## MENU **[Get Support | English [change]](https://live.paloaltonetworks.com/t5/custom/page/page-id/Support)** **[Blog Home > Unit 42 > “Tick” Group Continues Attacks](https://researchcenter.paloaltonetworks.com/)** # “Tick” Group Continues Attacks **[By Kaoru Hayashi](https://researchcenter.paloaltonetworks.com/author/kaoru-hayashi/)** **July 24, 2017 at 6:00 PM** **[Category: Unit 42](https://researchcenter.paloaltonetworks.com/unit42/)** **[Tags: 9002, Daserf, Datper, Gh0st, HomamDownloader, JAPAN KOREA, Minzen,](https://researchcenter.paloaltonetworks.com/tag/9002/)** **[NamelessHdoor, Tick](https://researchcenter.paloaltonetworks.com/tag/namelesshdoor/)** **467** **(0)** **The “Tick” group has conducted cyber espionage attacks against organizations in the** **Republic of Korea and Japan for several years. The group focuses on companies that have** **intellectual property or sensitive information like those in the Defense and High-Tech** **industries. The group is known to use custom malware called Daserf, but also employs** **multiple commodity and custom tools, exploit vulnerabilities, and use social engineering** **techniques.** **Regarding the command and control (C2) infrastructure, Tick previously used domains** **registered through privacy protection services to keep their anonymity, but have moved to** **compromised websites in recent attacks. With multiple tools and anonymous infrastructure,** **they are running longstanding and persistent attack campaigns. We have observed that the** **adversary has repeatedly attacked a high-profile target in Japan using multiple malware�** **families for the last three years.** ### Tick Tools **[Symantec was first to publicly report on Tick, followed by �LAC in 2016. These reports](https://www.symantec.com/connect/blogs/adobe-zero-day-used-ladyboyle-attack)** **discussed the group’s malware, Daserf (a.k.a Muirim or Nioupale) and some additional** **downloader programs. Though Daserf wasn’t a popular attack tool at the time of publishing** **[the two reports, it dates back to at least 2011. Using AutoFocus, we were able to identify the](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/autofocus)** **link among Daserf and two other threats, 9002 and Invader. These threats shared** **infrastructure between July 2012 and April 2013.** **_Figure 1 Sharing C2 servers among threats_** **Invader (a.k.a Kickesgo) is a backdoor that injects its main code into a legitimate process,** ----- **Captures screenshots** **Opens cmd.exe shell** **Enumerates processes** **Executes programs** **Removes itself** **Enumerates all opening TCP and UDP ports** **9002 is the infamous RAT frequently seen in targeted attacks reported by various security** **[vendors, including Palo Alto Networks. Interestingly, the C2 servers linking 9002 to Daserf](https://researchcenter.paloaltonetworks.com/tag/9002/)** **[were described in the report of an Adobe Flash Zero-day attack from FireEye in 2013. These](https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html)** **domains were registered through the privacy protection services in 2008 and 2011.** **krjregh.sacreeflame[.]com�** **lywja.healthsvsolu[.]com** **Though we don’t know the targets of these malware samples at the time of writing this article,** **we suspect the same group is behind these threats for a number of reasons. The samples of** **Daserf that shared infrastructure were submitted to VirusTotal only from Japan multiple times** **in 2013. As noted in a later section, another Invader sample shared different C2 servers with�** **Daserf. Symantec reported that Tick exploited additional Adobe Flash and Microsoft Office�** **[vulnerabilities. SecureWorks said the adversary group is abusing a previously undisclosed](https://www.secureworks.jp/resources/rp-bronze-butler)** **vulnerability in Japanese Software Asset Management system on endpoints. Therefore, Tick** **or their digital quartermaster is capable of deploying new and unique exploits.