ESET Research uncovered a campaign by APT group Tick against a data-loss prevention company in East Asia and found a previously unreported tool used by the group
ESET researchers discovered a campaign that we attribute with high confidence to the APT group Tick. The incident took place in the network of an East Asian company that develops data-loss prevention (DLP) software.
The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company’s customers.
In this blogpost, we provide technical details about the malware detected in the networks of the compromised company and of its customers. During the intrusion, the attackers deployed a previously undocumented downloader named ShadowPy, and they also deployed the Netboy backdoor (aka Invader) and Ghostdown downloader.
Based on Tick’s profile, and the compromised company’s high-value customer portfolio, the objective of the attack was most likely cyberespionage. How the data-loss prevention company was initially compromised is unknown.
- ESET researchers uncovered an attack occurring in the network of an East Asian data-loss prevention company with a customer portfolio that includes government and military entities.
- ESET researchers attribute this attack with high confidence to the Tick APT group.
- The attackers deployed at least three malware families and compromised update servers and tools used by the company. As a result, two of their customers were compromised.
- The investigation revealed a previously undocumented downloader named ShadowPy.
Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group, suspected of being active since at least 2006, targeting mainly countries in the APAC region. This group is of interest for its cyberespionage operations, which focus on stealing classified information and intellectual property.
Tick employs an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools. Our latest report into Tick’s activity found it exploiting the ProxyLogon vulnerability to compromise a South Korean IT company, as one of the groups with access to that remote code execution exploit before the vulnerability was publicly disclosed. While still a zero-day, the group used the exploit to install a webshell to deploy a backdoor on a webserver.
In March 2021, through unknown means, attackers gained access to the network of an East Asian software developer company.
The attackers deployed persistent malware and replaced installers of a legitimate application known as Q-dir with trojanized copies that, when executed, dropped an open-source VBScript backdoor named ReVBShell, as well as a copy of the legitimate Q-Dir application. This led to the execution of malicious code in networks of two of the compromised company’s customers when the trojanized installers were transferred via remote support software – our hypothesis is that this occurred while the DLP company provided technical support to their customers.
The attackers also compromised update servers, which delivered malicious updates on two occasions to machines inside the network of the DLP company. Using ESET telemetry, we didn’t detect any other cases of malicious updates outside the DLP company’s network.
The customer portfolio of the DLP company includes government and military entities, making the compromised company an especially attractive target for an APT group such as Tick.
According to ESET telemetry, in March 2021 the attackers deployed malware to several machines of the software developer company. The malware included variants of the Netboy and Ghostdown families, and a previously undocumented downloader named ShadowPy.
In April, the attackers began to introduce trojanized copies of the Q-dir installers in the network of the compromised company.
In June and September 2021, in the network of the compromised company, the component that performs updates for the software developed by the compromised company downloaded a package that contained a malicious executable.
In February and June 2022, the trojanized Q-dir installers were transferred via remote support tools to customers of the compromised company.
Compromised update servers
The first incident where an update containing malware was registered was in June, and then again in September, 2021. On both cases the update was delivered to machines inside the DLP company’s network.
The update came in the form of a ZIP archive that contained a malicious executable file. It was deployed and executed by a legitimate update agent from software developed by the compromised company. The chain of compromise is illustrated in Figure 2.
The first detected case occurred in June 2021, and the update was downloaded from an internal server and deployed. The second case occurred in September 2021, from a public-facing server.
The malicious executable issues an HTTP GET request to http://103.127.124[.]117/index.html to obtain the key to decrypt the embedded payload, which is encrypted with the RC6 algorithm. The payload is dropped to the %TEMP% directory with a random name and a .vbe extension, and is then executed.
Although we have not obtained the dropped sample from the compromised machine, based on the detection (VBS/Agent.DL), we have high confidence that the detected script was the open-source backdoor ReVBShell.
Using ESET telemetry, we didn’t identify any customers of the DLP company who had received any malicious files through the software developed by that company. Our hypothesis is that the attackers compromised the update servers to move laterally on the network, not to perform a supply-chain attack against external customers.
Trojanized Q-Dir installers
Q-Dir is a legitimate application developed by SoftwareOK that allows its user to navigate four folders at the same time within the same window, as shown in Figure 3. We believe that the legitimate application is part of a toolkit used by employees of the compromised company, based on where the detections originated inside the network.
According to ESET telemetry, starting in April 2021, two months before the detection of the malicious updates, the attackers began to introduce 32- and 64-bit trojanized installers of the application into the compromised company’s network.
