Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

By Joey Chen, Hiroyuki Kakara and Masaoki Shoji


We have been following the cyberespionage group TICK (a.k.a. “BRONZE BUTLER” or “REDBALDKNIGHT”) since 2008, and towards November 2018 we noticed an unusual increase in its malware development and deployments. The group is already known to reuse previously deployed malware and modified tools for obfuscation, but we also found TICK developing new malware families capable of evading detection during initial intrusion, escalating to administrative privileges for subsequent attacks, and collecting data. We also found the group using legitimate email accounts and credentials to deliver the malware, zeroing in on industries that handle highly classified information: defense, aerospace, chemical, and satellite companies with head offices in Japan and subsidiaries in China. Given these targets, we have named this campaign “Operation ENDTRADE,” and we document some of our findings in the research paper “Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data”.


This research paper was submitted and presented for the DeepINTEL Security Intelligence 2019 Conference on November 27, 2019 in Vienna, Austria.


Targeting and malware delivery



Figure 1. Operation ENDTRADE’s timeline


As part of their attacks in January 2019, TICK conducted reconnaissance by compromising a Japanese economic research company and a public relations (PR) agency to steal email credentials and files to use as decoy documents. The stolen email addresses were then used for spear phishing, prompting targeted organizations to open attachments carrying malware payloads. The decoy documents, embedded with malware, were sent to individuals and companies knowledgeable in Japanese or Chinese and interested in the Chinese economy. The emails had the following features:


They were sent from ..