“Tick” Cyber Espionage Group Employs Steganography

The cyber espionage group known as “Tick” is using steganography to conceal their backdoor Trojan better, according to analysis from security firm Trend Micro.

Also referred to as Bronze Butler and REDBALDKNIGHT and believed to be based in China, the group is mainly targeting Japanese organizations, including biotechnology, electronics manufacturing, and industrial chemistry entities and government agencies. Although the first report on the group was published only last year, the hackers might have been active for at least a decade, Trend Micro’s researchers say.

Malicious tools preferred by the threat actors include a downloader tracked as Gofarer and a data-stealing Trojan dubbed Daserf, which can execute shell commands and download and upload data. Now, Trend Micro says that variants of Daserf were used against entities outside Japan as well, including organizations in South Korea, Russia, Singapore, and China.

Furthermore, the security researchers say that various versions of Daserf employ different techniques and use steganography, which allows them to conceal themselves better by embedding codes in unexpected mediums or locations, such as images.

The hackers typically use spear phishing emails with attached malicious documents created using the Japanese word processor Ichitaro. These documents install and execute the Daserf backdoor on the victim’s machine.

Tick is believed to be regularly improving the Daserf Trojan to keep it under the radar. 

Some malware variations also revealed that the group integrated steganography to conduct second-stage attacks and for command-and-control (C&C) communication. Through the use of steganography, the backdoor can not only bypass firewalls, but also change second-stage C&C communication or malware faster and more conveniently, Trend Micro says.

Daserf’s infection chain involves a downloader that retrieves the backdoor from a compromised site. After installation, the Trojan connects to another compromised site and downloads an image file, then connects to its C&C and awaits further commands.

The Tick hackers, Trend Micro notes, have been using steganography on other toolkits as well, namely xxmm2_builder and xxmm2_steganography. These are components of the XXMM downloader Trojan that can also be used as a first-stage backdoor. The researchers found that the same steganography algorithm was used on both XXMM and Daserf.

“Steganography is a particularly useful technique in purposeful cyberattacks: the longer their malicious activities stay undetected, the more they can steal and exfiltrate data. And indeed, the routine is increasingly gaining cybercriminal traction, in varying degrees of proficiency—from exploit kits, malvertising campaigns, banking Trojans, and C&C communication to even ransomware. In the case of REDBALDKNIGHT’s campaigns, the use of steganography is further compounded by their use of malware that can better evade detection and analysis,” Trend Micro concludes.

Related: ‘Tick’ Cyber Espionage Group Linked to China

Related: Targeted Malware Inflated With Junk Data to Avoid Detection