
A data leak prevention software publisher located in Asia falls victim to a compromise

  • ESET researchers have uncovered a successful attack that compromised the network of an East Asian company specializing in data leak prevention.

  • This publisher's client portfolio includes government and military entities.

  • ESET researchers attributed this attack to the Tick hacker group with near certainty.

  • The objective of the attack was most likely cyber espionage.

  • The attackers deployed at least three families of malware and compromised internal update servers as well as third-party tools used by the company.

  • As a result, two of their clients were compromised.

  • The investigation revealed the existence of a previously undocumented downloader, named ShadowPy by ESET.


Researchers from ESET, a European publisher of security solutions, have discovered that a company specializing in data leak prevention (DLP) in East Asia was the victim of a computer intrusion. During the intrusion, the attackers deployed at least three families of malware and compromised internal update servers as well as third-party tools used by the company. As a result, two customers of the company were compromised. ESET attributed this campaign to the Tick hacker group with near certainty. Given Tick's profile, the objective of the attack is most likely cyber espionage. The DLP company's client portfolio includes government and military entities, making it a particularly attractive target for a hacker group such as Tick.


"Attackers compromised the company's internal update servers and embedded Trojans in the installers of tools used by the company, which ultimately resulted in malware running on customers' computers," says Facundo Muñoz, the ESET researcher who discovered Tick's latest campaign. "During the intrusion, the attackers deployed a then-unknown and undocumented downloader, which we dubbed ShadowPy, as well as the Netboy (aka Invader) backdoor and the Ghostdown downloader," adds Muñoz.


The initial attack took place in March 2021, and ESET informed the company. In 2022, ESET telemetry noted the execution of malware in the networks of two customers of the compromised company. Since the trojanized installers were transferred via remote support software, ESET Research assumes this happened while the DLP company was providing technical support. The attackers also broke into two internal update servers, which twice pushed malicious updates inside the company's network.


The undocumented ShadowPy downloader was developed in Python and is loaded using a custom version of the py2exe open source project. ShadowPy contacts a remote server from which it receives new Python scripts, which are then decrypted and executed. The older Netboy backdoor supports 34 commands, including gathering system information, deleting files, downloading and running programs, taking screenshots, and performing mouse- and keyboard-related events requested by its controller.


Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is a hacker group believed to have been active since at least 2006, primarily targeting countries in the APAC region. The group's cyber espionage activities focus primarily on the theft of classified information and intellectual property. Tick uses a set of proprietary, custom-made malicious tools designed for persistent access to compromised machines, reconnaissance, data exfiltration, and downloading of additional tools.


For more technical information on Tick's latest campaign, see the article "The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia" on WeLiveSecurity. Follow ESET Research on Twitter.

