CYBER SECURITY NEWS

ESET Research: Tick cyberespionage attack likely

ESET

ESET researchers uncovered an attack occurring in the network of an East Asian data-loss prevention company with a customer portfolio that includes government and military entities.

ESET researchers have uncovered a compromise of an East Asian data-loss prevention (DLP) company. During the intrusion, the attackers deployed at least three malware families and compromised internal update servers and third-party tools used by the affected company. As a result, two customers of the company were subsequently compromised. ESET attributes the campaign with high confidence to the Tick APT group. 

Based on Tick’s profile, the objective of the attack was most likely cyberespionage. The customer portfolio of the DLP company includes government and military entities, making the compromised company an especially attractive target for an APT group such as Tick. 

“The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate third-party tools used by the company, which eventually resulted in the execution of malware on the computers of its customers. During the intrusion, the attackers deployed a previously undocumented downloader, which we’ve named ShadowPy, and also deployed the Netboy backdoor (aka Invader) as well as the Ghostdown downloader,” adds Muñoz,” said Facundo Muñoz, Researcher, ESET who discovered Tick’s latest operation. 


The initial attack happened in March 2021, and ESET notified the company of the compromise. In 2022, ESET telemetry registered the execution of malicious code in the networks of two of the compromised company’s customers. Since trojanized installers were transferred via remote support software, ESET Research hypothesizes that this took place while the DLP company was providing technical support. The attackers also compromised two internal update servers, which delivered malicious updates for the software developed by this DLP company on two occasions to machines inside the network of the DLP company. 

The previously undocumented downloader ShadowPy was developed in Python and is loaded through a customized version of the open source project py2exe. ShadowPy contacts a remote server from where it receives new Python scripts that are decrypted and executed. The older Netboy backdoor supports 34 commands, including collecting system information, deleting a file, downloading and executing programs, performing screen capture, and performing mouse and keyboard events requested by its controller.

Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group thought to have been active since at least 2006 and that mainly targets countries in the APAC region. This group is of interest for its cyberespionage operations, which focus on stealing classified information and intellectual property. Tick employs an exclusive custom malware tool-set designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools.

Related posts

Redington Strengthened Partnership with Oracle

Channel 360 MEA

ManageEngine launches Identity360

Channel 360 MEA

Using QLC and all-flash arrays in data center modernization

Channel 360 MEA

Leave a Comment