Chinese Tick Group Allegedly Linked to Attacks on Asian Companies’ Customers
Attackers use legitimate tools to automatically infect corporate networks.
The cyber-espionage APT group Tick compromised a Data Loss Prevention (DLP) company that serves government and military organizations in East Asia, according to a new report by ESET researchers.
The attackers compromised the company’s internal update servers to deliver malware to the software developer’s network, and trojanized the installers of legitimate tools used by the company, which eventually led to malware running on the systems of the company’s clients.
The Tick group (Bronze Butler, Stalker Panda, REDBALDKNIGHT and Stalker Taurus) is believed to be connected to China. The group mainly attacked state-owned, manufacturing and biotech firms in Japan, as well as Russian, Singaporean and Chinese companies. Tick is believed to have been active since at least 2006.
The group’s attack chains include phishing emails. At the end of February 2021, Tick was among the attackers who exploited the ProxyLogon vulnerabilities in Microsoft Exchange Server to install a backdoor on a web server owned by a South Korean IT company.
Around the same time, Tick is believed to have gained access, by unknown means, to the network of an East Asian software company; the company’s name was not disclosed. This was followed by the deployment of a trojanized version of the legitimate file manager Q-Dir to deliver a backdoor called ReVBShell, as well as the previously undocumented ShadowPy loader.
Also delivered during the intrusion were variants of a backdoor called Netboy (aka Invader or Kickesgo), which can collect system information and create a reverse shell, as well as another loader, Ghostdown.
To maintain persistent access, the attackers deployed malicious DLL loaders alongside legitimate signed applications vulnerable to DLL search order hijacking (DLL hijacking). The purpose of these DLLs is to decode the payload and inject it into the designated process.
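The DLL search order hijacking pattern described above leaves a recognisable trace in endpoint telemetry: a DLL whose name belongs to a Windows system library is loaded from the host application's own directory rather than from System32. The following detection logic is an added example written for this article, not ESET's or the attackers' code; the Sysmon-style event fields, the small system-DLL list and the sample events are all constructed for illustration.

```python
import ntpath

# Constructed subset of DLL names that normally live only under the Windows
# system directories; a production list would be far longer.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll",
                     "wtsapi32.dll", "userenv.dll", "dbghelp.dll"}

SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32\\",
                       "c:\\windows\\syswow64\\",
                       "c:\\windows\\winsxs\\")


def is_system_path(path: str) -> bool:
    """True if the path sits under one of the trusted Windows system directories."""
    return path.lower().startswith(SYSTEM_DIR_PREFIXES)


def find_sideloaded_dlls(events):
    """Flag image-load events where a DLL carrying a system-DLL name is resolved
    from the host process's own directory instead of the system directory,
    the pattern produced by search-order hijacking against a signed binary.
    Each event is a dict with Sysmon-like keys: Image, ImageLoaded, Signed."""
    findings = []
    for ev in events:
        proc = ev["Image"].lower()
        dll = ev["ImageLoaded"].lower()
        if ntpath.basename(dll) not in KNOWN_SYSTEM_DLLS or is_system_path(dll):
            continue  # not a hijackable name, or loaded from the right place
        if ntpath.dirname(dll) != ntpath.dirname(proc):
            continue  # loaded from elsewhere; not the sideload-beside-exe pattern
        reason = "system DLL name loaded from the process directory"
        if ev.get("Signed", "false").lower() != "true":
            reason += ", DLL unsigned"
        findings.append({"process": proc, "dll": dll, "reason": reason})
    return findings


# Constructed sample events (not real telemetry) in Sysmon Event ID 7 shape.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\support\viewer.exe",          # signed host app
     "ImageLoaded": r"C:\Users\alice\support\version.dll",   # loader dropped beside it
     "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"C:\Program Files\Editor\plugin.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in find_sideloaded_dlls(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample event is reported; the second is a normal system load and the third loads a vendor plugin that does not masquerade as a system DLL.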
Subsequently, in February and June 2022, trojanized Q-Dir installers were delivered via the remote support tools helpU and ANYSUPPORT to devices at two clients of an engineering and manufacturing firm located in East Asia.
According to ESET experts, the goal of the campaign was not to compromise the target firms’ supply chains, but to have the malicious installer unknowingly used as part of technical support activities.
Source: www.securitylab.ru