ESET researchers have uncovered a sophisticated cyberattack on an East Asian data-loss prevention (DLP) company by the notorious Tick APT group. The attack, which occurred in March 2021, saw the attackers deploy at least three malware families and compromise internal update servers and third-party tools used by the affected company. As a result, two customers of the company were subsequently compromised, with ESET attributing the campaign with high confidence to the Tick APT group.
Tick is a highly skilled APT group that has been active since at least 2006 and is known for its cyberespionage operations. The group mainly targets countries in the APAC region, with a focus on stealing classified information and intellectual property. The customer portfolio of the DLP company includes government and military entities, making the compromised company an especially attractive target for an APT group such as Tick.
During the intrusion, the attackers deployed a previously undocumented downloader, which ESET researchers have named ShadowPy, along with the Netboy backdoor (aka Invader) and the Ghostdown downloader. ShadowPy was developed in Python and is loaded through a customized version of the open-source project py2exe. The malware contacts a remote server to receive new Python scripts, which are decrypted and executed, giving the attackers persistent access to compromised machines.
The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate third-party tools used by the company. This eventually resulted in the execution of malware on the computers of its customers. ESET notified the compromised company of the attack; even so, in 2022 ESET telemetry registered the execution of malicious code in the networks of two of that company’s customers.
ESET Research hypothesizes that the transfer of trojanized installers took place while the DLP company was providing technical support via remote support software. The attackers also compromised two internal update servers, which delivered malicious updates for the software developed by this DLP company on two occasions to machines inside the network of the DLP company.
Tick’s malware toolset is exclusive and designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools. The older Netboy backdoor supports 34 commands, including collecting system information, deleting a file, downloading and executing programs, performing screen capture, and performing mouse and keyboard events requested by its controller.
This latest attack highlights the need for increased vigilance in the face of growing cyber threats, especially for companies dealing with sensitive information. Companies must remain proactive in their security measures, employing the latest security technologies and best practices to protect their networks and prevent such attacks from succeeding.