ESET Analysis uncovered a marketing campaign by APT group Tick towards a data-loss prevention firm in East Asia and located a beforehand unreported instrument utilized by the group
ESET researchers found a marketing campaign that we attribute with excessive confidence to the APT group Tick. The incident occurred within the community of an East Asian firm that develops data-loss prevention (DLP) software program.
The attackers compromised the DLP firm’s inner replace servers to ship malware contained in the software program developer’s community, and trojanized installers of respectable instruments utilized by the corporate, which finally resulted within the execution of malware on the computer systems of the corporate’s clients.
On this blogpost, we offer technical particulars in regards to the malware detected within the networks of the compromised firm and of its clients. Through the intrusion, the attackers deployed a beforehand undocumented downloader named ShadowPy, and so they additionally deployed the Netboy backdoor (aka Invader) and Ghostdown downloader.
Based mostly on Tick’s profile, and the compromised firm’s high-value buyer portfolio, the target of the assault was most probably cyberespionage. How the data-loss prevention firm was initially compromised is unknown.
- ESET researchers uncovered an assault occurring within the community of an East Asian data-loss prevention firm with a buyer portfolio that features authorities and army entities.
- ESET researchers attribute this assault with excessive confidence to the Tick APT group.
- The attackers deployed no less than three malware households and compromised replace servers and instruments utilized by the corporate. Consequently, two of their clients had been compromised.
- The investigation revealed a beforehand undocumented downloader named ShadowPy.
Tick overview
Tick (often known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group, suspected of being active since at least 2006, focusing on primarily nations within the APAC area. This group is of curiosity for its cyberespionage operations, which deal with stealing categorised data and mental property.
Tick employs an unique customized malware toolset designed for persistent entry to compromised machines, reconnaissance, knowledge exfiltration, and obtain of instruments. Our newest report into Tick’s exercise discovered it exploiting the ProxyLogon vulnerability to compromise a South Korean IT firm, as one of many teams with entry to that distant code execution exploit earlier than the vulnerability was publicly disclosed. Whereas nonetheless a zero-day, the group used the exploit to put in a webshell to deploy a backdoor on a webserver.
Assault overview
In March 2021, by unknown means, attackers gained entry to the community of an East Asian software program developer firm.
The attackers deployed persistent malware and changed installers of a respectable software referred to as Q-dir with trojanized copies that, when executed, dropped an open-source VBScript backdoor named ReVBShell, in addition to a duplicate of the respectable Q-Dir software. This led to the execution of malicious code in networks of two of the compromised firm’s clients when the trojanized installers had been transferred through distant help software program – our speculation is that this occurred whereas the DLP firm offered technical help to their clients.
The attackers additionally compromised replace servers, which delivered malicious updates on two events to machines contained in the community of the DLP firm. Utilizing ESET telemetry, we didn’t detect some other instances of malicious updates outdoors the DLP firm’s community.
The client portfolio of the DLP firm consists of authorities and army entities, making the compromised firm an particularly enticing goal for an APT group corresponding to Tick.
Timeline
In response to ESET telemetry, in March 2021 the attackers deployed malware to a number of machines of the software program developer firm. The malware included variants of the Netboy and Ghostdown households, and a beforehand undocumented downloader named ShadowPy.
In April, the attackers started to introduce trojanized copies of the Q-dir installers within the community of the compromised firm.
In June and September 2021, within the community of the compromised firm, the element that performs updates for the software program developed by the compromised firm downloaded a package deal that contained a malicious executable.
In February and June 2022, the trojanized Q-dir installers had been transferred through distant help instruments to clients of the compromised firm.
Determine 1. Timeline of the assault and associated incidents.
Compromised replace servers
The primary incident the place an replace containing malware was registered was in June, after which once more in September, 2021. On each instances the replace was delivered to machines contained in the DLP firm’s community.
The replace got here within the type of a ZIP archive that contained a malicious executable file. It was deployed and executed by a respectable replace agent from software program developed by the compromised firm. The chain of compromise is illustrated in Determine 2.
Determine 2. Illustration of the chain of compromise
The primary detected case occurred in June 2021, and the replace was downloaded from an inner server and deployed. The second case occurred in September 2021, from a public-facing server.
The malicious executable points an HTTP GET request to http://103.127.124[.]117/index.html to acquire the important thing to decrypt the embedded payload, which is encrypted with the RC6 algorithm. The payload is dropped to the %TEMP% listing with a random title and a .vbe extension, and is then executed.
