# Tracking Tick Through Recent Campaigns Targeting East Asia **[blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html](https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html)** [This blog post is authored by Ashlee Benge and Jungsoo An, with contributions from](https://twitter.com/ashtr0nautt) [Dazhuo Li.](https://www.linkedin.com/in/dazhuo/) ## Summary Since 2016, an advanced threat group that Cisco Talos is tracking has carried out cyberattacks against South Korea and Japan. This group is known by several different names: Tick, Redbaldknight and Bronze Butler. Although each campaign employed custom tools, Talos has observed recurring patterns in the actor's use of infrastructure, from overlaps in hijacked command and control (C2) domains to differing campaign C2s resolving to the same IP. These infrastructure patterns indicate similarities between the Datper, xxmm backdoor, and Emdivi malware families. In this post, we will dive into these parallels and examine the methods used by this actor. ## Introduction The APT threat actor known as "Tick," "Bronze Butler," and "Redbaldknight" has conducted espionage campaigns since 2016 against East Asian countries such as Japan and South [Korea [1]. Talos analyzed a recent campaign in which compromised websites located in](https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/) South Korea and Japan were used as C2 servers for samples belonging to the malware family known as "Datper," which has the ability to execute shell commands on the victim machine and obtain hostnames and drive information. Talos found potential links in shared infrastructure between the malware families Datper, xxmm backdoor, and Emdivi, each of which has been attributed to this threat actor under one of the above three aliases. We obtained this Datper variant through VirusTotal. The sample, written in Delphi code, was submitted toward the end of July 2018. Although the exact attack vector is unclear, the threat actor appears to have selected a legitimate-but-vulnerable Korean laundry service website to host their C2, shown below. ----- Legitimate Korean laundry site used as Datper C2 host. The website, located at whitepia[.]co.kr, does not use SSL encryption or certificates. The specific URL used for C2 communication is: hxxp://whitepia[.]co[.]kr/bbs/include/JavaScript.php Once executed, the Datper variant creates a mutex object called "gyusbaihysezhrj" and retrieves several pieces of information from the victim machine, including system information and keyboard layout. Afterward, the sample attempts to issue an HTTP GET request to the above C2 server, which at the time of this writing, resolved to the IP 111[.]92[.]189[.]19. An example of this request is: GET /bbs/include/JavaScript.php?ycmt=de4fd712fa7e104f1apvdogtw HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: whitepia[.]co.kr Cache-Control: no-cache Unfortunately, at the time of this investigation, the C2 server was unavailable, preventing Talos from investigating C2 communications in greater detail. However, Talos was able to analyze a previous campaign from 2017, which employed a similar sample from this family and used a slightly different mutex, "d4fy3ykdk2ddssr." All samples in the diagram below, associated with the 2017 campaign, implemented mutex object "d4fy3ykdk2ddssr," likely to prevent access from other processes during execution. ----- Structure of C2 communications from the 2017 campaign. The actor behind this campaign deployed and managed their C2 infrastructure mainly in South Korea and Japan. We confirmed that the actor periodically changed their C2 infrastructure and appears to have a history of identifying and penetrating vulnerable websites located in these countries. In addition to whitepia[.]co[.]kr, we identified other instances of compromised websites used as C2 servers. It is possible the malware samples are being delivered using web-based attacks, such as drive-by downloads or watering hole attacks. Additionally, Talos identified hosts used as C2 servers that may not be connected to a