ESET Analysis uncovered a marketing campaign by APT group Tick in opposition to a data-loss prevention firm in East Asia and located a beforehand unreported instrument utilized by the group
ESET researchers found a marketing campaign that we attribute with excessive confidence to the APT group Tick. The incident befell within the community of an East Asian firm that develops data-loss prevention (DLP) software program.
The attackers compromised the DLP firm’s inner replace servers to ship malware contained in the software program developer’s community, and trojanized installers of respectable instruments utilized by the corporate, which ultimately resulted within the execution of malware on the computer systems of the corporate’s prospects.
On this blogpost, we offer technical particulars concerning the malware detected within the networks of the compromised firm and of its prospects. In the course of the intrusion, the attackers deployed a beforehand undocumented downloader named ShadowPy, they usually additionally deployed the Netboy backdoor (aka Invader) and Ghostdown downloader.
Primarily based on Tick’s profile, and the compromised firm’s high-value buyer portfolio, the target of the assault was more than likely cyberespionage. How the data-loss prevention firm was initially compromised is unknown.
- ESET researchers uncovered an assault occurring within the community of an East Asian data-loss prevention firm with a buyer portfolio that features authorities and navy entities.
- ESET researchers attribute this assault with excessive confidence to the Tick APT group.
- The attackers deployed at the very least three malware households and compromised replace servers and instruments utilized by the corporate. Because of this, two of their prospects had been compromised.
- The investigation revealed a beforehand undocumented downloader named ShadowPy.
Tick overview
Tick (also called BRONZE BUTLER or REDBALDKNIGHT) is an APT group, suspected of being active since at least 2006, concentrating on primarily international locations within the APAC area. This group is of curiosity for its cyberespionage operations, which give attention to stealing labeled info and mental property.
Tick employs an unique customized malware toolset designed for persistent entry to compromised machines, reconnaissance, knowledge exfiltration, and obtain of instruments. Our newest report into Tick’s exercise discovered it exploiting the ProxyLogon vulnerability to compromise a South Korean IT firm, as one of many teams with entry to that distant code execution exploit earlier than the vulnerability was publicly disclosed. Whereas nonetheless a zero-day, the group used the exploit to put in a webshell to deploy a backdoor on a webserver.
Assault overview
In March 2021, via unknown means, attackers gained entry to the community of an East Asian software program developer firm.
The attackers deployed persistent malware and changed installers of a respectable software often known as Q-dir with trojanized copies that, when executed, dropped an open-source VBScript backdoor named ReVBShell, in addition to a duplicate of the respectable Q-Dir software. This led to the execution of malicious code in networks of two of the compromised firm’s prospects when the trojanized installers had been transferred by way of distant assist software program – our speculation is that this occurred whereas the DLP firm offered technical assist to their prospects.
The attackers additionally compromised replace servers, which delivered malicious updates on two events to machines contained in the community of the DLP firm. Utilizing ESET telemetry, we didn’t detect another instances of malicious updates outdoors the DLP firm’s community.
The client portfolio of the DLP firm contains authorities and navy entities, making the compromised firm an particularly engaging goal for an APT group resembling Tick.
Timeline
Based on ESET telemetry, in March 2021 the attackers deployed malware to a number of machines of the software program developer firm. The malware included variants of the Netboy and Ghostdown households, and a beforehand undocumented downloader named ShadowPy.
In April, the attackers started to introduce trojanized copies of the Q-dir installers within the community of the compromised firm.
In June and September 2021, within the community of the compromised firm, the part that performs updates for the software program developed by the compromised firm downloaded a bundle that contained a malicious executable.
In February and June 2022, the trojanized Q-dir installers had been transferred by way of distant assist instruments to prospects of the compromised firm.
Determine 1. Timeline of the assault and associated incidents.
Compromised replace servers
The primary incident the place an replace containing malware was registered was in June, after which once more in September, 2021. On each instances the replace was delivered to machines contained in the DLP firm’s community.
The replace got here within the type of a ZIP archive that contained a malicious executable file. It was deployed and executed by a respectable replace agent from software program developed by the compromised firm. The chain of compromise is illustrated in Determine 2.
Determine 2. Illustration of the chain of compromise
The primary detected case occurred in June 2021, and the replace was downloaded from an inner server and deployed. The second case occurred in September 2021, from a public-facing server.
The malicious executable points an HTTP GET request to http://103.127.124[.]117/index.html to acquire the important thing to decrypt the embedded payload, which is encrypted with the RC6 algorithm. The payload is dropped to the %TEMP% listing with a random title and a .vbe extension, and is then executed.