Though we’ve not obtained the dropped pattern from the compromised machine, primarily based on the detection (VBS/Agent.DL), we’ve excessive confidence that the detected script was the open-source backdoor ReVBShell.
Utilizing ESET telemetry, we didn’t determine any clients of the DLP firm who had acquired any malicious recordsdata by the software program developed by that firm. Our speculation is that the attackers compromised the replace servers to maneuver laterally on the community, to not carry out a supply-chain assault towards exterior clients.
Trojanized Q-Dir installers
Q-Dir is a respectable software developed by SoftwareOK that enables its person to navigate 4 folders on the similar time inside the similar window, as proven in Determine 3. We imagine that the respectable software is a part of a toolkit utilized by staff of the compromised firm, primarily based on the place the detections originated contained in the community.
Determine 3. Screenshot of the Q-Dir software
In response to ESET telemetry, beginning in April 2021, two months earlier than the detection of the malicious updates, the attackers started to introduce 32- and 64-bit trojanized installers of the applying into the compromised firm’s community.
We discovered two instances, in February and June 2022, the place the trojanized installers had been transferred by the distant help instruments helpU and ANYSUPPORT, to computer systems of two corporations positioned in East Asia, one within the engineering vertical, and the opposite a producing business.
These computer systems had software program from the compromised firm put in on them, and the trojanized Q-dir installer was acquired minutes after the help software program was put in by the customers.
Our speculation is that the purchasers of the compromised DLP firm had been receiving technical help from that firm, through a kind of distant help functions and the malicious installer was used unknowingly to service the purchasers of the DLP firm; it’s unlikely that the attackers put in help instruments to switch the trojanized installers themselves.
32-bit installer
The approach used to trojanize the installer includes injecting shellcode right into a cavity on the finish of the Part Headers desk – the applying was compiled utilizing 0x1000 for FileAlignment and SectionAlignment, leaving in a cavity of 0xD18 bytes – massive sufficient to accommodate the malicious, position-independent shellcode. The entry level code of the applying is patched with a JMP instruction that factors to the shellcode, and is positioned proper after the decision to WinMain (Determine 4); subsequently the malicious code is just executed after the applying’s respectable code finishes its execution.
Determine 4. The meeting code exhibits the JMP instruction that diverts execution stream to the shellcode. The hexadecimal dump exhibits the shellcode on the finish of the PE’s part headers.
The shellcode, proven in Determine 5, downloads an unencrypted payload from http://softsrobot[.]com/index.html to %TEMPpercentChromeUp.exe by default; if the file can’t be created, it will get a brand new title utilizing the GetTempFileNameA API.
Determine 5. Decompiled code of the perform that orchestrates downloading the binary file and writing it to disk
64-bit installer
Whereas just one malicious 32-bit installer was discovered, the 64-bit installers had been detected in a number of locations all through the DLP firm’s community. The installer accommodates the Q-Dir software and an encoded (VBE) ReVBShell backdoor that was personalized by the attackers; each of them had been compressed with LZO and encrypted with RC6. The recordsdata are dropped within the %TEMP% listing and executed.
ReVBShell
ReVBShell is an open-source backdoor with very primary capabilities. The backdoor code is written in VBScript and the controller code is written in Python. Communication with the server is over HTTP with GET and POST requests.
The backdoor helps a number of instructions, together with:
- Getting laptop title, working system title, structure, and language model of the working system
- Getting username and area title
- Getting community adapter data
- Itemizing working processes
- Executing shell instructions and sending again output
- Altering present listing
- Downloading a file from a given URL
- Importing a requested file
We imagine that the attackers used ReVBShell model 1.0, primarily based on the principle department commit historical past on GitHub.
Extra in regards to the DLP firm compromise
On this part, we offer extra particulars about instruments and malware households that Tick deployed within the compromised software program firm’s community.
To keep up persistent entry, the attackers deployed malicious loader DLLs together with respectable signed functions weak to DLL search-order hijacking. The aim of those DLLs is to decode and inject a payload into a chosen course of (in all instances of this incident, all loaders had been configured to inject into svchost.exe).
The payload in every loader is one in all three malware households: ShadowPy, Ghostdown, or Netboy. Determine 6 illustrates the loading course of.
Determine 6. Excessive-level overview of the Tick malware loading course of
On this report we’ll deal with analyzing the ShadowPy downloader and Netboy backdoor.
ShadowPy
ShadowPy is a downloader developed in Python and transformed right into a Home windows executable utilizing a personalized model of py2exe. The downloader contacts its C&C to acquire Python scripts to execute.
