Tick, Tick, Tick…Boom: Chinese Tick APT Plays the Long Game

Summary

Chinese-linked Tick advanced persistent threat (APT) group, a.k.a. Bronze Butler, REDBALDKNIGHT, Stalker Panda, and Stalker Taurus, has been attributed to a long-lasting operation against an East Asian data loss prevention (DLP) software company. During this extensive intrusion, Tick deployed at least three different types of malware, including a previously unknown downloader. After successfully compromising update servers and other tools used by the DLP, Tick compromised two of the DLP’s customers. This operation highlights Tick’s stealth capabilities and cyber espionage motivations.

Tick APT Background

First seen in 2006, Tick has been conducting cyber espionage operations throughout the Asia-Pacific (APAC) region for nearly two decades. Tick appears to have close ties to the Chinese National University of Defense and Technology, which has suspected links to the Chinese military. Given their apparent government ties, they have historically targeted government, manufacturing, and biotechnology companies in Japan, Taiwan, Hong Kong, and the United States. Stealing classified information and intellectual property from organizations in these industries supports the Chinese government’s agenda.

Attack Details

Historically, Tick has been known to exploit the ProxyLogon vulnerabilities in Microsoft Exchange Server. However, the initial access point for this specific attack is unknown. The first indication that the East Asian DLP had a breach was in March 2021, when security researchers identified traces of the attacker’s malware (variants of Netboy, Gh0st malware families, and ShadowPy) on several machines of the software company. Although the exact infection date is unknown, it’s evident the attackers maintained persistence on the network by utilizing malicious loader dynamic link libraries (DLLs) in conjunction with legitimate signed applications vulnerable to DLL search order hijacking. These DLLs were then used to decode and inject the payload into a designated process. By April, the attackers began deploying a trojanized copy of the legitimate app Q-Dir into the compromised network. This malicious version of Q-Dir went on to drop ReVBShell, an open-source VBScript backdoor, as well as a legitimate copy of the app itself. The compromised internal server sent malicious update packages to individual machines in June 2021, and again in September of the same year. The update was in the form of an archive file format (ZIP) that contained a malicious executable file, which was applied by the legitimate update agent onto the individual hosts. Then, in February and June 2022, the malicious Q-Dir installers were transferred to two of the DLPs customers using remote support tools, presumably when the DLP was providing technical support to the customers.

Custom Malware ToolKit

Tick employs an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools. The group’s toolkit includes:

ShadowPy: A downloader developed in Python and converted into a Windows executable using a customized version of py2exe. It contacts its command and control (C&C) to obtain Python scripts to execute.
Netboy (a.k.a. Invader or Kickesgo): This backdoor programmed in Delphi supports 34 commands that allow the attackers to capture the screen, perform mouse and keyboard events on the compromised machine, manipulate files and services, and obtain system and network information, among other capabilities.
Gh0stdown: A custom variant of Gh0st remote access trojan (RAT).
ReVBShell: An open-source backdoor with very basic capabilities. It’s written in VBScript with Python controller code. Sever communication is over Hypertext Transfer Protocol (HTTP) with GET and POST requests.

Conclusion

This endurance operation showcases Tick’s ability to remain undetected on a network and perform a potential supply chain attack. Its exclusive custom malware tools and capabilities highlight the threats it poses to organizations, especially in the APAC region. Tick will likely continue to conduct cyberespionage attacks against companies in government, manufacturing, and biotechnology, in support of the Chinese government’s overall agenda.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References: