The Tick hacking group, known for infecting Japanese and South Korean targets with its malicious backdoor “Daserf”, has been linked to other campaigns leveraging an eclectic assortment of malware, including two additional backdoors, two remote access trojans and a downloader.
According to a Monday blog post from Palo Alto Networks’ Unit 42 threat research team, Tick’s Daserf malware (aka Muirim, Nioupale) has been observed sharing infrastructure with the backdoors Invader and Minzen, the trojans Gh0st RAT and 9002 RAT, and the downloader HomamDownloader.
Moreover, at least some of these malware weapons were used to attack a high-profile target based in Japan over the last three years, Palo Alto senior threat communications manager Christopher Budd confirmed with SC Media via email.
One of the most recent findings linking Daserf to another malware family came in July 2016, when Unit 42 identified a compromised Japanese website whose web server was hosting both a Daserf variant and the modular malware Minzen, aka XXMM, Wali, or ShadowWali. (The company operating this website is different from the aforementioned Japanese organization that Tick has targeted for three years.) “The attackers’ playbook is to compromise external websites and use them as part of their attacks against organizations,” said Budd to SC Media.
Minzen typically leverages compromised web servers in Japan and South Korea, Palo Alto reported, and some of its samples are known to install a backdoor module called NamelessHdoor, which listens on a TCP port in order to receive commands from a remote attacker.
Additional research turned up older links between malware families as well. For instance, Palo Alto determined that Daserf shared command-and-control infrastructure with both 9002 RAT (used in targeted attacks) and Invader (which logs keystrokes and mouse movement, and captures screenshots) between July 2012 and April 2013.
Daserf shared not just infrastructure, but also cipher code with a custom variant of Gh0st RAT spyware that Unit 42 researchers observed. The shared code consisted of substitution ciphers used for hiding strings.
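To make the string-hiding technique concrete, here is an added example (not code from the Unit 42 post, from SC Media, or from any of the malware families named above) of how a byte-level substitution cipher obscures strings in a binary, and how an analyst who has already recovered the table from one sample can test whether a second sample's encoded blobs were produced with the same table, which is the kind of evidence behind a "shared cipher code" link. The table, the API-name plaintexts and the blobs are all constructed for illustration; nothing here is Daserf's or Gh0st RAT's real table or data.

```python
# Added illustration of substitution-cipher string hiding and table recovery.
# Everything below (table generation, sample strings, blobs) is constructed;
# it is not the cipher or data of any real malware family.

def build_table(seed: int = 0x5A) -> bytes:
    """Constructed 256-byte substitution table (a fixed permutation of 0..255).
    A real sample would embed its own table or derive it from a seed; a
    deterministic LCG-driven shuffle is used here only so the example runs offline."""
    perm = list(range(256))
    x = seed
    for i in range(255, 0, -1):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        j = x % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return bytes(perm)


def invert(table: bytes) -> bytes:
    """Inverse permutation, used to recover plaintext from a hidden string."""
    inv = bytearray(256)
    for plain, enc in enumerate(table):
        inv[enc] = plain
    return bytes(inv)


def hide(s: bytes, table: bytes) -> bytes:
    """What the malware author does at build time: substitute every byte."""
    return bytes(table[b] for b in s)


def reveal(blob: bytes, table: bytes) -> bytes:
    """What the malware does at run time (and what an analyst repeats with the
    recovered table): apply the inverse substitution."""
    return hide(blob, invert(table))


def mapping_from_pair(plain: bytes, enc: bytes) -> dict:
    """Derive the partial substitution mapping (ciphertext byte -> plaintext byte)
    from one known plaintext/ciphertext pair, e.g. an API name the unpacked
    code later passes to GetProcAddress. Raises if the pair contradicts a
    simple byte substitution, which rules the technique out for that sample."""
    m = {}
    for p, e in zip(plain, enc):
        if m.get(e, p) != p:
            raise ValueError("inconsistent mapping: not a byte substitution cipher")
        m[e] = p
    return m


def partial_reveal(blob: bytes, m: dict) -> bytes:
    """Decode a blob from a second sample with the partial mapping; bytes whose
    plaintext is still unknown are rendered as '?'."""
    return bytes(m.get(b, ord("?")) for b in blob)


def printable_ratio(s: bytes) -> float:
    """Share of bytes that are printable ASCII; a cheap score for whether a
    candidate decode looks like a real string."""
    if not s:
        return 0.0
    return sum(1 for b in s if 0x20 <= b < 0x7F) / len(s)


if __name__ == "__main__":
    table = build_table()
    # Sample A: we know both forms of one string, so we learn part of the table.
    known_plain = b"CreateFileA"
    known_enc = hide(known_plain, table)          # as it would sit in sample A
    m = mapping_from_pair(known_plain, known_enc)
    # Sample B: unknown blobs; if the same table was used, known bytes decode cleanly.
    blob_b = hide(b"Create", table)               # constructed blob from sample B
    print(partial_reveal(blob_b, m))              # b'Create'
    print(printable_ratio(reveal(blob_b, table))) # 1.0
```

The useful check is the last step: if blobs from a second sample decode to readable fragments under a mapping recovered from the first, the two samples share the table (and almost certainly the code that applies it), whereas a different table yields '?' and non-printable noise. A full table recovered this way is also a better detection artifact than any single decoded string, since it survives re-encoding of the strings themselves.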
Finally, Palo Alto reported that Daserf has also shared malicious servers with HomamDownloader, a malware that the Tick group has spread via spear phishing campaigns. For instance, an early 2014 campaign featured spear phishing emails carrying a Happy New Year message on January 1, while asking the recipient to rename the attached file’s extension before opening it with a specific password.
“Tick was spotted last year, but they are actively and silently attacking various organizations in South Korea and Japan for a number of years,” warned Unit 42 cyber threat intelligence analyst Kaoru Hayashi, who authored the blog post. Despite this additional intelligence on the threat group, Hayashi added that “it is likely there is much that still remains uncovered.”