## Tick Tock – Activities of the Tick Group in East Asia
###### Trends of Tick Group Targeting Organizations and Corporations in Korea and Japan
CHA Minseok (Jacky Cha, 車珉錫)
Senior Principal Malware Researcher
AhnLab | ASEC | Analysis Research Team
HITB GSEC COMMSEC 2019 (August 29, 2019)
-----
#### Contents
###### 01 Tick Group
###### 02 Stage 0 – Preparation for Attack
###### 03 Stage 1 – Dropper, Downloader
###### 04 Stage 2 – Backdoor, Stealer
###### 05 Stage 3 – Internal Reconnaissance
###### 06 Connections
###### 07 Conclusion
-----
### 01 Tick Group
-----
###### • Tick cyberespionage group (2016)
-----
###### • Tick == Bronze Butler == RedBaldKnight == Nian
-----
###### • Tick Group (Bald Knight, Bronze Butler, Nian, RedBaldKnight)
- Since being named in 2016, information about the group has been disclosed by multiple security companies
- Attacks on Korean and Japanese organizations and corporations since 2014 (related malware found in Korea since 2008)
- Targets: Korean defense industry, national security and political organizations; also corporations in the fields of energy, electronics, security, web hosting, IT service, etc.
- Attack vectors: spear phishing, watering hole, malicious files on USB flash drives, vulnerabilities in asset management programs, etc.
• Characteristics
- Customized attacks for environments in Korea and Japan
- Domains used for C&C are sometimes registered right before the attack
- Several malware generators (builders) exist
- Multiple malware programs have been written in Delphi
- Disrupts decompilation by analysis tools (IDA Hex-Rays) by adding garbage code
- Generates files larger than 50 MB to bypass security programs
- Often uses the WinRAR console program to leak internal information
-----
|Date|Target|Details|
|---|---|---|
|Mar. 2014|Korea - Defense Industry|Attacked with Netboy variant; multiple infections by the same variant reported in Korea|
|Jan. 2015|Korea - Major Company A|Attacked with Bisodown variant|
|Apr. 2015|Korea - ?|Modified the EXE file on the USB memory|
|May 2015|Korea - Major Company B|Attacked with Netboy variant|
|Feb. 2016|Korea - Marine Industry|Attacked with Daserf variant; identical to the Daserf malware found at the Korean telecommunications company in Jun. 2016|
|Jun. 2016|Korea - Telecommunications Company|Attacked with Daserf variant|
|Sep. 2016|Korea - Energy Industry|Attacked with Datper variant|
-----
|Date|Target|Details|
|---|---|---|
|Apr. 2017|Korea - ?|Attacked via a Korean secure USB; reported by Palo Alto Unit 42 in 2018|
|May 2018|Korea - Supposedly National Defense|Attacked with a Bisodown variant; with national defense documents used as bait, national defense officials are assumed to have been the targets|
|May 2018|Korea - Political Organization|Attacked with Bisodown|
|Aug. 2018|Korea - National Defense|Attacked with Bisodown variant; the variant was found together with a keylogger, named linkinfo.dll, on the infected system|
|Sep. 2018|Korea - Political Organization|Attacked with Datper variant|
|Jan. 2019|Korea - Information Security|Attacked with Datper variant; reported by JPCERT in Feb. 2019|
|Jan. 2019|Korea - Web Hosting|Identical to the malware found at a Korean information security company in Jan. 2019|
|Feb. 2019|Korea - Electronic Components|Attacked with Datper variant; reported by JPCERT in Feb. 2019|
|Feb. 2019|Korea - IT Service|Attacked with Datper variant; identical to the malware that attacked a Korean electronic components company|
-----
### 02 Stage 0 – Preparation for Attack
-----
###### • Nforce11-02 v1.0
- Malicious PDF creation
- CheCheCheChe2010 prototype
-----
###### • NetBoy 1.21 (2011)
- Builder/Controller
-----
###### • Xxmm v1.0 (2014)
- File name: gh0st.exe
-----
###### • NetShadow v1.0 (2015)
-----
###### • xxmm2_steganography.exe (2015)
-----
###### • xxmm2_build (2015)
-----
###### • ShadowDawn (2016)
- wali_build.exe, shadowDawn.exe
-----
###### • NetGhost v2.1 & v2.41 (2017)
-----
### 03 Stage 1 – Dropper, Downloader
-----
###### • Dropper
- Disguised as the original program → creates the downloader
-----
###### • Bisodown (Cpycat, HomamDownloader)
- Discovered between April 2014 and Feb. 2019
- Downloader → also used by the Tonto Group
-----
###### • GhostDown
- Discovered between Feb. 2013 and Feb. 2018
- Encrypted strings, such as API addresses and the C&C address (generally XOR 0xDF)
-----
###### • Created domains at certain websites
- dnsever etc.
-----
###### • Gofarer
-----
### 04 Stage 2 – Backdoor, Stealer
-----
###### • Daserf (Muirim, Nioupale, Postbot)
- First discovered in 2009 (in Apr. 2011 in Korea)
- Mostly 30-40 KB (some are 100 KB or more)
- Versions exist in both Delphi and C
- Main functions: view file lists, execute commands with cmd.exe, upload/download/delete/execute/uninstall files
- C&C information encrypted in the version information and at the end of the file
-----
###### • Netboy (Domino, Invader, Kickesgo)
- Actively discovered after 2010; initial DLL-format version discovered in Korea in 2008
- Written in Delphi
- Major strings encrypted with XOR 0xC7
- Injected into a process such as Explorer.exe
- Functions include keylogging, screen capture, process listing, and program execution
- Code change (2012) → analysis disrupted by adding garbage values (2013)
-----
###### • Ninezero (9002)
- Discovered between 2012 and 2013
- Dropper 70 KB → backdoor DLL 33 KB
- Distinctive export function exists in the DLL file
- Netboy also found on some systems
-----
###### • Xxmm (KVNDM, Minzen, Murim, ShadowWali, Wali, Wrim)
- First discovered in 2015, actively used from 2016 (initial version includes the xxmm string)
- Initial version includes a distinctive PDB path ‘C:\Users\123\Desktop\shadowDoor\Release\loadSetup.pdb’ → removed after Dec. 2015
- Consists of a dropper, loader, and backdoor
- Creates files larger than 50 MB
- Encrypted communications via one-time AES and RC4 keys, active only at specific times
-----
###### • Xxmm (flowchart slide; only the step label “2. Drop” survives from the figure)
-----
###### • Datper
- Discovered between 2015 and March 2019
- Written in Delphi
- Active in Korea and Japan
- Garbage values embedded in the middle of the code
- Keylogger and Mimikatz found on the infected systems
-----
###### • Keylogger A (2011)
- Discovered between April and May 2011
- File name: keyll.exe
- User key input saved in c:\windows\log.txt
- Daserf found on the infected system
-----
###### • Keylogger B (2017~2018)
- Discovered between 2017 and 2018
- File names: apphelp.dll, k6.dll, linkinfo.dll, etc. (40-50 KB)
- Bisodown and Datper found on the infected systems
-----
###### • Keylogger C (2017~2018)
- Discovered between Apr. 2017 and Feb. 2018 → mainly found on Tickusb-infected systems
- File names: linkinfo.dll, netutils.dll
- Key input saved to a log file
-----
###### • Tickusb (SymonLoader)
- Found to be active from spring 2014 to Nov. 2017 (possibly even before Sep. 2012)
- First analysis disclosed by Unit 42 in Jun. 2018
- Saved information leaked and data modified when a USB flash drive is connected
- Some variants found on the Korean secure USB flash drive → executes by reading data from a specific area → execution code unchecked
- Modified EXE file and patched ALYAC25.EXE file found on some modified USB flash drives
• Composition of Tickusb
- Consists of an EXE file, which includes the essential code, and a DLL, which acts as the loader
- Main functions of the DLL (loader): executes the Tickusb EXE when a USB flash drive is connected; downloads additional files
- Main functions of the EXE file: collects information from the USB flash drive, infects EXE files, and patches ALYAC25.EXE
- Modified EXE on a USB flash drive: executes by creating a downloader or a Tickusb variant
-----
###### • Attack using the Korean secure USB flash drive
- Performs malware infection via variant-installing programs
- Presumed to be an attempt to attack network-isolated systems by using the Korean secure USB drive
-----
###### • Flowchart of Tickusb
-----
### 05 Stage 3 – Internal Reconnaissance
-----
###### • Anti 1.03
-----
###### • Hijack v2.0
- Disguised as a Hancom file (C:\HNC\Hwp70\hwp70.exe)
- ARP spoofing function
-----
###### • WCE (Windows Credentials Editor)
- File signed with a Heruida Electronic credential found (2016)
-----
###### • Mimikatz
- mi.exe, mi2.exe, m3.exe, m32.exe
-----
###### • NetTool (1,051,648 ~ 4,168,192 bytes)
- Initially discovered in early September 2018
- Major file names: comhost.exe, conh0st.exe, dllh0st.exe, dt.tmp, spoolsv.exe, taskh0st.exe, w3wp.exe
- 0.10 alpha: 32-bit; 1.34: 64-bit
-----
### 06 Connections
-----
(Connections diagram: nodes Gofarer, Ghostdown, Bisodown, Daserf, Netboy, Ninezero, Xxmm, Datper, Bisonal, Emdivi, wce.exe, mimikatz (mi.exe, m3.exe), Tick; edge labels “Signed by Heruida Electronic Technology”, “Similar Builders”, “softi.co.kr”, “same Encoding”, “Blue termite”.)
-----
###### • Correlations with C2
- amamihanahana.com: Xxmm, Datper
- 211.13.196.164: Datper, Emdivi (campaign Blue Termite)
-----
### 07 Conclusion
-----
###### • The Tick Group is a threat actor that has been active in Korea and Japan for the past 10 years!
• Question 1. Are they the same group?
- Existence of malware builders
- Same code reused
• Question 2. Connection to the Tonto Team
- Some malware is used simultaneously
- Some infrastructure, such as C&C, is shared
- What is the connection between these groups? Collaboration? Same group? Coincidence?
• Necessity of collaboration
- Collaboration is required between the researchers of Korea and Japan, who are experiencing similar active attacks
-----
# Thank you!
##### CHA Minseok (Jacky)
###### minseok.cha@ahnlab.com mstoned7@gmail.com @mstoned7
-----
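The NetTool slide in Stage 3 lists file names that imitate Windows binaries (a digit zero in place of the letter o, as in conh0st.exe) together with a size range, and the Keylogger B/C slides list DLL names that legitimately exist only under System32. The triage script below is an added example, not the talk's or AhnLab's tooling: it scores a file inventory against those indicators. The expected-directory table and the inventory records are this example's own assumptions, constructed for the demo.

```python
"""Triage a file inventory against the file-name indicators in the deck (added example)."""
import ntpath

# NetTool file names and size range, as listed on the Stage 3 slide.
NETTOOL_NAMES = {"comhost.exe", "conh0st.exe", "dllh0st.exe", "dt.tmp",
                 "spoolsv.exe", "taskh0st.exe", "w3wp.exe"}
NETTOOL_SIZE = (1_051_648, 4_168_192)

# Where the genuine Windows files of these names live. This table is an
# assumption of the example (not from the deck); a copy anywhere else is suspect.
EXPECTED_DIR = {
    "conhost.exe": r"c:\windows\system32",
    "dllhost.exe": r"c:\windows\system32",
    "taskhost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "w3wp.exe": r"c:\windows\system32\inetsrv",
    "linkinfo.dll": r"c:\windows\system32",   # Keylogger B/C file name
    "netutils.dll": r"c:\windows\system32",   # Keylogger C file name
}


def triage(path, size):
    """Return the reasons (possibly none) a file record resembles a Tick artefact."""
    directory, name = ntpath.split(path.lower())
    reasons = []
    if name in NETTOOL_NAMES and NETTOOL_SIZE[0] <= size <= NETTOOL_SIZE[1]:
        reasons.append("NetTool name and size range")
    # Digit-zero-for-letter-o look-alikes such as conh0st / dllh0st / taskh0st.
    normalized = name.replace("0", "o")
    if normalized != name and normalized in EXPECTED_DIR:
        reasons.append("look-alike of " + normalized)
    expected = EXPECTED_DIR.get(name)
    if expected and directory != expected:
        reasons.append("system file name outside " + expected)
    return reasons


def hunt(inventory):
    """Map every flagged path in (path, size) records to its list of reasons."""
    findings = {}
    for path, size in inventory:
        reasons = triage(path, size)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed inventory records (path, size in bytes).
INVENTORY = [
    (r"C:\Windows\System32\conhost.exe", 900_000),          # benign
    (r"C:\Windows\Temp\conh0st.exe", 2_097_152),            # NetTool look-alike
    (r"C:\ProgramData\spoolsv.exe", 4_000_000),             # misplaced system name
    (r"C:\Users\Public\linkinfo.dll", 45_056),              # keylogger DLL name
    (r"C:\Windows\System32\inetsrv\w3wp.exe", 500_000),     # benign IIS worker
]
```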