Though now we have not obtained the dropped pattern from the compromised machine, primarily based on the detection (VBS/Agent.DL), now we have excessive confidence that the detected script was the open-source backdoor ReVBShell.
Utilizing ESET telemetry, we didn’t establish any prospects of the DLP firm who had acquired any malicious information via the software program developed by that firm. Our speculation is that the attackers compromised the replace servers to maneuver laterally on the community, to not carry out a supply-chain assault in opposition to exterior prospects.
Trojanized Q-Dir installers
Q-Dir is a respectable software developed by SoftwareOK that permits its consumer to navigate 4 folders on the identical time throughout the identical window, as proven in Determine 3. We imagine that the respectable software is a part of a toolkit utilized by staff of the compromised firm, primarily based on the place the detections originated contained in the community.
Determine 3. Screenshot of the Q-Dir software
Based on ESET telemetry, beginning in April 2021, two months earlier than the detection of the malicious updates, the attackers started to introduce 32- and 64-bit trojanized installers of the appliance into the compromised firm’s community.
We discovered two instances, in February and June 2022, the place the trojanized installers had been transferred by the distant assist instruments helpU and ANYSUPPORT, to computer systems of two corporations positioned in East Asia, one within the engineering vertical, and the opposite a producing trade.
These computer systems had software program from the compromised firm put in on them, and the trojanized Q-dir installer was acquired minutes after the assist software program was put in by the customers.
Our speculation is that the purchasers of the compromised DLP firm had been receiving technical assist from that firm, by way of a kind of distant assist functions and the malicious installer was used unknowingly to service the purchasers of the DLP firm; it’s unlikely that the attackers put in assist instruments to switch the trojanized installers themselves.
32-bit installer
The approach used to trojanize the installer entails injecting shellcode right into a cavity on the finish of the Part Headers desk – the appliance was compiled utilizing 0x1000 for FileAlignment and SectionAlignment, leaving in a cavity of 0xD18 bytes – massive sufficient to accommodate the malicious, position-independent shellcode. The entry level code of the appliance is patched with a JMP instruction that factors to the shellcode, and is positioned proper after the decision to WinMain (Determine 4); subsequently the malicious code is barely executed after the appliance’s respectable code finishes its execution.
Determine 4. The meeting code reveals the JMP instruction that diverts execution stream to the shellcode. The hexadecimal dump reveals the shellcode on the finish of the PE’s part headers.
The shellcode, proven in Determine 5, downloads an unencrypted payload from http://softsrobot[.]com/index.html to %TEMPpercentChromeUp.exe by default; if the file can’t be created, it will get a brand new title utilizing the GetTempFileNameA API.
Determine 5. Decompiled code of the perform that orchestrates downloading the binary file and writing it to disk
64-bit installer
Whereas just one malicious 32-bit installer was discovered, the 64-bit installers had been detected in a number of locations all through the DLP firm’s community. The installer incorporates the Q-Dir software and an encoded (VBE) ReVBShell backdoor that was custom-made by the attackers; each of them had been compressed with LZO and encrypted with RC6. The information are dropped within the %TEMP% listing and executed.
ReVBShell
ReVBShell is an open-source backdoor with very primary capabilities. The backdoor code is written in VBScript and the controller code is written in Python. Communication with the server is over HTTP with GET and POST requests.
The backdoor helps a number of instructions, together with:
- Getting pc title, working system title, structure, and language model of the working system
- Getting username and area title
- Getting community adapter info
- Itemizing operating processes
- Executing shell instructions and sending again output
- Altering present listing
- Downloading a file from a given URL
- Importing a requested file
We imagine that the attackers used ReVBShell model 1.0, primarily based on the primary department commit historical past on GitHub.
Extra concerning the DLP firm compromise
On this part, we offer extra particulars about instruments and malware households that Tick deployed within the compromised software program firm’s community.
To keep up persistent entry, the attackers deployed malicious loader DLLs together with respectable signed functions weak to DLL search-order hijacking. The aim of those DLLs is to decode and inject a payload into a chosen course of (in all instances of this incident, all loaders had been configured to inject into svchost.exe).
The payload in every loader is one among three malware households: ShadowPy, Ghostdown, or Netboy. Determine 6 illustrates the loading course of.
Determine 6. Excessive-level overview of the Tick malware loading course of
On this report we are going to give attention to analyzing the ShadowPy downloader and Netboy backdoor.
ShadowPy
ShadowPy is a downloader developed in Python and transformed right into a Home windows executable utilizing a custom-made model of py2exe. The downloader contacts its C&C to acquire Python scripts to execute.