** ### Minzen and Nameless Backdoor **In July 2016, we identified a compromised website in Japan that was hosting a Daserf variant.�** **The web server was also a C2 server for another threat, Minzen (a.k.a, XXMM, Wali, or** **ShadowWali). The threat often uses compromised web servers in Japan and the Republic of** **Korea.** **[As Kaspersky and Cybereason recently posted, Minzen is a modular malware that has both](https://securelist.com/blog/research/78010/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/)** **32-bit and 64-bit components in its resource section or configuration data in its body. One of�** **the Minzen samples (SHA256:** **9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2) found in the�** **Republic of Korea in December 2016 installs simple backdoor module as a final payload on a�** **compromised computer. It opens a TCP port and receives commands from a remote attacker.** **According to the debug path in the body, the author of the tool called it “NamelessHdoor,”** **and its internal version is identified as “V1.5.”�** **_Figure 2 Debug path left in the backdoor module in Minzen_** **The payload is based on “Nameless Backdoor” which has been publicly available for more** **than ten years. The oldest code we could identify was hosted on a famous Chinese source** **code sharing site since 2005. The author of the NamelessHdoor appears to have created** **additional versions of the Nameless Backdoor by removing unnecessary functions, and** **[added open-source DLL injection code from ReflectiveDLLLoader�.](https://github.com/stephenfewer/ReflectiveDLLInjection)** ----- **_Figure 3 Nameless Backdoor posted on Chinese Source File Sharing Site_** **There is minimal public information regarding the Nameless Backdoor, except for the** **[interesting report from Cyphort in 2015. The researcher of the company analyzed multiple](https://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-institution/)** **threats, including Invader, Nioupale(Daserf) and Hdoor found in an attack against an Asian** **financial institution. We examined the sample described in the report as Hdoor and found it’s�** **a previous version of the NamelessHdoor we discovered in the Minzen sample, but without** **support for DLL injection.** **_Figure 4 Strings in NamelessHdoor sample found in 2015_** ### Shared Infrastructure and Cipher Code with Custom Gh0st **Other interesting samples in the report are dllhost.exe and Shell64.dll. We don’t have the** **same files but found possible variants close to their description in the article. These include�** **the following:** **Executable files that connect to the same remote server, blog.softfix.co[.]kr:80,�** **download a DLL file and execute the ‘lowmain’ export function.�** **DLL files have ‘lowmain’ and ‘main’ exports.�** **It turned out that the DLL files we found are a custom variant of Gh0st RAT, and the EXE files�** ----- **The domain, softfix.co[.]kr was registered in 2014. One of subdomains, news.softfix.co[.]kr�** **was the C2 server of Daserf (SHA256:** **9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423). Another** **subdomain, bbs.softfix.co[.]kr was hosted on same IP address as bbs.gokickes[.]com, which�** **was reported as the C2 server of Invader by Cyphort. We also identified www.gokickes[.]com�** **was the C2 of another Invader variant (SHA256:** **57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb).�** **In addition to the infrastructure, the attacker also shared code. The Gh0st downloaders** **employ simple substitution ciphers for hiding strings.** **_Figure 5 Decryption code in Gh0st Downloader_** **The cipher converts one character to another based on a substitution table, which can be** **seen below. As an example, the character ‘K’ in plain text is changed to ‘5’ in cipher text, ‘h’** **is converted to ‘j’ and so on. The string ‘connect’ was encoded to ‘zF((0za’ using this table.** **Text** **characters** **plain text** **KhL9V1ds5Z”QnfNC&Fb8xGr-()<>[]{}|+THce;0%7Oiz#W DE6qS?** **aw./BJlk,yUPjgI ^@$*tumYA'p2RoX=v_:M43** **cipher text** **5j2Cnx^@$*(){}|+mX k3DK’LGchHNPgZ,z0T8_sRU7)<>”[lBpdfI#%bu;yt-** **YeoW?4vAMQVa.6qJi:=wFO9&/1ESr** **_Table 1 Substitution Table used in Gh0st Downloader_** **The following Python script can decipher the encoded string.** |Text|characters| |---|---| |plain text|KhL9V1ds5Z”QnfNC&Fb8xGr-()<>[]{}|+THce;0%7Oiz#W DE6qS? aw./BJlk,yUPjgI ^@$*tumYA'p2RoX=v_:M43| |cipher text|5j2Cnx^@$*(){}|+mX k3DK’LGchHNPgZ,z0T8_sRU7)<>”[lBpdfI#%bu;yt- YeoW?4vAMQVa.6qJi:=wFO9&/1ESr| **1** **2** **3** **4** **5** **6** **7** **8** **9** **10** **plaintext = "KhL9V1ds5Z\"QnfNC&Fb8xGr-()<>[]{}|+THce;0%7Oiz#W DE6qS?aw./BJlk,yU** **ciphertext = "5j2Cnx\`^@$*(]{}|+mX k3DK'LGchHNPgZ,z0T8_sRU7)<>\"[lBpdfI#%bu;yt-YeoW** **enc_string = "zF((0za"** **dec_strings = ''** **for** **c** **in** **enc_string:** **dec_strings += plaintext[ciphertext.find(c)]** **print dec_strings** **The exact same table for simple substitution cipher is used in a variant of Daserf (SHA256:** **01d681c51ad0c7c3d4b320973c61c28a353624ac665fd390553b364d17911f46). We also** ----- **code, we believe the incident reported by Cyphort have ties to Tick. The following tables were** **identified for their associated malware samples:�** **Minzen** **(SHA256:26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82):** **1** **2** **plain text = "5j2Cnx`^@$*(]{}|+mX k3DK'LGc!hHNPgZ,z0T8_sRU7)<>"[lBpdfI#%bu;yt-YeoW?** **cipher text = "KhL9V1ds5Z"QnfNC&Fb8xGr-()<>[]{}|+THce;0%7O!iz#W DE6qS?aw./BJlk,yU** **Datper (SHA256:** **7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849):** **1** **2** **plain text = "KhL9V1ds5Z"QnfNC&Fb8xGr-()<>[]{}|+THce;0%7O!iz#W DE6qS?aw./BJlk,yU** **cipher text = "5j2Cnx`^@$*(]{}|+mX k3DK'LGc!hHNPgZ,z0T8_sRU7)<>"[lBpdfI#%bu;yt-YeoW?** ### Spearphishing Email with Patched File Encryption Program **We also identified another malware family, HomamDownloader, sharing some servers with�** **Daserf. An overview of the connections among these threats is discussed in below.** **_Figure 6 Links among threats and servers_** **HomamDownloader is a small downloader program with minimal interesting characteristics** **from a technical point of view. HomamDownloader was discovered to be delivered by Tick via** **a spearphishing email. The adversary crafted credible email and attachment after** **understanding the targets and their behavior.** **The email below was sent from a personal email account with a subject line of “New Year** ----- **extension from ._X_ to .exe and opening it with the password specified in the email to�** **view the Happy New Year eCard in the correct and polite language.** **_Figure 7 Spearphishing Email with HomamDownloader_** **The image above is translated to the following in English:** **_Dear XXXX,_** **_Heartfelt Greetings for the New Year._** **_Thank you very much for your support over the past year._** **_I will greatly appreciate your further guidance and encouragement._** **_Would you please change the file extension of the attachment from “._X_” to “.exe” and open�_** **_it?_** **_Password is “nengajyo”._** **For those who are not familiar with Japanese companies, the email must look suspicious,** **especially given that the executable file attachment has the incorrect file extension. However,�** **this may look legitimate in some cases. Many Japanese companies introduced a file�** **encryption system for secure data exchange over email. The system encrypts documents** **with a user-specified password and often creates a self-extracting (SFX) file for ease of�** ----- **the attachment by an email gateway or security product. The adversary may know Japanese** **enterprise users exchange these emails in such a way and crafts the spearphishing email in** **the same manner.