
China-based Tick APT Deploys Custom Malware and Uses Other Tools

Tick, a China-linked APT group also known as Bronze Butler, REDBALDKNIGHT, Stalker Panda, and Stalker Taurus, targeted an East Asian company that develops Data-Loss Prevention (DLP) software. The group compromised the company’s internal update servers and tools to deliver malware inside the company’s network.

Diving into details

In a recent report, ESET attributed the attack to the Tick group, stating that it exploited the ProxyLogon vulnerability to compromise a South Korean IT company in early 2021.
  • Around the same time, it gained access to the network of the East Asian software developer company through unknown means.
  • This attack impacted the DLP company, as well as its customer portfolio, which includes government and military entities.
  • After gaining backdoor access, the adversary started deploying malware on several machines of the company.

Tick’s malware

  • In April 2021, Tick used a tampered version of a legitimate app called Q-Dir to drop an open-source VBScript backdoor named ReVBShell, along with a legitimate copy of the app itself, into the network of the compromised company.
  • In June and September 2021, the DLP company’s software delivered malicious updates in the form of a ZIP archive that contained a malicious executable file. A legitimate update agent from the software deployed and executed the executable.
  • In February and June 2022, the trojanized Q-Dir installers were delivered via remote support tools, such as helpU and ANYSUPPORT, to the customers.

Additional tools

  • The group maintained persistent access by deploying malicious loader DLLs, along with legitimate signed applications vulnerable to DLL search order hijacking.
  • It utilized these DLLs to decode and inject a payload into a designated process. The payloads included a downloader named ShadowPy or a variant of Netboy, aka Invader or Kickesgo, or another downloader codenamed Ghostdown.
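
One way a defender might hunt for the DLL search-order hijacking described above, shown as an added example that is not from ESET's report or the original article. It assumes image-load telemetry using Sysmon Event ID 7 field names (`Image`, `ImageLoaded`, `Signed`); the paths, file names and the short system-DLL list are constructed for illustration.

```python
import ntpath  # Windows path rules, works on any OS

# Assumption: short sample of DLL names that normally resolve from System32;
# a real hunt would build this set from a clean reference image.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "winmm.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

def is_search_order_hijack(event):
    """True when an unsigned DLL that shadows a system DLL name is loaded
    from the loading executable's own directory instead of a system directory."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    dll_dir = ntpath.dirname(loaded)
    if ntpath.basename(loaded) not in SYSTEM_DLL_NAMES:
        return False  # name does not shadow a system DLL
    if dll_dir.startswith(SYSTEM_DIRS):
        return False  # resolved from the expected location
    same_dir = dll_dir == ntpath.dirname(image)
    unsigned = event.get("Signed", "false").lower() != "true"
    return same_dir and unsigned

def find_hijack_candidates(events):
    """Return (process image, loaded DLL) pairs worth triaging."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_search_order_hijack(e)]

# Constructed sample events; all paths and file names are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Vendor\signedapp.exe",
     "ImageLoaded": r"C:\ProgramData\Vendor\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\helper.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\dbghelp.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, dll in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"review: {image} loaded {dll}")
```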

Wrapping up

Active since 2006, Tick has been mainly launching cyberespionage operations to steal classified information and intellectual property. The group compromised the DLP company in 2021, maintained persistence in its network, and executed malware on its customer companies as well. Its exclusive custom malware tools and capabilities highlight the threats it poses to organizations, especially in the APAC region.
Cyware Publisher