With data loss prevention (DLP) solutions, companies aim to stop internal data from leaving their own network unintentionally. But if the DLP software provider itself is compromised, its customers are put at risk as well. This is what happened to an East Asian provider whose customers include government and military institutions.
Supply chain attacks are among the dangers that are often underestimated, say the experts at IT security manufacturer ESET. They recently uncovered an attack on the network of an East Asian data loss prevention company whose customer portfolio includes government and military institutions. The ESET researchers attribute this attack with high confidence to the APT group "Tick". Given the group's profile, the goal of the attack was cyber espionage.
Cyber espionage by APT group Tick
"During the vendor infiltration, the attackers employed at least three malware families. In the process, they also compromised internal update servers and trojanized installers of legitimate third-party tools. This eventually led to the execution of malware on the computers of at least two customers," explains ESET researcher Facundo Muñoz, who discovered Tick's recent operation. "The hackers used the previously undocumented downloader ShadowPy as well as the Netboy backdoor (aka Invader) and the Ghostdown downloader," Muñoz continues.
First attack two years ago
ESET discovered a first attack as early as 2021 and immediately informed the DLP company. In 2022, ESET telemetry registered malicious code execution on the networks of two customers of the compromised provider. Since the trojanized installers were delivered via remote support software, ESET Research suspects that the machines were infected while the DLP company was providing technical support to those customers. The manufacturer of the data loss prevention solution was itself also compromised: two of its internal update servers distributed malicious code within its own network.
New downloader called ShadowPy
The previously undocumented downloader ShadowPy is written in Python and is packaged and loaded via a customized version of the open-source project py2exe. ShadowPy contacts a remote server from which it receives new Python scripts; these are decrypted and then executed.
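Because ShadowPy is delivered through a py2exe stub, a first-pass triage question for a responder is "which executables on this host were built with py2exe at all?". The script below is an added example, not ESET's code and not derived from the ShadowPy sample: it assumes that stock py2exe stores the embedded script as a PE resource named `PYTHONSCRIPT` and that its loader stub looks that name up, so the literal appears in the binary in ASCII and/or UTF-16LE (the encoding the PE resource directory uses for names). The sample "files" are constructed inline so the script runs offline; `build_sample`, `triage` and `scan_blobs` are names chosen here, not from the report. A customized py2exe, as used for ShadowPy, may well rename the resource, so a miss is a heuristic result rather than a clean bill.

```python
"""Triage check for py2exe-packaged executables (added example, not ESET code).

Assumption (stock py2exe): the packed script lives in a PE resource whose type
name is "PYTHONSCRIPT"; the loader stub references the same name. A customized
build may rename it, so absence of the marker is not proof of a clean file.
"""
import hashlib
import os

MARKER = "PYTHONSCRIPT"
# Resource directory names are UTF-16LE; the C loader stub usually carries the
# ASCII literal as well. Check both encodings.
ENCODINGS = {
    "ascii": MARKER.encode("ascii"),
    "utf-16le": MARKER.encode("utf-16-le"),
}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def py2exe_markers(data: bytes) -> list:
    """Return the encodings in which the py2exe resource name occurs in data."""
    return [name for name, needle in ENCODINGS.items() if needle in data]


def triage(data: bytes) -> dict:
    """Summarise one file: hash for IOC matching, PE check, py2exe marker hits."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": is_pe(data),
        "py2exe_markers": py2exe_markers(data),
    }


def scan_blobs(blobs: dict) -> dict:
    """Map name -> marker list for every PE blob that carries a py2exe marker."""
    hits = {}
    for name, data in blobs.items():
        result = triage(data)
        if result["is_pe"] and result["py2exe_markers"]:
            hits[name] = result["py2exe_markers"]
    return hits


def scan_dir(root: str) -> dict:
    """Walk a directory tree and run scan_blobs over its files (reads whole files)."""
    blobs = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                blobs[path] = fh.read()
    return scan_blobs(blobs)


def build_sample(with_marker: bool) -> bytes:
    """Constructed stand-in for a PE file (not a real binary, not a ShadowPy sample):
    MZ header with e_lfanew -> 'PE\\0\\0', filler, and optionally the resource name
    embedded the way the resource directory would store it (UTF-16LE)."""
    e_lfanew = 0x80
    hdr = b"MZ" + b"\x00" * (0x3C - 2) + e_lfanew.to_bytes(4, "little")
    hdr += b"\x00" * (e_lfanew - len(hdr)) + b"PE\x00\x00"
    body = b"\x00" * 64 + b"\x01\x00\x00\x00"  # dummy resource-directory bytes
    if with_marker:
        body += ENCODINGS["utf-16le"]
    return hdr + body + b"\x00" * 32


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, markers in scan_dir(sys.argv[1]).items():
            print(f"{path}: py2exe marker found ({', '.join(markers)})")
    else:
        samples = {"packed.exe": build_sample(True), "clean.exe": build_sample(False)}
        print(scan_blobs(samples))
```

Run it against a directory of installers or autostart binaries; every hit is a py2exe-built executable worth a closer look (resource extraction, hash lookup), not a verdict. Pair it with the SHA-256 from `triage` so hits can be matched against published indicators.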
The older Netboy backdoor supports 34 commands, including collecting system information, deleting files, downloading and running programs, capturing screen contents, and executing mouse and keyboard events requested by its controller.
About the APT group Tick
Tick (aka BRONZE BUTLER or REDBALDKNIGHT) is an APT group believed to have been active since at least 2006, targeting mostly countries in the APAC region. The group is known for its cyberespionage operations, which focus on stealing classified information and intellectual property. Tick uses an exclusive, custom-built malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration and the download of additional tools.
More at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.