ESET linked a campaign to the Tick APT group targeting an East Asian data-loss prevention (DLP) software developer, where attackers trojanized installers and compromised update servers to spread malware to the company’s customers. The operation involved ShadowPy, Netboy (Invader), and Ghostdown, with ReVBShell used as a backdoor, and at least two customer networks were affected.
#ShadowPy #Netboy #Ghostdown #ReVBShell #QDir #Tick
Keypoints
- ESET attributes the attack with high confidence to the Tick APT group, based on malware traits and campaign characteristics.
- The compromise began in March 2021 in the network of an East Asian DLP software developer, leading to multiple malicious tool deployments.
- Attackers trojanized installers of Q-Dir and deployed malicious updates via the developer’s internal update servers, enabling lateral movement and customer compromises.
- Three malware families were used or dropped: ShadowPy (a previously undocumented downloader), Netboy (also known as Invader, a backdoor), and Ghostdown, plus the ReVBShell backdoor written in VBScript.
- ShadowPy is a Python-based downloader with a custom py2exe loader and DLL side-loading, downloading and executing payloads from remote servers.
- The DLP company’s customers, including government/military-aligned entities, were targets and two were compromised through trojanized installers.
MITRE Techniques
- [T1195.002] Supply Chain Compromise – Compromise update servers delivering malicious updates. ‘The attackers compromised update servers, which delivered malicious updates on two occasions to machines inside the network.’
- [T1199] Trusted Relationship – Trojanized installers used by the company to compromise customers. ‘The attackers trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company’s customers.’
- [T1059.005] Command and Scripting Interpreter: Visual Basic – ReVBShell VBScript backdoor variant used by attackers. ‘The backdoor is written in VBScript and the controller code is written in Python.’
- [T1059.006] Command and Scripting Interpreter: Python – ShadowPy downloader uses Python for its operations. ‘ShadowPy is a downloader developed in Python…’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Loaders persist via Run keys. ‘Netboy and ShadowPy loaders persist via a Run key.’
- [T1543.003] Create or Modify System Process: Windows Service – Loaders persist by creating a Windows service. ‘persist by creating a service.’
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – ShadowPy and Netboy loaders use DLL side-loading (vssapi.dll via avshadow.exe). ‘vssapi.dll being side-loaded by avshadow.exe.’
- [T1036.004] Masquerading: Masquerade Task or Service – Loaders use legitimate service/description names. ‘loaders use legitimate service and description names when creating services.’
- [T1027] Obfuscated Files or Information – Payloads and configuration are encrypted/obfuscated; overlays contain components. ‘encrypted in its overlay, three major components: the py2exe custom loader, the Python engine and the PYC code.’
- [T1055.002] Process Injection: Portable Executable Injection – Loaders inject into svchost.exe. ‘injects a payload into a designated process (svchost.exe).’
- [T1080] Taint Shared Content – Replaced legitimate applications used by technical support, enabling malware execution within the network. ‘Tick replaced legitimate applications used by technical support…’
- [T1039] Data from Network Shared Drive – Netboy and ReVBShell collect data from network shares. ‘Data from Network Shared Drive’
- [T1113] Screen Capture – Netboy can capture the screen. ‘Screen Capture’
- [T1071.001] Web Protocols – HTTP C2 communications for ShadowPy and ReVBShell. ‘communication via HTTP protocol with their C&C server.’
- [T1132.001] Data Encoding: Standard Encoding – Base64 encoding used in communications. ‘base64 to encode communication with their C&C servers.’
- [T1573] Encrypted Channel – RC4 (Netboy) and AES (ShadowPy) used for encryption. ‘Netboy uses RC4. ShadowPy uses AES.’
- [T1041] Exfiltration Over C2 Channel – Netboy and ReVBShell exfiltrate data over the C2 channel.
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Exfiltration via a web service. ‘Exfiltration to cloud storage.’
Indicators of Compromise