We found two cases, in February and June 2022, where the trojanized installers were transferred by the remote support tools helpU and ANYSUPPORT, to computers of two companies located in East Asia, one in the engineering vertical, and the other a manufacturing industry.
These computers had software from the compromised company installed on them, and the trojanized Q-dir installer was received minutes after the support software was installed by the users.
Our hypothesis is that the customers of the compromised DLP company were receiving technical support from that company, via one of those remote support applications and the malicious installer was used unknowingly to service the customers of the DLP company; it is unlikely that the attackers installed support tools to transfer the trojanized installers themselves.
The technique used to trojanize the installer involves injecting shellcode into a cavity at the end of the Section Headers table – the application was compiled using 0x1000 for FileAlignment and SectionAlignment, leaving in a cavity of 0xD18 bytes – large enough to accommodate the malicious, position-independent shellcode. The entry point code of the application is patched with a JMP instruction that points to the shellcode, and is located right after the call to WinMain (Figure 4); therefore the malicious code is only executed after the application’s legitimate code finishes its execution.
The shellcode, shown in Figure 5, downloads an unencrypted payload from http://softsrobot[.]com/index.html to %TEMP%ChromeUp.exe by default; if the file cannot be created, it gets a new name using the GetTempFileNameA API.
While only one malicious 32-bit installer was found, the 64-bit installers were detected in several places throughout the DLP company’s network. The installer contains the Q-Dir application and an encoded (VBE) ReVBShell backdoor that was customized by the attackers; both of them were compressed with LZO and encrypted with RC6. The files are dropped in the %TEMP% directory and executed.
ReVBShell is an open-source backdoor with very basic capabilities. The backdoor code is written in VBScript and the controller code is written in Python. Communication with the server is over HTTP with GET and POST requests.
The backdoor supports several commands, including:
- Getting computer name, operating system name, architecture, and language version of the operating system
- Getting username and domain name
- Getting network adapter information
- Listing running processes
- Executing shell commands and sending back output
- Changing current directory
- Downloading a file from a given URL
- Uploading a requested file
We believe that the attackers used ReVBShell version 1.0, based on the main branch commit history on GitHub.
More about the DLP company compromise
In this section, we provide more details about tools and malware families that Tick deployed in the compromised software company’s network.
To maintain persistent access, the attackers deployed malicious loader DLLs along with legitimate signed applications vulnerable to DLL search-order hijacking. The purpose of these DLLs is to decode and inject a payload into a designated process (in all cases of this incident, all loaders were configured to inject into svchost.exe).
The payload in each loader is one of three malware families: ShadowPy, Ghostdown, or Netboy. Figure 6 illustrates the loading process.
In this report we will focus on analyzing the ShadowPy downloader and Netboy backdoor.
ShadowPy is a downloader developed in Python and converted into a Windows executable using a customized version of py2exe. The downloader contacts its C&C to obtain Python scripts to execute.
Based on our findings, we believe the malware was developed at least two years before the compromise of the DLP company in 2021. We have not observed any other incidents where ShadowPy was deployed.
Custom py2exe loader
As previously described, the malicious DLL loader is launched via DLL side-loading; in the case of ShadowPy we observed vssapi.dll being side-loaded by avshadow.exe, a legitimate software component from the Avira security software suite.
The malicious DLL contains, encrypted in its overlay, three major components: the py2exe custom loader, the Python engine and the PYC code. First, the DLL loader code locates the custom py2exe loader in its overlay and decrypts it using a NULL-preserving XOR using 0x56 as the key, then it loads it in memory and injects it in a new svchost.exe process that it creates. Then the entry point of the custom py2exe loader is executed on the remote process.The difference between the original py2exe loader code and the customized version used by Tick, is that the custom loader reads the contents of the malicious vssapi.dll from disk and searches for the Python engine and the PYC code in the overlay, whereas the original locates the engine and the PYC code in the resource section.
The loading chain is illustrated in Figure 7.
The PYC code is a simple downloader whose purpose is to retrieve a Python script and execute it in a new thread. This downloader randomly picks a URL from a list (although for the samples we analyzed only one URL was present) and builds a unique ID for the compromised machine by building a string composed of the following data:
- Machine local IP address
- MAC address
- Username (as returned by the %username% environment variable)
- Domain and username (results of the whoami command)
- Network computer name (as returned by Python’s platform.node function)
- Operating system information (as returned by Python’s platform.platform function)
- Architecture information (as returned by Python’s platform.architecture function)
Finally, it uses abs(zlib.crc32(<STRING>)) to generate the value that will serve as an ID. The ID is inserted in the middle of a string composed of random characters and is further obfuscated, then it is appended to the URL as shown in Figure 8.
