Tick APT culprit on the attack against a data loss prevention firm

March 28, 2023

Researchers attributed a recent attack against an East Asian data-loss prevention (DLP) company to Tick APT. Based on reports, this cyber espionage threat group attacked a company that helps government and military organisations secure their data.

The advanced persistent threat group compromised the DLP company’s internal update servers to deploy its malware within the software developer’s network. Subsequently, the actors trojanised installers of legitimate tools used by the targeted company. This eventually resulted in the execution of malware on the devices of the company’s customers.


Tick APT is allegedly a China-affiliated cybercriminal operation.


According to investigations, Tick APT is known by many names, such as Stalker Panda and Stalker Taurus. Most researchers believe the threat group is affiliated with China, since most of its attacks target Japan’s government, manufacturing, and biotechnology sectors.

Tick APT was one of the first threat groups to exploit the ProxyLogon vulnerability in Microsoft Exchange servers a couple of years ago. Researchers explained that the group used the critical flaw as a zero-day to drop a Delphi-based backdoor on a web server owned by a South Korean information technology company.

Furthermore, after the attack on the South Korean IT company, this malicious entity allegedly gained access to the network of a software development firm via an unidentified method. The reports did not disclose the name of the affected company.

During the incident, the actors also deployed a cracked version of the legitimate Q-Dir app to drop an open-source VBScript backdoor called ReVBShell. The backdoor accompanies a previously unidentified downloader attributed to the group, ShadowPy.

ShadowPy is a Python downloader that can execute a Python script retrieved from a remote server. Furthermore, the malicious payloads delivered during the intrusion included variants of a Delphi backdoor called Netboy.

A Slovakian cybersecurity firm claimed that the group’s primary objective is to deploy rogue installers that its targets could unknowingly use as part of technical support activities. Hence, these threat actors are not likely to conduct supply chain attacks against their downstream customers.
