The Slow Ticking Time Bomb: Tick APT Group's Compromise of a DLP Software Developer in East Asia

Published on

ESET researchers have uncovered a targeted hacking campaign carried out against an East Asian data loss prevention (DLP) software company. According to the researchers, the advanced persistent threat (APT) group Tick was behind the attack, which is believed to have been carried out for cyber-espionage purposes. The company is known for high-profile clients that include government and military entities, which may have made it an attractive target.

The attackers reportedly compromised the DLP company's update servers and internal tools to deliver malware within the company's network, and as a result several of its customers were also affected. The hackers Trojanized installers of legitimate tools used by the company, which eventually led to malware executing on the computers of the company's customers. During the intrusion the attackers also deployed a previously undocumented downloader, ShadowPy, alongside the Netboy backdoor (also known as Invader) and the Ghostdown downloader.

Although the target of the attack is known, it is not clear how the DLP company was initially compromised in March 2021. ESET researchers nevertheless attribute the attack with high confidence to Tick, based on the deployment of persistent malware and the repeated use of a previously undocumented downloader.

ESET reports that the attackers twice pushed malicious updates through the compromised update servers to machines inside the DLP company's network. Each malicious update was delivered as a ZIP archive containing a malicious executable, which the legitimate update agent of the compromised company's own software then deployed and executed. The same technique was used to Trojanize installers of Q-Dir, a legitimate application developed by SoftwareOK and used by employees of the compromised company.
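The update agent in the account above executed whatever executable arrived inside the ZIP. The following added example (not code from ESET or from the compromised vendor) shows the check a defender would want such an agent to perform before applying an update: every archive entry must be listed in a publisher-signed manifest and match its SHA-256 digest, so a swapped executable, an injected extra file, or a forged manifest is rejected. The archive layout, manifest format and key are constructed for illustration; HMAC-SHA256 stands in for the asymmetric signature a real agent would verify with a pinned public key.

```python
"""Verify an update archive against a signed manifest before an update agent
applies or executes anything from it (constructed example, stdlib only)."""
import hashlib
import hmac
import io
import json
import zipfile

# Constructed publisher key. A real agent would pin the publisher's public
# key and verify an asymmetric signature instead of sharing a secret.
PUBLISHER_KEY = b"constructed-publisher-key-for-example"


def build_archive(files: dict) -> bytes:
    """Pack {name: content} into an in-memory ZIP (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _canonical(digests: dict) -> bytes:
    # Sorted, whitespace-free JSON so signer and verifier hash identical bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files: dict, key: bytes = PUBLISHER_KEY) -> dict:
    """Publisher side: per-file SHA-256 digests plus a signature over them."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    sig = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "signature": sig}


def verify_update(archive: bytes, manifest: dict, key: bytes = PUBLISHER_KEY) -> list:
    """Agent side: return a list of problems; an empty list means the archive
    may be applied. The manifest signature is checked first, then every ZIP
    entry must be listed and match its digest, and every listed file must exist."""
    problems = []
    digests = manifest.get("files", {})
    expected_sig = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest.get("signature", "")):
        problems.append("manifest signature does not verify")
        return problems  # nothing below can be trusted without a valid manifest

    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
        for name in names:
            if name not in digests:
                problems.append(f"unexpected entry not in manifest: {name}")
                continue
            if hashlib.sha256(zf.read(name)).hexdigest() != digests[name]:
                problems.append(f"digest mismatch: {name}")
        for name in digests:
            if name not in names:
                problems.append(f"missing entry listed in manifest: {name}")
    return problems


# Constructed scenario: a legitimate update, then the same archive with the
# update payload replaced, then one with an extra executable added.
GOOD_FILES = {"agent/update.dll": b"legitimate update payload v2",
              "agent/version.txt": b"2.0"}
GOOD_ARCHIVE = build_archive(GOOD_FILES)
MANIFEST = sign_manifest(GOOD_FILES)

TAMPERED_ARCHIVE = build_archive(dict(GOOD_FILES, **{"agent/update.dll": b"not the publisher's build"}))
INJECTED_ARCHIVE = build_archive(dict(GOOD_FILES, **{"agent/helper.exe": b"extra executable"}))

if __name__ == "__main__":
    for label, arc in [("good", GOOD_ARCHIVE), ("tampered", TAMPERED_ARCHIVE),
                       ("injected", INJECTED_ARCHIVE)]:
        print(label, verify_update(arc, MANIFEST) or "OK")
```

The manifest must be signed over the digests and verified before the archive is opened; checking per-file hashes that came from an unauthenticated manifest would let an attacker who controls the update server ship a matching manifest with the malicious archive.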

According to ESET telemetry, in April 2021 the attackers began introducing 32- and 64-bit trojanized installers of Q-Dir into the compromised company's network. In February and June 2022, the infected installers were transferred via remote support tools to customers of the DLP company. The receiving computers had the compromised company's software installed, and the trojanized Q-Dir installer arrived minutes after users installed the support software. The researchers believe the DLP company's customers unknowingly received the Trojanized software as a result of technical support from the compromised company via remote support applications such as ANYSUPPORT and helpU.
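The delivery pattern described here, an installer appearing and running from a user-writable directory within minutes of a remote support tool starting, is something endpoint telemetry can flag. The following added example (not from ESET or the vendors named) runs that correlation over a few constructed process and file events; the log format, tool executable names and 30-minute window are assumptions for illustration, not the real telemetry schema.

```python
"""Flag executables launched from user-writable paths shortly after a remote
support tool starts on the same host (constructed detection example)."""
import datetime as dt
import re

# Constructed event lines: timestamp host event_type path. Only host-17 shows
# the pattern; host-23's installer runs the next day and host-09 never ran a
# support tool at all.
EVENTS = """\
2022-02-14T09:01:10Z host-17 process_start C:\\Program Files\\AnySupport\\agent.exe
2022-02-14T09:06:42Z host-17 file_create C:\\Users\\kim\\Downloads\\Q-Dir_x64.exe
2022-02-14T09:07:03Z host-17 process_start C:\\Users\\kim\\Downloads\\Q-Dir_x64.exe
2022-02-14T13:20:00Z host-23 process_start C:\\Program Files\\helpU\\helpu.exe
2022-02-15T08:00:00Z host-23 process_start C:\\Users\\lee\\Downloads\\Q-Dir_x64.exe
2022-02-14T10:00:00Z host-09 process_start C:\\Users\\park\\Downloads\\Q-Dir_x64.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
# Lowercase substrings identifying remote support binaries (assumed names).
REMOTE_SUPPORT_TOOLS = ("anysupport", "helpu")
# Directories an ordinary user can write to, where a pushed installer lands.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")


def parse_events(text: str) -> list:
    """Parse lines into (time, host, kind, path) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ts, host, kind, path = m.groups()
        events.append((dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, path))
    events.sort(key=lambda e: e[0])
    return events


def find_suspicious_installs(text: str, window_minutes: int = 30) -> list:
    """Return one alert per executable started from a user-writable path within
    window_minutes after a remote support tool started on the same host."""
    window = dt.timedelta(minutes=window_minutes)
    last_support = {}  # host -> time the support tool last started
    alerts = []
    for when, host, kind, path in parse_events(text):
        if kind != "process_start":
            continue
        low = path.lower()
        if any(tool in low for tool in REMOTE_SUPPORT_TOOLS):
            last_support[host] = when
            continue
        if low.endswith(".exe") and any(d in low for d in USER_WRITABLE):
            started = last_support.get(host)
            if started is not None and when - started <= window:
                alerts.append({
                    "host": host,
                    "path": path,
                    "minutes_after": int((when - started).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_installs(EVENTS):
        print(f"{alert['host']}: {alert['path']} started {alert['minutes_after']} min after remote support")
```

The rule is deliberately narrow: a remote support session alone is routine, and an installer in Downloads alone is routine, but the two together within minutes on one host is the sequence worth a look, and the window keeps a support session from tainting unrelated launches a day later.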

To reduce the risk of such attacks, ESET recommends preventive measures such as requiring strong passwords, using virtual private networks (VPNs), and patching software vulnerabilities promptly. They also suggest prioritizing the protection of update mechanisms and watching closely for suspicious activity, such as unusual logins and unexplained spikes in network traffic.

APT groups are known for their sophisticated cyber-attack strategies, constantly looking for ways to gain access to systems with the goal of stealing valuable information. The recent Tick campaign is just a reminder of the need for organizations to remain vigilant and take all necessary measures to protect their data and prevent cyberattacks.

Source link
