’ computers,” says ESET researcher Facundo Muñoz, who discovered Tick’s latest operation. “During the intrusion, the attackers deployed a previously undocumented downloader, which we have named ShadowPy, and also deployed the Netboy backdoor (aka Invader) as well as the Ghostdown downloader,” adds Muñoz.
The first attack occurred in March 2021, and ESET notified the company of the compromise. In 2022, ESET telemetry recorded the execution of malicious code in the networks of two of the compromised company’s customers. Since trojanized installers were transferred via remote support software, ESET Research assumes this took place while the DLP company was providing technical support.
The attackers also compromised two internal update servers, which delivered malicious updates for the software developed by this DLP company on two occasions to machines inside the DLP company’s network.
The previously undocumented downloader ShadowPy was developed in Python and loads through a custom version of the open source py2exe project. ShadowPy contacts a remote server from which it receives new Python scripts that are decrypted and executed. The older Netboy backdoor supports 34 commands, including gathering system information, deleting a file that downloads and runs programs, performing screen captures, and executing mouse and keyboard events requested by the controller.
Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group believed to have been active since at least 2006 and mainly targeting countries in the APAC region. This group is of interest for their cyberespionage operations, which focus on stealing classified information and intellectual property. Tick uses an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and tool downloads.