Primarily based on our findings, we imagine the malware was developed at the very least two years earlier than the compromise of the DLP firm in 2021. We have now not noticed another incidents the place ShadowPy was deployed.
Customized py2exe loader
As beforehand described, the malicious DLL loader is launched by way of DLL side-loading; within the case of ShadowPy we noticed vssapi.dll being side-loaded by avshadow.exe, a respectable software program part from the Avira safety software program suite.
The malicious DLL incorporates, encrypted in its overlay, three main elements: the py2exe customized loader, the Python engine and the PYC code. First, the DLL loader code locates the customized py2exe loader in its overlay and decrypts it utilizing a NULL-preserving XOR utilizing 0x56 as the important thing, then it masses it in reminiscence and injects it in a brand new svchost.exe course of that it creates. Then the entry level of the customized py2exe loader is executed on the distant course of.The distinction between the unique py2exe loader code and the custom-made model utilized by Tick, is that the customized loader reads the contents of the malicious vssapi.dll from disk and searches for the Python engine and the PYC code within the overlay, whereas the original locates the engine and the PYC code within the useful resource part.
The loading chain is illustrated in Determine 7.
Determine 7. Excessive-level overview of the steps taken to execute the PYC payload
Python downloader
The PYC code is an easy downloader whose goal is to retrieve a Python script and execute it in a brand new thread. This downloader randomly picks a URL from an inventory (though for the samples we analyzed just one URL was current) and builds a novel ID for the compromised machine by constructing a string composed of the next knowledge:
- Machine native IP handle
- MAC handle
- Username (as returned by the %username% setting variable)
- Area and username (outcomes of the whoami command)
- Community pc title (as returned by Python’s platform.node perform)
- Working system info (as returned by Python’s platform.platform perform)
- Structure info (as returned by Python’s platform.structure perform)
Lastly, it makes use of abs(zlib.crc32(<STRING>)) to generate the worth that can function an ID. The ID is inserted in the course of a string composed of random characters and is additional obfuscated, then it’s appended to the URL as proven in Determine 8.
Determine 8. Decompiled Python code that prepares the URL, appending the obfuscated distinctive consumer ID
It points an HTTP GET request to travelasist[.]com to obtain a brand new payload that’s XOR-decrypted with a set, single-byte key, 0xC3, then base64-decoded; the result’s decrypted utilizing the AES algorithm in CFB mode with a 128-bit key and IV supplied with the payload. Lastly it’s decompressed utilizing zlib and executed in a brand new thread.
Netboy
Netboy (aka Invader) is a backdoor programmed in Delphi; it helps 34 instructions that permit the attackers to seize the display screen, carry out mouse and keyboard occasions on the compromised machine, manipulate information and providers, and acquire system and community info, amongst different capabilities.
Community protocol
Netboy communicates with its C&C server over TCP. The packet format used to alternate info between the backdoor and its C&C is described in Determine 9.
Determine 9. Illustration of the C&C packet format carried out by Netboy
To be able to fingerprint its packets, it generates two random numbers (first two fields within the header) which are XORed collectively (as proven in Determine 10) to kind a 3rd worth that’s used to validate the packet.
Determine 10. Decompiled code that generates two random numbers and combines them to generate a packet fingerprint worth
Packet validation is proven in Determine 11, when the backdoor receives a brand new command from its controller.
Determine 11. Decompiled code that performs validation of a newly acquired packet
The packet header additionally incorporates the scale of the encrypted compressed knowledge, and the scale of the uncompressed knowledge plus the scale (DWORD) of one other discipline containing a random quantity (not used for validation) that’s prepended to the info earlier than it’s compressed, as proven in Determine 12.
Determine 12. Decompiled code that creates a brand new packet to be despatched to the controller
For compression, Netboy makes use of a variant of the LZRW household of compression algorithms and for encryption it makes use of the RC4 algorithm with a 256-bit key made up of ASCII characters.
Backdoor instructions
Netboy helps 34 instructions; nonetheless, in Desk 1 we describe solely 25 of essentially the most distinguished ones giving the attackers sure capabilities on the compromised programs.
Desk 1. Most attention-grabbing Netboy backdoor instructions
| Command ID | Description |
|---|---|
| 0x05 | Create new TCP socket and retailer acquired knowledge from its controller to a brand new file. |
| 0x06 | Create new TCP socket and skim file; ship contents to the controller. |
| 0x08 | Will get native host title, reminiscence info, system listing path, and configured working hours vary for the backdoor (for instance, between 14-18). |
| 0x0A | Listing community sources which are servers. |
| 0x0B | Listing information in a given listing. |
| 0x0C | Listing drives. |
| 0x0E | Execute program with ShellExecute Home windows API. |
| 0x0F | Delete file. |
| 0x10 | Listing processes. |
| 0x11 | Enumerate modules in a course of. |
| 0x12 | Terminate course of. |
| 0x13 | Execute program and get output. |
| 0x16 | Obtain a brand new file from the server and execute with ShellExecute Home windows API. |
| 0x1D | Create reverse shell. |
| 0x1E | Terminate shell course of. |
| 0x1F | Get TCP and UDP connections info utilizing the WinSNMP API. |
| 0x23 | Listing providers. |
| 0x24 | Begin service specified by the controller. |
| 0x25 | Cease service specified by the controller. |
| 0x26 | Create a brand new service. Particulars resembling service title, description, and path are acquired from the controller. |
| 0x27 | Delete service specified by the controller. |
| 0x28 | Set TCP connection state. |
| 0x29 | Begin display screen seize and ship to the controller each 10 milliseconds. |
| 0x2A | Cease display screen seize. |
| 0x2B | Carry out mouse and keyboard occasions requested by the controller. |
Attribution
We attribute this assault to Tick with excessive confidence primarily based on the malware discovered that has been beforehand attributed to Tick, and to the perfect of our data has not been shared with different APT teams, and the code similarities between ShadowPy and the loader utilized by Netboy.
Moreover, domains utilized by the attackers to contact their C&C servers had been beforehand attributed to Tick in previous instances: waterglue[.]org in 2015, and softsrobot[.]com in 2020.
Probably associated exercise
In Could 2022, AhnLab researchers published a report about an unidentified menace actor concentrating on entities and people from South Korea with CHM information that deploy a respectable executable and a malicious DLL for side-loading. The aim of the DLL is to decompress, decrypt, drop, and execute a VBE script within the %TEMP% folder. The decoded script reveals a ReVBShell backdoor as soon as once more.
We imagine that marketing campaign is prone to be associated to the assault described on this report, because the customized ReVBShell backdoor of each assaults is identical, and there are a number of code similarities between the malicious 64-bit installer (SHA-1: B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6) and the quartz.dll pattern (SHA-1: ECC352A7AB3F97B942A6BDC4877D9AFCE19DFE55) described by AhnLab.
Conclusion
ESET researchers uncovered a compromise of an East Asian knowledge loss prevention firm. In the course of the intrusion, the attackers deployed at the very least three malware households, and compromised replace servers and instruments utilized by the compromised firm. Because of this, two prospects of the corporate had been subsequently compromised.
Our evaluation of the malicious instruments used in the course of the assault revealed beforehand undocumented malware, which we named ShadowPy. Primarily based on similarities within the malware discovered in the course of the investigation, now we have attributed the assault with excessive confidence to the Tick APT group, identified for its cyberespionage operations concentrating on the APAC area.
We wish to thank Cha Minseok from AhnLab for sharing info and samples throughout our analysis.
IoCs
Information
| SHA-1 | Filename | ESET detection title | Description |
|---|---|---|---|
| 72BDDEAD9B508597B75C1EE8BE970A7CA8EB85DC | dwmapi.dll | Win32/Netboy.A | Netboy backdoor. |
| 8BC1F41A4DDF5CFF599570ED6645B706881BEEED | vssapi.dll | Win64/ShadowPy.A | ShadowPy downloader. |
| 4300938A4FD4190A47EDD0D333E26C8FE2C7451E | N/A | Win64/TrojanDropper.Agent.FU | Trojanized Q‑dir installer, 64‑bit model. Drops the custom-made ReVBShell model A. |
| B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6 | N/A | Win64/TrojanDropper.Agent.FU | Trojanized Q‑dir installer, 64‑bit model. Drops the custom-made ReVBShell model B. |
| F54F91D143399B3C9E9F7ABF0C90D60B42BF25C9 | N/A | Win32/TrojanDownloader.Agent.GBY | |
| FE011D3BDF085B23E6723E8F84DD46BA63B2C700 | N/A | VBS/Agent.DL | Custom-made ReVBShell backdoor model A. |
| 02937E4A804F2944B065B843A31390FF958E2415 | N/A | VBS/Agent.DL | Custom-made ReVBShell backdoor model B. |
Community
| IP | Supplier | First seen | Particulars |
|---|---|---|---|
| 115.144.69[.]108 | KINX | 2021‑04‑14 | travelasist[.]com ShadowPY C&C server |
| 110.10.16[.]56 | SK Broadband Co Ltd | 2020‑08‑19 | mssql.waterglue[.]org Netboy C&C server |
| 103.127.124[.]117 | MOACK.Co.LTD | 2020‑10‑15 | Server contacted by the malicious replace executable to retrieve a key for decryption. |
| 103.127.124[.]119 | MOACK.Co.LTD | 2021-04-28 | slientship[.]com ReVBShell backdoor model A server. |
| 103.127.124[.]76 | MOACK.Co.LTD | 2020‑06‑26 | ReVBShell backdoor model B server. |
| 58.230.118[.]78 | SK Broadband Co Ltd | 2022-01-25 | oracle.eneygylakes[.]com Ghostdown server. |
| 192.185.89[.]178 | Community Options, LLC | 2020-01-28 | Server contacted by the malicious 32-bit installer to retrieve a payload. |
MITRE ATT&CK strategies
This desk was constructed utilizing version 12 of the MITRE ATT&CK framework.
| Tactic | ID | Identify | Description |
|---|---|---|---|
| Preliminary Entry | T1195.002 | Provide Chain Compromise: Compromise Software program Provide Chain | Tick compromised replace servers to ship malicious replace packages by way of the software program developed by the compromised firm. |
| T1199 | Trusted Relationship | Tick changed respectable functions utilized by technical assist to compromise prospects of the corporate. | |
| Execution | T1059.005 | Command and Scripting Interpreter: Visible Primary | Tick used a custom-made model of ReVBShell written in VBScript. |
| T1059.006 | Command and Scripting Interpreter: Python | ShadowPy malware makes use of a downloader written in Python. | |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Netboy and ShadowPy loaders persist by way of a Run key. |
| T1543.003 | Create or Modify System Course of: Home windows Service | Netboy and ShadowPy loaders persist by making a service. | |
| T1574.002 | Hijack Execution Move: DLL Aspect-Loading | Netboy and ShadowPy loaders use respectable service and outline names when creating providers. | |
| Protection Evasion | T1036.004 | Masquerading: Masquerade Job or Service | Netboy and ShadowPy loaders use respectable service and outline names when creating providers. |
| T1036.005 | Masquerading: Match Professional Identify or Location | Netboy and ShadowPy loaders use respectable service and outline names when creating providers. | |
| T1027 | Obfuscated Information or Data | Netboy, ShadowPy, and their loader use encrypted: payloads, strings, configuration. Loaders comprise rubbish code. | |
| T1027.001 | Obfuscated Information or Data: Binary Padding | Netboy and ShadowPy loaders DLLs are padded to keep away from safety options from importing samples. | |
| T1055.002 | Course of Injection: Moveable Executable Injection | Netboy and ShadowPy loaders inject a PE right into a preconfigured system course of. | |
| T1055.003 | Course of Injection: Thread Execution Hijacking | Netboy and ShadowPy loaders hijack the primary thread of the system course of to switch execution to the injected malware. | |
| Discovery | T1135 | Community Share Discovery | Netboy has community discovery capabilities. |
| T1120 | Peripheral Gadget Discovery | Netboy enumerates all obtainable drives. | |
| T1057 | Course of Discovery | Netboy and ReVBShell have course of enumeration capabilities. | |
| T1082 | System Data Discovery | Netboy and ReVBShell, collect system info. | |
| T1033 | System Proprietor/Person Discovery | Netboy and ReVBShell, collect consumer info. | |
| T1124 | System Time Discovery | Netboy makes use of system time to contact its C&C solely throughout a sure time vary. | |
| Lateral Motion | T1080 | Taint Shared Content material | Tick changed respectable functions utilized by technical assist, which resulted additionally in malware execution throughout the compromised community on beforehand clear programs. |
| Assortment | T1039 | Knowledge from Community Shared Drive | Netboy and ReVBShell have capabilities to gather information. |
| T1113 | Display screen Seize | Netboy has screenshot capabilities. | |
| Command and Management | T1071.001 | Software Layer Protocol: Internet Protocols | ShadowPy and ReVBShell talk by way of HTTP protocol with their C&C server. |
| T1132.001 | Knowledge Encoding: Commonplace Encoding | Tick’s custom-made ReVBShell makes use of base64 to encode communication with their C&C servers. | |
| T1573 | Encrypted Channel | Netboy makes use of RC4. ShadowPy makes use of AES. | |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Netboy and ReVBShell have exfiltration capabilities. |
| T1567.002 | Exfiltration Over Internet Service: Exfiltration to Cloud Storage | Tick deployed a customized instrument to obtain and exfiltrate information by way of an online service. |