It issues an HTTP GET request to travelasist[.]com to receive a new payload that is XOR-decrypted with a fixed, single-byte key, 0xC3, then base64-decoded; the result is decrypted using the AES algorithm in CFB mode with a 128-bit key and IV provided with the payload. Lastly it is decompressed using zlib and executed in a new thread.
Netboy (aka Invader) is a backdoor programmed in Delphi; it supports 34 commands that allow the attackers to capture the screen, perform mouse and keyboard events on the compromised machine, manipulate files and services, and obtain system and network information, among other capabilities.
Netboy communicates with its C&C server over TCP. The packet format used to exchange information between the backdoor and its C&C is described in Figure 9.
In order to fingerprint its packets, it generates two random numbers (first two fields in the header) that are XORed together (as shown in Figure 10) to form a third value that is used to validate the packet.
Packet validation is shown in Figure 11, when the backdoor receives a new command from its controller.
The packet header also contains the size of the encrypted compressed data, and the size of the uncompressed data plus the size (DWORD) of another field containing a random number (not used for validation) that is prepended to the data before it is compressed, as shown in Figure 12.
For compression, Netboy uses a variant of the LZRW family of compression algorithms and for encryption it uses the RC4 algorithm with a 256-bit key made up of ASCII characters.
Netboy supports 34 commands; however, in Table 1 we describe only 25 of the most prominent ones giving the attackers certain capabilities on the compromised systems.
Table 1. Most interesting Netboy backdoor commands
|0x05||Create new TCP socket and store received data from its controller to a new file.|
|0x06||Create new TCP socket and read file; send contents to the controller.|
|0x08||Gets local host name, memory information, system directory path, and configured operating hours range for the backdoor (for example, between 14-18).|
|0x0A||List network resources that are servers.|
|0x0B||List files in a given directory.|
|0x0E||Execute program with ShellExecute Windows API.|
|0x11||Enumerate modules in a process.|
|0x13||Execute program and get output.|
|0x16||Download a new file from the server and execute with ShellExecute Windows API.|
|0x1D||Create reverse shell.|
|0x1E||Terminate shell process.|
|0x1F||Get TCP and UDP connections information using the WinSNMP API.|
|0x24||Start service specified by the controller.|
|0x25||Stop service specified by the controller.|
|0x26||Create a new service. Details such as service name, description, and path are received from the controller.|
|0x27||Delete service specified by the controller.|
|0x28||Set TCP connection state.|
|0x29||Start screen capture and send to the controller every 10 milliseconds.|
|0x2A||Stop screen capture.|
|0x2B||Perform mouse and keyboard events requested by the controller.|
We attribute this attack to Tick with high confidence based on the malware found that has been previously attributed to Tick, and to the best of our knowledge has not been shared with other APT groups, and the code similarities between ShadowPy and the loader used by Netboy.
Additionally, domains used by the attackers to contact their C&C servers were previously attributed to Tick in past cases: waterglue[.]org in 2015, and softsrobot[.]com in 2020.
Possibly related activity
In May 2022, AhnLab researchers published a report about an unidentified threat actor targeting entities and individuals from South Korea with CHM files that deploy a legitimate executable and a malicious DLL for side-loading. The purpose of the DLL is to decompress, decrypt, drop, and execute a VBE script in the %TEMP% folder. The decoded script reveals a ReVBShell backdoor once again.
We believe that campaign is likely to be related to the attack described in this report, as the custom ReVBShell backdoor of both attacks is the same, and there are multiple code similarities between the malicious 64-bit installer (SHA-1: B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6) and the quartz.dll sample (SHA-1: ECC352A7AB3F97B942A6BDC4877D9AFCE19DFE55) described by AhnLab.
ESET researchers uncovered a compromise of an East Asian data loss prevention company. During the intrusion, the attackers deployed at least three malware families, and compromised update servers and tools used by the compromised company. As a result, two customers of the company were subsequently compromised.
Our analysis of the malicious tools used during the attack revealed previously undocumented malware, which we named ShadowPy. Based on similarities in the malware found during the investigation, we have attributed the attack with high confidence to the Tick APT group, known for its cyberespionage operations targeting the APAC region.
