October 9, 2024
The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia

ESET Research uncovered a campaign by APT group Tick against a data-loss prevention company in East Asia and discovered a previously unreported tool used by the group

ESET researchers discovered a campaign that we attribute with high confidence to the APT group Tick. The incident occurred in the network of an East Asian company that develops data-loss prevention (DLP) software.

The attackers compromised the DLP company's internal update servers to deliver malware inside the software developer's network, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company's customers.

In this blogpost, we provide technical details about the malware detected in the networks of the compromised company and of its customers. During the intrusion, the attackers deployed a previously undocumented downloader named ShadowPy, and they also deployed the Netboy backdoor (aka Invader) and the Ghostdown downloader.

Based on Tick's profile, and the compromised company's high-value customer portfolio, the objective of the attack was likely cyberespionage. How the data-loss prevention company was initially compromised is unknown.

Key points in this blogpost:

  • ESET researchers uncovered an attack that took place in the network of an East Asian data-loss prevention company with a customer portfolio that includes government and military entities.
  • ESET researchers attribute this attack with high confidence to the Tick APT group.
  • The attackers deployed at least three malware families and compromised update servers and tools used by the company. As a result, two of their customers were compromised.
  • The investigation revealed a previously undocumented downloader named ShadowPy.

Tick overview

Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group, suspected of being active since at least 2006, targeting primarily countries in the APAC region. This group is of interest for its cyberespionage operations, which focus on stealing classified information and intellectual property.

Tick employs an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools. Our latest report on Tick's activity found it exploiting the ProxyLogon vulnerability to compromise a South Korean IT company, as one of the groups with access to that remote code execution exploit before the vulnerability was publicly disclosed. While it was still a zero-day, the group used the exploit to install a webshell and deploy a backdoor on a web server.

Attack overview

In March 2021, via unknown means, attackers gained access to the network of an East Asian software developer company.

The attackers deployed persistent malware and replaced installers of a legitimate application known as Q-Dir with trojanized copies that, when executed, dropped an open-source VBScript backdoor named ReVBShell, as well as a copy of the legitimate Q-Dir application. This led to the execution of malicious code in the networks of two of the compromised company's customers when the trojanized installers were transferred via remote support software – our hypothesis is that this occurred while the DLP company was providing technical support to its customers.

The attackers also compromised update servers, which delivered malicious updates on two occasions to machines inside the network of the DLP company. Using ESET telemetry, we did not detect any other cases of malicious updates outside the DLP company's network.

The customer portfolio of the DLP company includes government and military entities, making the compromised company an especially attractive target for an APT group such as Tick.

Timeline

According to ESET telemetry, in March 2021 the attackers deployed malware to several machines of the software developer company. The malware included variants of the Netboy and Ghostdown families, and a previously undocumented downloader named ShadowPy.

In April 2021, the attackers began to introduce trojanized copies of the Q-Dir installers into the network of the compromised company.

In June and September 2021, inside the network of the compromised company, the component that performs updates for the software developed by that company downloaded a package that contained a malicious executable.

In February and June 2022, the trojanized Q-Dir installers were transferred via remote support tools to customers of the compromised company.

Figure 1. Timeline of the attack and related incidents.

Compromised update servers

The first incident in which an update containing malware was registered occurred in June 2021, and then again in September 2021. On both occasions the update was delivered to machines inside the DLP company's network.

The update came in the form of a ZIP archive that contained a malicious executable file. It was deployed and executed by a legitimate update agent belonging to software developed by the compromised company. The chain of compromise is illustrated in Figure 2.

Figure 2. Illustration of the chain of compromise

In the first detected case, in June 2021, the update was downloaded from an internal server and deployed. In the second case, in September 2021, it was downloaded from a public-facing server.

The malicious executable issues an HTTP GET request to http://103.127.124[.]117/index.html to obtain the key needed to decrypt the embedded payload, which is encrypted with the RC6 algorithm. The payload is dropped to the %TEMP% directory with a random name and a .vbe extension, and is then executed. Note that the executable on its own is inert without the server-supplied key, which is one reason the dropped script was not recoverable from the sample alone.

Although we have not obtained the dropped sample from the compromised machine, based on the detection (VBS/Agent.DL) we have high confidence that the detected script was the open-source backdoor ReVBShell.

Using ESET telemetry, we did not identify any customers of the DLP company who had received malicious files through the software developed by that company. Our hypothesis is that the attackers compromised the update servers to move laterally within the network, not to perform a supply-chain attack against external customers.

Trojanized Q-Dir installers

Q-Dir is a legitimate application developed by SoftwareOK that allows its user to navigate four folders at the same time within the same window, as shown in Figure 3. We believe that the legitimate application is part of a toolkit used by employees of the compromised company, based on where the detections originated inside the network.

Figure 3. Screenshot of the Q-Dir application

According to ESET telemetry, starting in April 2021, two months before the detection of the malicious updates, the attackers began to introduce 32- and 64-bit trojanized installers of the application into the compromised company's network.

We found two cases, in February and June 2022, where the trojanized installers were transferred by the remote support tools helpU and ANYSUPPORT to computers of two companies located in East Asia, one in the engineering vertical and the other a manufacturing business.

These computers had software from the compromised company installed on them, and the trojanized Q-Dir installer was received minutes after the support software was installed by the users.

Our hypothesis is that the customers of the compromised DLP company were receiving technical support from that company via one of those remote support applications, and the malicious installer was unknowingly used to service the DLP company's customers; it is unlikely that the attackers installed the support tools to transfer the trojanized installers themselves.

32-bit installer

The process used to trojanize the installer involves injecting shellcode into a cavity at the end of the Section Headers table – the application was compiled using 0x1000 for both FileAlignment and SectionAlignment, leaving a cavity of 0xD18 bytes between the end of the section table and the first section's raw data – large enough to accommodate the malicious, position-independent shellcode. The entry point code of the application is patched with a JMP instruction that points to the shellcode, placed right after the call to WinMain (Figure 4); therefore the malicious code only executes after the application's legitimate code finishes.

Figure 4. The assembly code shows the JMP instruction that diverts execution flow to the shellcode. The hexadecimal dump shows the shellcode at the end of the PE's section headers.

The shellcode, shown in Figure 5, downloads an unencrypted payload from http://softsrobot[.]com/index.html to %TEMP%\ChromeUp.exe by default; if the file cannot be created, it obtains a new name using the GetTempFileNameA API.

Figure 5. Decompiled code of the function that orchestrates downloading the binary file and writing it to disk
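The header-cavity trick described above is easy to check for without a disassembler: compute the slack between the end of the section table and SizeOfHeaders, see whether anything non-zero lives there, and look for JMP rel32 instructions in executable sections whose target falls below the first section's RVA (i.e. back into the headers). The following is an added example, not ESET's or Tick's code; the PE it analyzes is constructed in the block with FileAlignment = SectionAlignment = 0x1000 like the installer, so the cavity size differs from the article's 0xD18 bytes, and the NOP sled stands in for the real shellcode.

```python
"""Check a PE file for code stashed in the header cavity (slack between the end
of the section table and SizeOfHeaders) and for JMP rel32 instructions in code
that land in the header region. Added example; sample PE is constructed here."""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def build_sample_pe(text: bytes, cavity_payload: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one executable .text section. cavity_payload,
    if given, is written right after the section table, where the shellcode sits."""
    align = 0x1000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)                                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                            # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 32, align)                           # SectionAlignment
    struct.pack_into("<I", opt, 36, align)                           # FileAlignment
    struct.pack_into("<I", opt, 56, 2 * align)                       # SizeOfImage
    struct.pack_into("<I", opt, 60, align)                           # SizeOfHeaders
    sect = SECTION_HDR.pack(b".text", len(text), 0x1000, align, align, 0, 0, 0, 0,
                            IMAGE_SCN_MEM_EXECUTE | 0x40000000 | 0x00000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    image = bytearray(2 * align)
    image[:len(hdr)] = hdr
    image[len(hdr):len(hdr) + len(cavity_payload)] = cavity_payload
    image[align:align + len(text)] = text
    return bytes(image)

def analyze_pe(data: bytes) -> dict:
    """Return cavity offset/size, the count of non-zero bytes in it, and every
    E9 (JMP rel32) in an executable section whose target RVA lies in the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]   # same offset in PE32 and PE32+
    sect_tbl = opt + size_opt
    end_tbl = sect_tbl + nsec * SECTION_HDR.size
    cavity = data[end_tbl:size_of_headers]
    sections = [SECTION_HDR.unpack_from(data, sect_tbl + i * SECTION_HDR.size) for i in range(nsec)]
    header_end_rva = min(s[2] for s in sections)                     # lowest section VirtualAddress
    jmps = []
    for _name, _vsize, va, rawsize, rawptr, *_rest, chars in sections:
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            continue
        code = data[rawptr:rawptr + rawsize]
        for i in range(len(code) - 4):
            if code[i] == 0xE9:                                      # JMP rel32
                rel = struct.unpack_from("<i", code, i + 1)[0]
                target = va + i + 5 + rel
                if 0 <= target < header_end_rva:                     # jumps back into the headers
                    jmps.append((va + i, target))
    return {"cavity_offset": end_tbl, "cavity_size": len(cavity),
            "cavity_used": len(cavity.rstrip(b"\0")), "jmps_into_headers": jmps}

# Constructed "patched" entry: a CALL (stand-in for the call to WinMain) followed by a
# JMP into the cavity, where a NOP sled + RET stands in for the shellcode.
CAVITY_RVA = 64 + 4 + 20 + 224 + SECTION_HDR.size   # 0x160: end of the section table
PATCH_RVA = 0x1005                                  # the JMP sits right after the 5-byte CALL
SAMPLE_SHELLCODE = b"\x90" * 16 + b"\xC3"
SAMPLE_TEXT = b"\xE8\x00\x00\x00\x00" + b"\xE9" + struct.pack("<i", CAVITY_RVA - (PATCH_RVA + 5))

if __name__ == "__main__":
    for label, pe in (("clean", build_sample_pe(b"\xC3")),
                      ("patched", build_sample_pe(SAMPLE_TEXT, SAMPLE_SHELLCODE))):
        r = analyze_pe(pe)
        print(f"{label}: cavity {r['cavity_size']:#x} bytes at {r['cavity_offset']:#x}, "
              f"{r['cavity_used']} non-zero, jmps into headers: "
              f"{[(hex(a), hex(t)) for a, t in r['jmps_into_headers']]}")
```

A non-zero `cavity_used` is not proof of tampering on its own (some linkers leave debug or certificate data there), but combined with a JMP from the entry-point region into the headers it is a strong indicator; on a real installer, compare against a clean copy of the same Q-Dir version.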

64-bit installer

While only one malicious 32-bit installer was found, the 64-bit installers were detected in several places throughout the DLP company's network. The installer contains the Q-Dir application and an encoded (VBE) ReVBShell backdoor that was customized by the attackers; both were compressed with LZO and encrypted with RC6. The files are dropped in the %TEMP% directory and executed.

ReVBShell

ReVBShell is an open-source backdoor with very basic capabilities. The backdoor code is written in VBScript and the controller code is written in Python. Communication with the server is over HTTP with GET and POST requests.

The backdoor supports several commands, including:

  • Getting computer name, operating system name, architecture, and language version of the operating system
  • Getting username and domain name
  • Getting network adapter information
  • Listing running processes
  • Executing shell commands and sending back the output
  • Changing the current directory
  • Downloading a file from a given URL
  • Uploading a requested file

We believe that the attackers used ReVBShell version 1.0, based on the main branch commit history on GitHub.

More about the DLP company compromise

In this section, we provide more details about the tools and malware families that Tick deployed in the compromised software company's network.

To maintain persistent access, the attackers deployed malicious loader DLLs alongside legitimate signed applications vulnerable to DLL search-order hijacking. The purpose of these DLLs is to decode and inject a payload into a designated process (in all cases in this incident, the loaders were configured to inject into svchost.exe).

The payload in each loader is one of three malware families: ShadowPy, Ghostdown, or Netboy. Figure 6 illustrates the loading process.

Figure 6. High-level overview of the Tick malware loading process

In this report we will focus on analyzing the ShadowPy downloader and the Netboy backdoor.

ShadowPy

ShadowPy is a downloader developed in Python and converted into a Windows executable using a customized version of py2exe. The downloader contacts its C&C to obtain Python scripts to execute.

Based on our findings, we believe the malware was developed at least two years before the compromise of the DLP company in 2021. We have not observed any other incidents where ShadowPy was deployed.

Custom py2exe loader

As previously described, the malicious DLL loader is launched via DLL side-loading; in the case of ShadowPy we observed vssapi.dll being side-loaded by avshadow.exe, a legitimate software component from the Avira security software suite.

The malicious DLL contains, encrypted in its overlay, three main components: the custom py2exe loader, the Python engine, and the PYC code. First, the DLL loader code locates the custom py2exe loader in its overlay and decrypts it with a NULL-preserving XOR using 0x56 as the key (bytes equal to 0x00 or to the key itself are left untouched, so the padding in the overlay stays zero), then loads it in memory and injects it into a new svchost.exe process that it creates. The entry point of the custom py2exe loader is then executed in the remote process. The difference between the original py2exe loader code and the customized version used by Tick is that the custom loader reads the contents of the malicious vssapi.dll from disk and searches for the Python engine and the PYC code in the overlay, whereas the original locates the engine and the PYC code in the resource section.

The loading chain is illustrated in Figure 7.

Figure 7. High-level overview of the steps taken to execute the PYC payload
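The NULL-preserving XOR used on the loader's overlay is worth understanding because it changes how you recover the key: plaintext zeros survive unchanged, so byte-frequency analysis of the ciphertext points at 0x00 rather than at the key, and the practical approach is to try every single-byte key and look for a decoded PE header. The following is an added example, not Tick's code; the encrypted blob is constructed in the block from a fake PE stub, and the 0x56 key is the value reported in this section.

```python
"""NULL-preserving single-byte XOR (as used on the ShadowPy loader's overlay) and
a brute-force key recovery that looks for a decoded PE header. Added example;
the sample blob is constructed, not a real overlay."""
import struct
from typing import Optional

def xor_null_preserving(buf: bytes, key: int) -> bytes:
    """XOR each byte with key, except bytes equal to 0x00 or to the key itself,
    which are left as-is. Mapping 0x00->0x00 and key->key keeps the transform a
    bijection (plain XOR would send key to 0x00 and 0x00 to key, colliding with
    the preserved zeros). The function is its own inverse."""
    return bytes(b if b in (0, key) else b ^ key for b in buf)

def looks_like_pe(buf: bytes) -> bool:
    """Minimal PE check: 'MZ' at 0, e_lfanew at 0x3C pointing at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def recover_key(blob: bytes, probe: int = 0x200) -> Optional[int]:
    """Try all 255 non-zero keys on the first `probe` bytes and return the one
    that yields a PE header. Because zeros are preserved, e_lfanew's high bytes
    are already correct in the ciphertext, so a short prefix suffices."""
    head = blob[:probe]
    for key in range(1, 256):
        if looks_like_pe(xor_null_preserving(head, key)):
            return key
    return None

def build_sample_blob(key: int = 0x56) -> bytes:
    """Constructed stand-in for an encrypted overlay: a fake PE stub (MZ header,
    e_lfanew = 0x80, PE signature, a few COFF header bytes including one equal
    to the key) encoded with the NULL-preserving XOR."""
    fake = bytearray(0x100)
    fake[:2] = b"MZ"
    struct.pack_into("<I", fake, 0x3C, 0x80)
    fake[0x80:0x84] = b"PE\0\0"
    fake[0x84:0x8C] = b"\x4c\x01\x03\x00\x56\x00\x00\x00"   # Machine, NumberOfSections, TimeDateStamp
    return xor_null_preserving(bytes(fake), key)

if __name__ == "__main__":
    blob = build_sample_blob()
    key = recover_key(blob)
    print(f"recovered key: {key:#x}")
    print("decoded header:", xor_null_preserving(blob, key)[:2])
```

On a real loader, feed `recover_key` the overlay (everything past the last section's raw end); if it returns None, the blob is either not a PE at that offset or uses a different scheme, and the next candidate is the decompressed or multi-byte variant.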

Python downloader

The PYC code is a simple downloader whose purpose is to retrieve a Python script and execute it in a new thread. This downloader randomly picks a URL from a list (although for the samples we analyzed only one URL was present) and builds a unique ID for the compromised machine by constructing a string composed of the following data:

  • Machine local IP address
  • MAC address
  • Username (as returned by the %username% environment variable)
  • Domain and username (output of the whoami command)
  • Network computer name (as returned by Python's platform.node function)
  • Operating system information (as returned by Python's platform.platform function)
  • Architecture information (as returned by Python's platform.architecture function)

Finally, it uses abs(zlib.crc32(<STRING>)) to generate the value that serves as the ID (the abs() call only matters on Python 2, where zlib.crc32 can return a negative number; on Python 3 it is always unsigned). The ID is inserted in the middle of a string composed of random characters and is further obfuscated, then it is appended to the URL as shown in Figure 8.

Figure 8. Decompiled Python code that prepares the URL, appending the obfuscated unique user ID

It issues an HTTP GET request to travelasist[.]com to download a new payload that is XOR-decrypted with a fixed single-byte key, 0xC3, then base64-decoded; the result is decrypted using the AES algorithm in CFB mode with a 128-bit key and IV supplied with the payload. Finally, it is decompressed using zlib and executed in a new thread.

Netboy

Netboy (aka Invader) is a backdoor programmed in Delphi; it supports 34 commands that allow the attackers to capture the screen, perform mouse and keyboard events on the compromised machine, manipulate files and services, and obtain system and network information, among other capabilities.

Network protocol

Netboy communicates with its C&C server over TCP. The packet format used to exchange information between the backdoor and its C&C is described in Figure 9.

Figure 9. Illustration of the C&C packet format implemented by Netboy

In order to fingerprint its packets, it generates two random numbers (the first two fields in the header) that are XORed together (as shown in Figure 10) to form a third value that is used to validate the packet.

Figure 10. Decompiled code that generates two random numbers and combines them to generate a packet fingerprint value

Packet validation, shown in Figure 11, takes place when the backdoor receives a new command from its controller.

Figure 11. Decompiled code that performs validation of a newly received packet

The packet header also contains the size of the encrypted, compressed data, and the size of the uncompressed data plus the size (a DWORD) of another field containing a random number (not used for validation) that is prepended to the data before it is compressed, as shown in Figure 12.

Figure 12. Decompiled code that creates a new packet to be sent to the controller

For compression, Netboy uses a variant of the LZRW family of compression algorithms, and for encryption it uses the RC4 algorithm with a 256-bit key made up of ASCII characters.
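The packet format described above can be modelled end to end, which is useful both for writing a decoder for captured traffic and for understanding why the fingerprint is a cheap detection hook. The following is an added example of the protocol as this section describes it, not Tick's code: the exact header layout in Figure 9 is not reproduced here, so the five fields are assumed to be little-endian DWORDs in the order random1, random2, random1 XOR random2, encrypted size, uncompressed size; zlib stands in for Netboy's LZRW variant; and the 32-byte ASCII key is made up.

```python
"""Netboy-style C&C packet: build, fingerprint-check and parse. Added example
with an assumed header layout, zlib instead of LZRW, and a constructed RC4 key."""
import os
import struct
import zlib

KEY = b"ExampleNetboyKey_32_ascii_bytes!"   # 32 ASCII bytes = 256-bit key (constructed)
HDR = struct.Struct("<IIIII")               # assumed: rand1, rand2, rand1^rand2, enc_size, raw_size

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def build_packet(payload: bytes, key: bytes = KEY, rng=os.urandom) -> bytes:
    """Controller side: random DWORD prepended, compress, RC4, then the header
    whose third field is the XOR of the first two (the packet fingerprint)."""
    r1, r2, r3 = (struct.unpack("<I", rng(4))[0] for _ in range(3))
    raw = struct.pack("<I", r3) + payload          # random DWORD, not used for validation
    enc = rc4(key, zlib.compress(raw))             # LZRW variant in Netboy; zlib here
    return HDR.pack(r1, r2, r1 ^ r2, len(enc), len(raw)) + enc

def is_valid_fingerprint(pkt: bytes) -> bool:
    """The check from Figure 11: third header field must equal field1 XOR field2."""
    if len(pkt) < HDR.size:
        return False
    r1, r2, fp, _enc_size, _raw_size = HDR.unpack_from(pkt)
    return fp == (r1 ^ r2)

def parse_packet(pkt: bytes, key: bytes = KEY) -> bytes:
    """Backdoor side: validate, decrypt, decompress, strip the random DWORD."""
    if not is_valid_fingerprint(pkt):
        raise ValueError("fingerprint mismatch")
    _r1, _r2, _fp, enc_size, raw_size = HDR.unpack_from(pkt)
    body = pkt[HDR.size:HDR.size + enc_size]
    if len(body) != enc_size:
        raise ValueError("truncated body")
    raw = zlib.decompress(rc4(key, body))
    if len(raw) != raw_size or raw_size < 4:
        raise ValueError("size mismatch")
    return raw[4:]

if __name__ == "__main__":
    pkt = build_packet(b"\x10")                    # command 0x10: list processes (Table 1)
    print("valid:", is_valid_fingerprint(pkt), "command:", parse_packet(pkt).hex())
    tampered = bytearray(pkt)
    tampered[8] ^= 1                               # flip a bit in the fingerprint field
    print("tampered valid:", is_valid_fingerprint(bytes(tampered)))
```

Because the fingerprint is computed from two values that are otherwise random, a network sensor that sees TCP payloads where the first three DWORDs satisfy dword[0] XOR dword[1] == dword[2] on both directions of a flow has a low-noise heuristic for this protocol, provided the real field order matches Figure 9; verify against a captured sample before deploying it as a rule.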

Backdoor instructions

Netboy helps 34 instructions; nonetheless, in Desk 1 we describe solely 25 of probably the most outstanding ones giving the attackers sure capabilities on the compromised techniques.

Desk 1. Most fascinating Netboy backdoor instructions

Command ID Description
0x05 Create new TCP socket and retailer acquired information from its controller to a brand new file.
0x06 Create new TCP socket and browse file; ship contents to the controller.
0x08 Will get native host title, reminiscence data, system listing path, and configured working hours vary for the backdoor (for instance, between 14-18).
0x0A Listing community assets which might be servers.
0x0B Listing recordsdata in a given listing.
0x0C Listing drives.
0x0E Execute program with ShellExecute Home windows API.
0x0F Delete file.
0x10 Listing processes.
0x11 Enumerate modules in a course of.
0x12 Terminate course of.
0x13 Execute program and get output.
0x16 Obtain a brand new file from the server and execute with ShellExecute Home windows API.
0x1D Create reverse shell.
0x1E Terminate shell course of.
0x1F Get TCP and UDP connections data utilizing the WinSNMP API.
0x23 Listing providers.
0x24 Begin service specified by the controller.
0x25 Cease service specified by the controller.
0x26 Create a brand new service. Particulars comparable to service title, description, and path are acquired from the controller.
0x27 Delete service specified by the controller.
0x28 Set TCP connection state.
0x29 Begin display screen seize and ship to the controller each 10 milliseconds.
0x2A Cease display screen seize.
0x2B Carry out mouse and keyboard occasions requested by the controller.

Attribution

We attribute this attack to Tick with high confidence based on the malware found, which has previously been attributed to Tick and, to the best of our knowledge, has not been shared with other APT groups, and on the code similarities between ShadowPy and the loader used by Netboy.

Additionally, domains used by the attackers to contact their C&C servers were previously attributed to Tick in past cases: waterglue[.]org in 2015, and softsrobot[.]com in 2020.

Possibly related activity

In May 2022, AhnLab researchers published a report about an unidentified threat actor targeting entities and individuals in South Korea with CHM files that deploy a legitimate executable and a malicious DLL for side-loading. The purpose of the DLL is to decompress, decrypt, drop, and execute a VBE script in the %TEMP% folder. The decoded script once again reveals a ReVBShell backdoor.

We believe that campaign is likely related to the attack described in this report, as the customized ReVBShell backdoor in both attacks is the same, and there are several code similarities between the malicious 64-bit installer (SHA-1: B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6) and the quartz.dll sample (SHA-1: ECC352A7AB3F97B942A6BDC4877D9AFCE19DFE55) described by AhnLab.

Conclusion

ESET researchers uncovered a compromise of an East Asian data loss prevention company. During the intrusion, the attackers deployed at least three malware families, and compromised update servers and tools used by the compromised company. As a result, two customers of the company were subsequently compromised.

Our analysis of the malicious tools used during the attack revealed previously undocumented malware, which we named ShadowPy. Based on similarities in the malware found during the investigation, we have attributed the attack with high confidence to the Tick APT group, known for its cyberespionage operations targeting the APAC region.

We would like to thank Cha Minseok from AhnLab for sharing information and samples during our research.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1 | Filename | ESET detection name | Description
72BDDEAD9B508597B75C1EE8BE970A7CA8EB85DC | dwmapi.dll | Win32/Netboy.A | Netboy backdoor.
8BC1F41A4DDF5CFF599570ED6645B706881BEEED | vssapi.dll | Win64/ShadowPy.A | ShadowPy downloader.
4300938A4FD4190A47EDD0D333E26C8FE2C7451E | N/A | Win64/TrojanDropper.Agent.FU | Trojanized Q-Dir installer, 64-bit version. Drops the customized ReVBShell version A.
B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6 | N/A | Win64/TrojanDropper.Agent.FU | Trojanized Q-Dir installer, 64-bit version. Drops the customized ReVBShell version B.
F54F91D143399B3C9E9F7ABF0C90D60B42BF25C9 | N/A | Win32/TrojanDownloader.Agent.GBY | Trojanized Q-Dir installer, 32-bit version.
FE011D3BDF085B23E6723E8F84DD46BA63B2C700 | N/A | VBS/Agent.DL | Customized ReVBShell backdoor version A.
02937E4A804F2944B065B843A31390FF958E2415 | N/A | VBS/Agent.DL | Customized ReVBShell backdoor version B.

Network

IP | Provider | First seen | Details
115.144.69[.]108 | KINX | 2021-04-14 | travelasist[.]com; ShadowPy C&C server.
110.10.16[.]56 | SK Broadband Co Ltd | 2020-08-19 | mssql.waterglue[.]org; Netboy C&C server.
103.127.124[.]117 | MOACK.Co.LTD | 2020-10-15 | Server contacted by the malicious update executable to retrieve a key for decryption.
103.127.124[.]119 | MOACK.Co.LTD | 2021-04-28 | slientship[.]com; ReVBShell backdoor version A server.
103.127.124[.]76 | MOACK.Co.LTD | 2020-06-26 | ReVBShell backdoor version B server.
58.230.118[.]78 | SK Broadband Co Ltd | 2022-01-25 | oracle.eneygylakes[.]com; Ghostdown server.
192.185.89[.]178 | Network Solutions, LLC | 2020-01-28 | Server contacted by the malicious 32-bit installer to retrieve a payload.

MITRE ATT&CK techniques

This table was built using version 12 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Tick compromised update servers to deliver malicious update packages via the software developed by the compromised company.
Initial Access | T1199 | Trusted Relationship | Tick replaced legitimate applications used by technical support to compromise customers of the company.
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Tick used a customized version of ReVBShell, written in VBScript.
Execution | T1059.006 | Command and Scripting Interpreter: Python | ShadowPy uses a downloader written in Python.
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Netboy and ShadowPy loaders persist via a Run key.
Persistence | T1543.003 | Create or Modify System Process: Windows Service | Netboy and ShadowPy loaders persist by creating a service.
Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Netboy and ShadowPy loader DLLs are side-loaded by legitimate signed applications vulnerable to DLL search-order hijacking (e.g. vssapi.dll loaded by Avira's avshadow.exe).
Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | Netboy and ShadowPy loaders use legitimate service and description names when creating services.
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Netboy and ShadowPy loader DLLs carry the names of legitimate Windows libraries (dwmapi.dll, vssapi.dll) so that they are loaded in place of the real ones.
Defense Evasion | T1027 | Obfuscated Files or Information | Netboy, ShadowPy, and their loaders use encrypted payloads, strings, and configuration. Loaders contain garbage code.
Defense Evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | Netboy and ShadowPy loader DLLs are padded to prevent security solutions from uploading samples.
Defense Evasion | T1055.002 | Process Injection: Portable Executable Injection | Netboy and ShadowPy loaders inject a PE into a preconfigured system process.
Defense Evasion | T1055.003 | Process Injection: Thread Execution Hijacking | Netboy and ShadowPy loaders hijack the main thread of the system process to transfer execution to the injected malware.
Discovery | T1135 | Network Share Discovery | Netboy has network discovery capabilities.
Discovery | T1120 | Peripheral Device Discovery | Netboy enumerates all available drives.
Discovery | T1057 | Process Discovery | Netboy and ReVBShell have process enumeration capabilities.
Discovery | T1082 | System Information Discovery | Netboy and ReVBShell gather system information.
Discovery | T1033 | System Owner/User Discovery | Netboy and ReVBShell gather user information.
Discovery | T1124 | System Time Discovery | Netboy uses the system time to contact its C&C only during a configured time range.
Lateral Movement | T1080 | Taint Shared Content | Tick replaced legitimate applications used by technical support, which also resulted in malware execution within the compromised network on previously clean systems.
Collection | T1039 | Data from Network Shared Drive | Netboy and ReVBShell have capabilities to collect files.
Collection | T1113 | Screen Capture | Netboy has screenshot capabilities.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | ShadowPy and ReVBShell communicate with their C&C servers over HTTP.
Command and Control | T1132.001 | Data Encoding: Standard Encoding | Tick's customized ReVBShell uses base64 to encode communication with its C&C servers.
Command and Control | T1573 | Encrypted Channel | Netboy uses RC4. ShadowPy uses AES.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Netboy and ReVBShell have exfiltration capabilities.
Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Tick deployed a custom tool to download and exfiltrate files via a web service.