Based mostly on our findings, we imagine the malware was developed no less than two years earlier than the compromise of the DLP firm in 2021. We’ve not noticed some other incidents the place ShadowPy was deployed.
Customized py2exe loader
As beforehand described, the malicious DLL loader is launched through DLL side-loading; within the case of ShadowPy we noticed vssapi.dll being side-loaded by avshadow.exe, a respectable software program element from the Avira safety software program suite.
The malicious DLL accommodates, encrypted in its overlay, three main elements: the py2exe customized loader, the Python engine and the PYC code. First, the DLL loader code locates the customized py2exe loader in its overlay and decrypts it utilizing a NULL-preserving XOR utilizing 0x56 as the important thing, then it masses it in reminiscence and injects it in a brand new svchost.exe course of that it creates. Then the entry level of the customized py2exe loader is executed on the distant course of.The distinction between the unique py2exe loader code and the personalized model utilized by Tick, is that the customized loader reads the contents of the malicious vssapi.dll from disk and searches for the Python engine and the PYC code within the overlay, whereas the original locates the engine and the PYC code within the useful resource part.
The loading chain is illustrated in Determine 7.
Determine 7. Excessive-level overview of the steps taken to execute the PYC payload
Python downloader
The PYC code is a straightforward downloader whose objective is to retrieve a Python script and execute it in a brand new thread. This downloader randomly picks a URL from a listing (though for the samples we analyzed just one URL was current) and builds a singular ID for the compromised machine by constructing a string composed of the next knowledge:
- Machine native IP tackle
- MAC tackle
- Username (as returned by the %username% surroundings variable)
- Area and username (outcomes of the whoami command)
- Community laptop title (as returned by Python’s platform.node perform)
- Working system data (as returned by Python’s platform.platform perform)
- Structure data (as returned by Python’s platform.structure perform)
Lastly, it makes use of abs(zlib.crc32(<STRING>)) to generate the worth that may function an ID. The ID is inserted in the midst of a string composed of random characters and is additional obfuscated, then it’s appended to the URL as proven in Determine 8.
Determine 8. Decompiled Python code that prepares the URL, appending the obfuscated distinctive person ID
It points an HTTP GET request to travelasist[.]com to obtain a brand new payload that’s XOR-decrypted with a set, single-byte key, 0xC3, then base64-decoded; the result’s decrypted utilizing the AES algorithm in CFB mode with a 128-bit key and IV supplied with the payload. Lastly it’s decompressed utilizing zlib and executed in a brand new thread.
Netboy
Netboy (aka Invader) is a backdoor programmed in Delphi; it helps 34 instructions that enable the attackers to seize the display, carry out mouse and keyboard occasions on the compromised machine, manipulate recordsdata and providers, and procure system and community data, amongst different capabilities.
Community protocol
Netboy communicates with its C&C server over TCP. The packet format used to alternate data between the backdoor and its C&C is described in Determine 9.
Determine 9. Illustration of the C&C packet format carried out by Netboy
As a way to fingerprint its packets, it generates two random numbers (first two fields within the header) which might be XORed collectively (as proven in Determine 10) to kind a 3rd worth that’s used to validate the packet.
Determine 10. Decompiled code that generates two random numbers and combines them to generate a packet fingerprint worth
Packet validation is proven in Determine 11, when the backdoor receives a brand new command from its controller.
Determine 11. Decompiled code that performs validation of a newly acquired packet
The packet header additionally accommodates the dimensions of the encrypted compressed knowledge, and the dimensions of the uncompressed knowledge plus the dimensions (DWORD) of one other subject containing a random quantity (not used for validation) that’s prepended to the info earlier than it’s compressed, as proven in Determine 12.
Determine 12. Decompiled code that creates a brand new packet to be despatched to the controller
For compression, Netboy makes use of a variant of the LZRW household of compression algorithms and for encryption it makes use of the RC4 algorithm with a 256-bit key made up of ASCII characters.
Backdoor instructions
Netboy helps 34 instructions; nevertheless, in Desk 1 we describe solely 25 of probably the most distinguished ones giving the attackers sure capabilities on the compromised techniques.
