Tick APT Group Hacked East Asian DLP Software Firm

Written by

A new malware campaign targeting an East Asian company that develops data-loss prevention (DLP) software for government and military entities has been attributed to the advanced persistent threat (APT) group known as Tick.

According to an advisory published by ESET on Tuesday, the threat actor breached the DLP company’s internal update servers to deliver malware within its network. It then trojanized legitimate tool installers used by the firm, leading to malware being executed on two of its customers’ computers.

“During the intrusion, the attackers deployed a previously undocumented downloader named ShadowPy, and they also deployed the Netboy backdoor (aka Invader) and Ghostdown downloader,” wrote ESET malware researcher Facundo Muñoz.

The security expert added that Tick has reportedly been active since at least 2006, employing a unique custom malware toolset created for persistent access in compromised machines, as well as reconnaissance, data exfiltration and additional tool download.

Our latest report into Tick’s activity found it exploiting the ProxyLogon vulnerability to compromise a South Korean IT company, as one of the groups with access to that remote code execution exploit before the vulnerability was publicly disclosed,” Muñoz explained.

Read more on ProxyLogon here: Hackers Hide Malware in Windows Logo, Target Middle East Governments

However, the attack on the DLP company was spotted by ESET in March 2021. The hackers would have deployed malware that month, and weeks later began introducing trojanized copies of the Q-Dir installers.

The APT group then compromised the targeted company’s network in June and September 2021, transferring the trojanized Q-dir installers to customers of the compromised company in February and June 2022.

“Based on Tick’s profile and the compromised company’s high-value customer portfolio, the objective of the attack was most likely cyber espionage,” Muñoz wrote. 

How the DLP company was first compromised is currently unknown. Still, ESET hypothesized the firm’s customers were receiving technical support via a remote support application and the malicious installer was used unknowingly on customer machines.

“It is unlikely that the attackers installed support tools to transfer the trojanized installers themselves,” Muñoz added.

Tick is one of many ATP groups currently targeting Asia-based companies. The Check Point Research (CPR) team recently published an advisory detailing an espionage campaign expansion in the region by the threat actor known as Sharp Panda.

What’s hot on Infosecurity Magazine?