The hacked company has government and military entities among its customers. The attackers targeted its internal servers and the third-party tools it used. Two of its customers were also affected. A new downloader has been detected that ESET has named ShadowPy.
ESET, a global leader in the cybersecurity market, has discovered the breach of a data-loss prevention (DLP) company located in East Asia. During the intrusion, the attackers distributed at least three types of malware and compromised internal update servers and third-party tools used by the victim. Following the breach, the servers of two of the company's customers were also compromised. ESET attributes the campaign to the APT Tick group. Based on the group's profile, it is assumed that the purpose of the attack was cyber espionage. The DLP company's client portfolio includes government and military bodies, making it attractive for an APT group like Tick.
“The attackers hacked into the DLP company's internal update servers to distribute malware across the company's network and targeted installers of legitimate third-party tools used internally with Trojans, which ultimately led to malware execution on customers' computers,” explains Facundo Muñoz, the ESET researcher who discovered Tick's latest operation. “During the intrusion, the attackers deployed a previously undocumented downloader, which we called ShadowPy, and also deployed the Netboy (aka Invader) backdoor and the Ghostdown downloader,” adds Muñoz.
The initial attack dates back to March 2021, and ESET notified the company immediately. In 2022, the vendor's telemetry recorded the execution of malicious code on the networks of two customers of the compromised company. Since the trojanized installers were transferred via remote assistance software, ESET speculates that the transmission occurred while the DLP company was providing technical support. The attackers also breached two internal update servers and, on two occasions, used them to push malicious updates of software developed by the company to systems within the company's network.
The previously undocumented ShadowPy downloader was developed in Python and is loaded through a customized version of the open-source project py2exe. ShadowPy contacts a remote server from which it receives new Python scripts, which it decrypts and executes. The previous version of the Netboy backdoor supports 34 commands, including collecting system information, deleting files, downloading and running programs, taking screenshots, and issuing mouse and keyboard commands.
Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group believed to have been active since at least 2006 and to target primarily countries in the APAC region. The group is known for its cyber-espionage operations, which focus on the theft of confidential information and intellectual property. Tick employs a unique malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and tool downloading.
Further information regarding the techniques used in the latest Tick campaign is available in the article “The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia” on WeLiveSecurity.