
“Tick” Cyber Espionage Group Employs Steganography

The cyber espionage group known as “Tick” is using steganography to conceal their backdoor Trojan better, according to analysis from security firm Trend Micro.


Also referred to as Bronze Butler and REDBALDKNIGHT and believed to be based in China, the group is mainly targeting Japanese organizations, including biotechnology, electronics manufacturing, and industrial chemistry entities and government agencies. Although the first report on the group was published only last year, the hackers might have been active for at least a decade, Trend Micro’s researchers say.

Malicious tools preferred by the threat actors include a downloader tracked as Gofarer and a data-stealing Trojan dubbed Daserf, which can execute shell commands and download and upload data. Now, Trend Micro says that variants of Daserf were used against entities outside Japan as well, including organizations in South Korea, Russia, Singapore, and China.

Furthermore, the security researchers say that various versions of Daserf employ different techniques and use steganography, which lets them conceal themselves better by embedding code in unexpected media or locations, such as images.

The hackers typically use spear phishing emails with attached malicious documents created using the Japanese word processor Ichitaro. These documents install and execute the Daserf backdoor on the victim’s machine.

Tick is believed to be regularly improving the Daserf Trojan to keep it under the radar. 

Some malware variants also revealed that the group integrated steganography to conduct second-stage attacks and for command-and-control (C&C) communication. Through the use of steganography, the backdoor can not only bypass firewalls, but also change second-stage C&C communication or malware faster and more conveniently, Trend Micro says.

Daserf’s infection chain involves a downloader that retrieves the backdoor from a compromised site. After installation, the Trojan connects to another compromised site and downloads an image file, then connects to its C&C and awaits further commands.

The Tick hackers, Trend Micro notes, have been using steganography on other toolkits as well, namely xxmm2_builder and xxmm2_steganography. These are components of the XXMM downloader Trojan that can also be used as a first-stage backdoor. The researchers found that the same steganography algorithm was used on both XXMM and Daserf.

“Steganography is a particularly useful technique in purposeful cyberattacks: the longer their malicious activities stay undetected, the more they can steal and exfiltrate data. And indeed, the routine is increasingly gaining cybercriminal traction, in varying degrees of proficiency—from exploit kits, malvertising campaigns, banking Trojans, and C&C communication to even ransomware. In the case of REDBALDKNIGHT’s campaigns, the use of steganography is further compounded by their use of malware that can better evade detection and analysis,” Trend Micro concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
