ESET researchers have uncovered a compromise of an East Asian data loss prevention (DLP) company. The attackers utilized at least three malware families during the intrusion, compromising both the internal update servers and third-party tools utilized by the company. This resulted in two of the company’s customers being subsequently compromised.
Illustration of the chain of compromise
ESET attributes the campaign with high confidence to the Tick APT group. Based on Tick’s profile, the objective of the attack was most likely cyber espionage. The customer portfolio of the DLP company includes government and military entities, making the compromised company an especially attractive target for an APT group such as Tick.
“The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate third-party tools used by the company, which eventually resulted in the execution of malware on the computers of its customers,” says ESET researcher Facundo Muñoz, who discovered Tick’s latest operation. “During the intrusion, the attackers deployed a previously undocumented downloader, which we’ve named ShadowPy, and also deployed the Netboy backdoor (aka Invader) as well as the Ghostdown downloader,” adds Muñoz.
The initial attack happened in March 2021, and ESET notified the company of the compromise. In 2022, ESET telemetry registered the execution of malicious code in the networks of two of the compromised company’s customers. Since trojanized installers were transferred via remote support software, ESET Research hypothesizes that this took place while the DLP company was providing technical support.
The attackers also compromised two internal update servers, which delivered malicious updates for the software developed by this DLP company on two occasions to machines inside the network of the DLP company.
The previously undocumented downloader ShadowPy was developed in Python and is loaded through a customized version of the open-source project py2exe. ShadowPy contacts a remote server from where it receives new Python scripts that are decrypted and executed. The older Netboy backdoor supports 34 commands, including collecting system information, deleting a file downloading and executing programs, performing screen capture, and performing mouse and keyboard events requested by its controller.
Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group thought to have been active since at least 2006 and that mainly targets countries in the APAC region. This group is of interest for its cyberespionage operations, which focus on stealing classified information and intellectual property. Tick employs an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools.