ESET researchers have uncovered a cyberespionage attack that targeted an East Asian data-loss prevention (DLP) company, which provides services to government and military entities. The attack was attributed with high confidence to the Tick APT group, which has been active since at least 2006 and is known for its cyberespionage operations.
Based on Tick’s profile, and the compromised company’s high-value customer portfolio, the objective of the attack was most likely cyberespionage. The attackers compromised internal update servers and third-party tools used by the company. They also deployed at least three malware families. As a result, two of the company's customers were subsequently compromised.
According to ESET telemetry, in March 2021 the attackers deployed malware to several machines of the software developer company. The malware included variants of the Netboy and Ghostdown families, and a previously undocumented downloader named ShadowPy. In April, the attackers began to introduce trojanized copies of the Q-dir installers in the network of the compromised company. In June and September 2021, in the network of the compromised company, the component that performs updates for the software developed by the compromised company downloaded a package that contained a malicious executable. In February and June 2022, the trojanized Q-dir installers were transferred via remote support tools to customers of the compromised company.
ESET researchers attribute this attack to Tick with high confidence based on the malware found that has been previously attributed to Tick and, to the best of their knowledge, has not been shared with other APT groups, and the code similarities between ShadowPy and the loader used by Netboy.
If you have any questions about how ESET can help your buisness or want to learn more information, please reach out to one of our Account Managers here at CMS Distribution.