We would like to thank Cha Minseok from AhnLab for sharing information and samples during our research.
|SHA-1||Filename||ESET detection name||Description|
|4300938A4FD4190A47EDD0D333E26C8FE2C7451E||N/A||Win64/TrojanDropper.Agent.FU||Trojanized Q‑dir installer, 64‑bit version. Drops the customized ReVBShell version A.|
|B9675D0EFBC4AE92E02B3BFC8CA04B01F8877DB6||N/A||Win64/TrojanDropper.Agent.FU||Trojanized Q‑dir installer, 64‑bit version. Drops the customized ReVBShell version B.|
|FE011D3BDF085B23E6723E8F84DD46BA63B2C700||N/A||VBS/Agent.DL||Customized ReVBShell backdoor version A.|
|02937E4A804F2944B065B843A31390FF958E2415||N/A||VBS/Agent.DL||Customized ReVBShell backdoor version B.|
ShadowPY C&C server
|110.10.16[.]56||SK Broadband Co Ltd||2020‑08‑19||mssql.waterglue[.]org|
Netboy C&C server
|103.127.124[.]117||MOACK.Co.LTD||2020‑10‑15||Server contacted by the malicious update executable to retrieve a key for decryption.|
ReVBShell backdoor version A server.
|103.127.124[.]76||MOACK.Co.LTD||2020‑06‑26||ReVBShell backdoor version B server.|
|58.230.118[.]78||SK Broadband Co Ltd||2022-01-25||oracle.eneygylakes[.]com|
|192.185.89[.]178||Network Solutions, LLC||2020-01-28||Server contacted by the malicious 32-bit installer to retrieve a payload.|
MITRE ATT&CK techniques
This table was built using version 12 of the MITRE ATT&CK framework.
|Initial Access||T1195.002||Supply Chain Compromise: Compromise Software Supply Chain||Tick compromised update servers to deliver malicious update packages via the software developed by the compromised company.|
|T1199||Trusted Relationship||Tick replaced legitimate applications used by technical support to compromise customers of the company.|
|Execution||T1059.005||Command and Scripting Interpreter: Visual Basic||Tick used a customized version of ReVBShell written in VBScript.|
|T1059.006||Command and Scripting Interpreter: Python||ShadowPy malware uses a downloader written in Python.|
|Persistence||T1547.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder||Netboy and ShadowPy loaders persist via a Run key.|
|T1543.003||Create or Modify System Process: Windows Service||Netboy and ShadowPy loaders persist by creating a service.|
|T1574.002||Hijack Execution Flow: DLL Side-Loading||Netboy and ShadowPy loaders use legitimate service and description names when creating services.|
|Defense Evasion||T1036.004||Masquerading: Masquerade Task or Service||Netboy and ShadowPy loaders use legitimate service and description names when creating services.|
|T1036.005||Masquerading: Match Legitimate Name or Location||Netboy and ShadowPy loaders use legitimate service and description names when creating services.|
|T1027||Obfuscated Files or Information||Netboy, ShadowPy, and their loader use encrypted: payloads, strings, configuration. Loaders contain garbage code.|
|T1027.001||Obfuscated Files or Information: Binary Padding||Netboy and ShadowPy loaders DLLs are padded to avoid security solutions from uploading samples.|
|T1055.002||Process Injection: Portable Executable Injection||Netboy and ShadowPy loaders inject a PE into a preconfigured system process.|
|T1055.003||Process Injection: Thread Execution Hijacking||Netboy and ShadowPy loaders hijack the main thread of the system process to transfer execution to the injected malware.|
|Discovery||T1135||Network Share Discovery||Netboy has network discovery capabilities.|
|T1120||Peripheral Device Discovery||Netboy enumerates all available drives.|
|T1057||Process Discovery||Netboy and ReVBShell have process enumeration capabilities.|
|T1082||System Information Discovery||Netboy and ReVBShell, gather system information.|
|T1033||System Owner/User Discovery||Netboy and ReVBShell, gather user information.|
|T1124||System Time Discovery||Netboy uses system time to contact its C&C only during a certain time range.|
|Lateral Movement||T1080||Taint Shared Content||Tick replaced legitimate applications used by technical support, which resulted also in malware execution within the compromised network on previously clean systems.|
|Collection||T1039||Data from Network Shared Drive||Netboy and ReVBShell have capabilities to collect files.|
|T1113||Screen Capture||Netboy has screenshot capabilities.|
|Command and Control||T1071.001||Application Layer Protocol: Web Protocols||ShadowPy and ReVBShell communicate via HTTP protocol with their C&C server.|
|T1132.001||Data Encoding: Standard Encoding||Tick’s customized ReVBShell uses base64 to encode communication with their C&C servers.|
|T1573||Encrypted Channel||Netboy uses RC4. ShadowPy uses AES.|
|Exfiltration||T1041||Exfiltration Over C2 Channel||Netboy and ReVBShell have exfiltration capabilities.|
|T1567.002||Exfiltration Over Web Service: Exfiltration to Cloud Storage||Tick deployed a custom tool to download and exfiltrate files via a web service.|