Desk 1. Most attention-grabbing Netboy backdoor instructions
| Command ID | Description |
|---|---|
| 0x05 | Create new TCP socket and retailer acquired knowledge from its controller to a brand new file. |
| 0x06 | Create new TCP socket and skim file; ship contents to the controller. |
| 0x08 | Will get native host title, reminiscence data, system listing path, and configured working hours vary for the backdoor (for instance, between 14-18). |
| 0x0A | Checklist community assets which might be servers. |
| 0x0B | Checklist recordsdata in a given listing. |
| 0x0C | Checklist drives. |
| 0x0E | Execute program with ShellExecute Home windows API. |
| 0x0F | Delete file. |
| 0x10 | Checklist processes. |
| 0x11 | Enumerate modules in a course of. |
| 0x12 | Terminate course of. |
| 0x13 | Execute program and get output. |
| 0x16 | Obtain a brand new file from the server and execute with ShellExecute Home windows API. |
| 0x1D | Create reverse shell. |
| 0x1E | Terminate shell course of. |
| 0x1F | Get TCP and UDP connections data utilizing the WinSNMP API. |
| 0x23 | Checklist providers. |
| 0x24 | Begin service specified by the controller. |
| 0x25 | Cease service specified by the controller. |
| 0x26 | Create a brand new service. Particulars corresponding to service title, description, and path are acquired from the controller. |
| 0x27 | Delete service specified by the controller. |
| 0x28 | Set TCP connection state. |
| 0x29 | Begin display seize and ship to the controller each 10 milliseconds. |
| 0x2A | Cease display seize. |
| 0x2B | Carry out mouse and keyboard occasions requested by the controller. |
Attribution
We attribute this assault to Tick with excessive confidence primarily based on the malware discovered that has been beforehand attributed to Tick, and to the most effective of our data has not been shared with different APT teams, and the code similarities between ShadowPy and the loader utilized by Netboy.
Moreover, domains utilized by the attackers to contact their C&C servers had been beforehand attributed to Tick in previous instances: waterglue[.]org in 2015, and softsrobot[.]com in 2020.
Presumably associated exercise
In Might 2022, AhnLab researchers published a report about an unidentified risk actor focusing on entities and people from South Korea with CHM recordsdata that deploy a respectable executable and a malicious DLL for side-loading. The aim of the DLL is to decompress, decrypt, drop, and execute a VBE script within the %TEMP% folder. The decoded script reveals a ReVBShell backdoor as soon as once more.
We imagine that marketing campaign is more likely to be associated to the assault described on this report, because the customized ReVBShell backdoor of each assaults is identical, and there are a number of code similarities between the malicious 64-bit installer (SHA-1: B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6) and the quartz.dll pattern (SHA-1: ECC352A7AB3F97B942A6BDC4877D9AFCE19DFE55) described by AhnLab.
Conclusion
ESET researchers uncovered a compromise of an East Asian knowledge loss prevention firm. Through the intrusion, the attackers deployed no less than three malware households, and compromised replace servers and instruments utilized by the compromised firm. Consequently, two clients of the corporate had been subsequently compromised.
Our evaluation of the malicious instruments used through the assault revealed beforehand undocumented malware, which we named ShadowPy. Based mostly on similarities within the malware discovered through the investigation, we’ve attributed the assault with excessive confidence to the Tick APT group, identified for its cyberespionage operations focusing on the APAC area.
We want to thank Cha Minseok from AhnLab for sharing data and samples throughout our analysis.
IoCs
Information
| SHA-1 | Filename | ESET detection title | Description |
|---|---|---|---|
| 72BDDEAD9B508597B75C1EE8BE970A7CA8EB85DC | dwmapi.dll | Win32/Netboy.A | Netboy backdoor. |
| 8BC1F41A4DDF5CFF599570ED6645B706881BEEED | vssapi.dll | Win64/ShadowPy.A | ShadowPy downloader. |
| 4300938A4FD4190A47EDD0D333E26C8FE2C7451E | N/A | Win64/TrojanDropper.Agent.FU | Trojanized Q‑dir installer, 64‑bit model. Drops the personalized ReVBShell model A. |
| B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6 | N/A | Win64/TrojanDropper.Agent.FU | Trojanized Q‑dir installer, 64‑bit model. Drops the personalized ReVBShell model B. |
| F54F91D143399B3C9E9F7ABF0C90D60B42BF25C9 | N/A | Win32/TrojanDownloader.Agent.GBY | |
| FE011D3BDF085B23E6723E8F84DD46BA63B2C700 | N/A | VBS/Agent.DL | Personalized ReVBShell backdoor model A. |
| 02937E4A804F2944B065B843A31390FF958E2415 | N/A | VBS/Agent.DL | Personalized ReVBShell backdoor model B. |
Community
| IP | Supplier | First seen | Particulars |
|---|---|---|---|
| 115.144.69[.]108 | KINX | 2021‑04‑14 | travelasist[.]com ShadowPY C&C server |
| 110.10.16[.]56 | SK Broadband Co Ltd | 2020‑08‑19 | mssql.waterglue[.]org Netboy C&C server |
| 103.127.124[.]117 | MOACK.Co.LTD | 2020‑10‑15 | Server contacted by the malicious replace executable to retrieve a key for decryption. |
| 103.127.124[.]119 | MOACK.Co.LTD | 2021-04-28 | slientship[.]com ReVBShell backdoor model A server. |
| 103.127.124[.]76 | MOACK.Co.LTD | 2020‑06‑26 | ReVBShell backdoor model B server. |
| 58.230.118[.]78 | SK Broadband Co Ltd | 2022-01-25 | oracle.eneygylakes[.]com Ghostdown server. |
| 192.185.89[.]178 | Community Options, LLC | 2020-01-28 | Server contacted by the malicious 32-bit installer to retrieve a payload. |
MITRE ATT&CK strategies
This desk was constructed utilizing version 12 of the MITRE ATT&CK framework.
