Threat Management, Threat Management, Threat Intelligence, Malware

Tick threat group linked to multiple malware families

The Tick hacking group known for infecting Japanese and South Korean targets with its malicious backdoor "Daserf" has been linked to other campaigns leveraging an eclectic assortment of malware, including two additional backdoors, two remote access trojans and a downloader. According to a Monday blog post from Palo Alto Networks' Unit 42 threat research team, Tick's Daserf malware (aka Muirim, Nioupalewas) has been observed sharing infrastructure with the backdoors Invader and Minzen, the trojans Gh0st RAT and 9002 RAT, and the downloader HomamDownloader. Moreover, at least some of these malware weapons were used to attack a high-profile target based in Japan over the last three years, Palo Alto senior threat communications manager Christopher Budd confirmed with SC Media via email. One of the most recent findings linking Daserf to another malware took place in July 2016, when Unit 42 identified a compromised Japanese website whose web server was hosting both a Daserf variant and the modular malware Minzen, aka XXMM, Wali, or ShadowWali. (The company operating this website is different from the aforementioned Japanese organization that Tick has targeted for three years.) "The attackers' playbook is to compromise external websites and use them as part of their attacks against organizations," said Budd to SC Media. Minzen typically leverages compromised web servers in Japan and the South Korea, Palo Alto reported, and some of its samples are known to install a backdoor module called NamelessHdoor, which opens a TCP port in order to receive commands from a remote attacker. Additional research turned up older links between malware families as well. For instance, Palo Alto determined that Daserf  shared command-and-control infrastructure with both 9002 RAT (used in targeted attacks) and Invader (which logs keystrokes and mouse movement, and captures screenshots) between July 2012 and April 2013. Daserf shared not just infrastructure, but also cipher code with a custom variant of Gh0st RAT spyware that Unit 42 researchers observed. The shared code consisted of substitution ciphers used for hiding strings. Finally, Palo Alto reported that Daserf has also shared malicious servers HomamDownloader, a malware that theTick group has spread via spear phishing campaigns. For instance, an early 2014 campaign featured spear phishing emails featuring a Happy New Year message on January 1, while asking the recipient to rename the attached file's extension before opening it with a specific password. "Tick was spotted last year, but they are actively and silently attacking various organizations in South Korea and Japan for a number of years," warned Unit 42 cyber threat intelligence analyst Kaoru Hayashi, who authored the blog post. Despite this additional intelligence on the threat group, Hayashi added that "it is likely there is much that still remains uncovered."
Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.