Palo Alto Networks experts uncovered a new operation conducted by the cyber espionage group known as Tick APT that has been targeting a secure USB drive built by a South Korean defense company.
The Tick APT group has been active for at least a decade, tracked also as Bronze Butler, it was first spotted in 2016 by Symantec and experts believe it is a China-linked threat actor. Experts highlighted the ability of the group in discovering a zero-day flaw in a software used in a certain region, such as Japan and South Korea,
The group has been targeting a secure USB drive built by a South Korean defense company, likely with the intent of compromising air-gaped systems.
The expert reported that the Tick APT group is mainly targeting Japan and South Korea, but the threat actor also targeted organizations in Russia, Singapore, and China.
The group has been observed using a variety of proprietary tools and custom malware, including Minzen, Daserf (aka Nioupale), Datper, and HomamDownloader.
“Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company.” reads the analysis published by PaloAlto Networks.
“The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet.”
The malicious code used in the recent attacks conducted by the Tick APT were specifically developed to target systems running Windows XP or Windows Server 2003.
According to the experts, the malware was developed with the intent of infecting older, out-of-support versions of Microsoft Windows running on Air-gapped systems that often used in government and defense environments.
The experts added that they haven’t found public reports of the attack until now, likely because the threat actor used it many years ago.
“We have not identified any public reporting on this attack, and we suspect the Tick group used the malware described in this report in attacks multiple years ago. Based on the data collected, we do not believe this malware is part of anyactive threat campaign.” continues the report.
The experts believe the hackers managed to compromise the secure USB drive model to install the malware on a number of infected devices, that are supposed to be certified as secure by the South Korean ITSCC.
PaloAlto Networks reported that the APT group also developed a strain of malware dubbed SymonLoader that once installed on older Windows systems machines looks for specific USB drives.
The SymonLoader was used by attackers to load and execute the malware from the secure USB drive. At the time it is not clear how the attackers have compromised the USB drives.
“Because we do not have either a compromised USB drive or the unknown malicious file, we are also unable to determine how these USB drives have been compromised.” continues Palo Alto.
“Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering.”
During the investigation, experts at Palo Alto Networks discovered an interesting sample of the malware on January 21, 2018, it is a Trojanized version of a Japanese language GO game and drops malware.
Experts associated this sample with the Tick group because the shellcode in the Trojanized Japanese game is exactly the same as that found in the Trojanized Korean programs.
“The attacker encrypted the unknown executable file and concealed it at the ending part of the secure USB storage in advance. The hidden data is not accessible through logical file operation APIs, such as ReadFile(). Instead, SymonLoader uses Logical Block Addressing (LBA) and SCSI commands to read the data physically from the particular expected location on the removable drive,” the researchers explain.
Further details, including the IoCs are reported in the analysis published by the experts.