** **In addition to the social engineering email technique, the attacker also employs a trick to the** **attachment. The actor embedded malicious code to a resource section of the legitimate SFX** **file created by a file encryption tool, and modified the entry point of the program for jumping�** **to the malicious code soon after the SFX program starts. The malicious code drops** **HomamDownloader, then jumps back to the regular flow in the CODE section, which in turn�** **asks the user the password and decrypts the file. Therefore, once a user executes the�** **attachment and sees the password dialog on SFX, the downloader dropped by the malicious** **code starts working even if the user chooses the Cancel on the password window. Should the** **user become aware of the infection later, it may be difficult to find the cause due to the fact�** **that the original embedded file contained within the SFX is benign.�** **_Figure 8 Execution flow of Patched SFX file�_** ### Conclusion **Tick was spotted last year, but they are actively and silently attacking various organizations in** **South Korea and Japan for a number of years. While some of the group’s tools, tactics, and** **procedures (TTPs) have been covered within this article, it is likely there is much that still** **remains uncovered.** **Palo Alto Networks customers are protected by these threats in the following ways:** ----- **2. All identified domains have been classified as malicious.�** **3. AutoFocus users can track the malware described in this report using Tick campaign tag** **and various malware tags.** **4. Customers running Traps are protected from the discussed threats.** ### Indicator of compromise **SHA256** **Daserf** **04080fbab754dbf0c7529f8bbe661afef9c2cba74e3797428538ed5c243d705a** **f8458a0711653071bf59a3153293771a6fb5d1de9af7ea814de58f473cba9d06** **e8edde4519763bb6669ba99e33b4803a7655805b8c3475b49af0a49913577e51** **21111136d523970e27833dd2db15d7c50803d8f6f4f377d4d9602ba9fbd355cd** **9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423** **Invader** **0df20ccd074b722d5fe1358b329c7bdebcd7e3902a1ca4ca8d5a98cc5ce4c287** **e9574627349aeb7dd7f5b9f9c5ede7faa06511d7fdf98804526ca1b2e7ce127e** **57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb�** **9002** **933d66b43b3ce9a572ee3127b255b4baf69d6fdd7cb24da609b52ee277baa76e** **2bec20540d200758a223a7e8f7b2f98cd4949e106c1907d3f194216208c5b2fe** **055fe8002de293401852310ae76cb730c570f2037c3c832a52a79b70e2cb7831** **Minzen** **797d9c00022eaa2f86ddc9374f60d7ad92128ca07204b3e2fe791c08da9ce2b1** **9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2�** **26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82** **NamelessHdoor** **dfc8a6da93481e9dab767c8b42e2ffbcd08fb813123c91b723a6e6d70196636f�** **Gh0stRAt Downloader** **ce47e7827da145823a6f2b755975d1d2f5eda045b4c542c9b9d05544f3a9b974** **e34f4a9c598ad3bb243cb39969fb9509427ff9c08e63e8811ad26b72af046f0c�** **Custom Gh0st** **8e5a0a5f733f62712b840e7f5051a2bd68508ea207e582a190c8947a06e26f40** **Datper** **7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849** **HomamDownloader** **a624d2cd6dee3b6150df3ca61ee0f992e2d6b08b3107f5b00f8bf8bcfe07ebe7** ----- **lywjrea.gmarketshop[.]net** **krjregh.sacreeflame[.]com�** **psfir.sacreeflame[.]com�** **lywja.healthsvsolu[.]com** **phot.healthsvsolu[.]com** **blog.softfix.co[.]kr�** **news.softfix.co[.]kr�** **www.gokickes[.]com** **log.gokickes[.]com** **sansei.jpn[.]com** ### Got something to say? **Leave a comment...** **Notify me of followup comments via e-** **mail** **Name (required)** **Email (required)** **Website** **SUBMIT** **SUBSCRIBE TO NEWSLETTERS** ----- **COMPANY** **[Company](https://www.paloaltonetworks.com/company)** **[Careers](https://www.paloaltonetworks.com/company/careers)** **[Sitemap](https://www.paloaltonetworks.com/sitemap)** **[Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure)** **LEGAL NOTICES** **[Privacy Policy](https://www.paloaltonetworks.com/legal-notices/privacy)** **[Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use)** **ACCOUNT** **[Manage Subscription](https://www.paloaltonetworks.com/company/subscriptions)** **© 2016 Palo Alto Networks, Inc. All rights reserved.** **[TAKE A TEST DRIVE](http://connect.paloaltonetworks.com/virtual-utd)** -----