| Tactic | ID | Identify | Description |
|---|---|---|---|
| Preliminary Entry | T1195.002 | Provide Chain Compromise: Compromise Software program Provide Chain | Tick compromised replace servers to ship malicious replace packages through the software program developed by the compromised firm. |
| T1199 | Trusted Relationship | Tick changed respectable functions utilized by technical help to compromise clients of the corporate. | |
| Execution | T1059.005 | Command and Scripting Interpreter: Visible Primary | Tick used a personalized model of ReVBShell written in VBScript. |
| T1059.006 | Command and Scripting Interpreter: Python | ShadowPy malware makes use of a downloader written in Python. | |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Netboy and ShadowPy loaders persist through a Run key. |
| T1543.003 | Create or Modify System Course of: Home windows Service | Netboy and ShadowPy loaders persist by making a service. | |
| T1574.002 | Hijack Execution Move: DLL Facet-Loading | Netboy and ShadowPy loaders use respectable service and outline names when creating providers. | |
| Protection Evasion | T1036.004 | Masquerading: Masquerade Job or Service | Netboy and ShadowPy loaders use respectable service and outline names when creating providers. |
| T1036.005 | Masquerading: Match Official Identify or Location | Netboy and ShadowPy loaders use respectable service and outline names when creating providers. | |
| T1027 | Obfuscated Information or Info | Netboy, ShadowPy, and their loader use encrypted: payloads, strings, configuration. Loaders include rubbish code. | |
| T1027.001 | Obfuscated Information or Info: Binary Padding | Netboy and ShadowPy loaders DLLs are padded to keep away from safety options from importing samples. | |
| T1055.002 | Course of Injection: Transportable Executable Injection | Netboy and ShadowPy loaders inject a PE right into a preconfigured system course of. | |
| T1055.003 | Course of Injection: Thread Execution Hijacking | Netboy and ShadowPy loaders hijack the principle thread of the system course of to switch execution to the injected malware. | |
| Discovery | T1135 | Community Share Discovery | Netboy has community discovery capabilities. |
| T1120 | Peripheral Gadget Discovery | Netboy enumerates all out there drives. | |
| T1057 | Course of Discovery | Netboy and ReVBShell have course of enumeration capabilities. | |
| T1082 | System Info Discovery | Netboy and ReVBShell, collect system data. | |
| T1033 | System Proprietor/Consumer Discovery | Netboy and ReVBShell, collect person data. | |
| T1124 | System Time Discovery | Netboy makes use of system time to contact its C&C solely throughout a sure time vary. | |
| Lateral Motion | T1080 | Taint Shared Content material | Tick changed respectable functions utilized by technical help, which resulted additionally in malware execution inside the compromised community on beforehand clear techniques. |
| Assortment | T1039 | Knowledge from Community Shared Drive | Netboy and ReVBShell have capabilities to gather recordsdata. |
| T1113 | Display screen Seize | Netboy has screenshot capabilities. | |
| Command and Management | T1071.001 | Utility Layer Protocol: Net Protocols | ShadowPy and ReVBShell talk through HTTP protocol with their C&C server. |
| T1132.001 | Knowledge Encoding: Customary Encoding | Tick’s personalized ReVBShell makes use of base64 to encode communication with their C&C servers. | |
| T1573 | Encrypted Channel | Netboy makes use of RC4. ShadowPy makes use of AES. | |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Netboy and ReVBShell have exfiltration capabilities. |
| T1567.002 | Exfiltration Over Net Service: Exfiltration to Cloud Storage | Tick deployed a customized instrument to obtain and exfiltrate recordsdata through an internet service. |
