The cyber espionage group known as Bronze Butler and Tick continues to target Japan using custom-built malware. Evidence found by researchers suggests that the actor is based in China.
The first report on Tick was published in April 2016 by Symantec. However, the security firm pointed out at the time that the threat group had likely been active for at least a decade prior to its activities being discovered.
Tick has been known to use a downloader tracked as Gofarer and a data-stealing Trojan dubbed Daserf. A report published by Palo Alto Networks earlier this year linked the custom-built Daserf malware – based on command and control (C&C) servers – to a threat known as Minzen, XXMM, Wali and ShadowWali.
The first Tick attacks detailed by Symantec focused on technology, aquatic engineering, and broadcasting firms in Japan. Palo Alto Networks reported seeing campaigns aimed at defense and high-tech organizations in Japan and South Korea.
A new report published last week by SecureWorks links Tick to China based on several pieces of evidence. For example, the group uses T-SMB Scan tools created by a Chinese developer, an early version of the Minzen backdoor used Chinese characters in a service name, and there are links between Daserf and the NCPH group, which has been tied to the Chinese military.
Experts also pointed out that Tick activity has typically decreased during Chinese national holidays, and targeting intellectual property and economic intelligence from competing countries is something China has been known to do.
The attacks observed by the security firm were aimed at Japanese organizations in the critical infrastructure, manufacturing, heavy industry and international relations sectors. The hackers have mainly targeted intellectual property related to technology and development, business and sales information, emails and meeting schedules, product specifications, and network and system configuration files.
The report from SecureWorks also provides some information on Datper, a piece of malware used in 2016 and 2017, which experts believe was meant to replace Daserf. XXMM has been used by the threat actor in roughly the same period.
The Tick group has continued to use spear-phishing and watering hole attacks to breach the systems of its targets. However, SecureWorks has also seen attacks involving a zero-day vulnerability affecting a popular Japanese corporate tool.
The zero-day has been used to breach the systems of numerous Japanese organizations, but the hackers only proceeded with further activities in the case of companies that presented an interest. In some cases, the attackers managed to remain undetected within compromised networks for as much as five years.
Once it no longer needs any information from a target, Tick attempts to remove all evidence of its activities on the compromised networks.