compromised website. This indicates the possibility that the threat actor may have initially deployed their C2 server infrastructure on legitimately obtained (and potentially purchased) hosts. Overlaps in the compromised websites used as C2 domains suggest links to another malware family known as "xxmm backdoor" (or alternatively, "Murim" or "Wrim"), a malware family that allows an attacker to install additional malware. The GET request URI paths of xxmm backdoor and Datper are similar, as seen below: **xxmm backdoor: hxxp://www.amamihanahana.com/diary/archives/a_/2/index.php** **Datper: hxxp://www.amamihanahana.com/contact/contact_php/jcode/set.html** Based on the findings above, both tools have used the same websites located in Japan in their C2 infrastructure since 2016. The xxmm sample, shown on the right-hand side of the diagram above, has the hash [397a5e9dc469ff316c2942ba4b503ff9784f2e84e37ce5d234a87762e0077e25 [2].](https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors) The extracted PDB debug symbol paths from the sample are: C:\Users\123\Documents\Visual Studio 2010\Projects\shadowWalker\Release\BypassUacDll.pdb ----- 2010\Projects\shadowWalker\Release\loadSetup.pdb C:\Users\123\documents\visual studio 2010\Projects\xxmm2\Release\test2.pdb C:\Users\123\Desktop\xxmm3\x64\Release\ReflectivLoader.pdb In addition to the links between Datper and xxmm backdoor, a recent Datper variant compiled in March 2018 used a legitimate website as a C2, which resolved to the IP 211[.]13[.]196[.]164. This same IP was used as C2 infrastructure by the Emdivi malware family — a trojan that opens a backdoor on the compromised machine — and was [attributed to the threat actor behind the campaign "Blue termite" [3].](https://blog.jpcert.or.jp/2015/11/emdivi-and-the-rise-of-targeted-attacks-in-japan.html) Structure of 2018 Datper and Emdivi campaigns. Our passive DNS lookup data of Resource Records (RR) for domains used by Datper and Emdivi further suggest that this IP was used by both malware families. Resource record for Datper. Resource record for Emdivi. ## Conclusion Talos' investigation into attacks conducted by this actor indicates commonalities between the Datper, xxmm backdoor, and Emdivi malware families. Specifically, these similarities ----- and may have been purchased by the attacker. Successful attacks utilizing these malware families may result in shell commands being run on victim machines, resulting in a potential leak of sensitive information. Cisco security products protect our customers in a range of ways, detailed below. ## Coverage Additional ways our customers can detect and block this threat are listed below. Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. Email Security can block malicious emails sent by threat actors as part of their campaign. Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. ## IOCs: **Hashes** **Datper** c2e87e5c0ed40806949628ab7d66caaf4be06cab997b78a46f096e53a6f49ffc 569ceec6ff588ef343d6cb667acf0379b8bc2d510eda11416a9d3589ff184189 d91894e366bb1a8362f62c243b8d6e4055a465a7f59327089fa041fe8e65ce30 ----- 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849 2f6745ccebf8e1d9e3e5284a895206bbb4347cf7daa2371652423aa9b94dfd3d 4149da63e78c47fd7f2d49d210f9230b94bf7935699a47e26e5d99836b9fdd11 a52c3792d8cef6019ce67203220dc191e207c6ddbdfa51ac385d9493ffe2a83a e71be765cf95bef4900a1cef8f62e263a71d1890a3ecb5df6666b88190e1e53c **xxmm backdoor** 397a5e9dc469ff316c2942ba4b503ff9784f2e84e37ce5d234a87762e0077e25 **Emdivi** 9b8c1830a3b278c2eccb536b5abd39d4033badca2138721d420ab41bb60d8fd2 1df4678d7210a339acf5eb786b4f7f1b31c079365bb99ab8028018fa0e849f2e **IPs used for C&C communication** 202[.]218[.]32[.]135 202[.]191[.]118[.]191 110[.]45[.]203[.]133 61[.]106[.]60[.]47 52[.]84[.]186[.]239 111[.]92[.]189[.]19 211[.]13[.]196[.]164 **C&C servers resolving to malicious IPs** hxxp://www.oonumaboat[.]com/cx/index.php hxxp://www.houeikai[.]or.jp/images/ko-ho.gif hxxp://www.amamihanahana[.]com/contact/contact_php/jcode/set.html hxxp://www.amamihanahana[.]com/diary/archives/a_/2/index.php hxxp://rbb.gol-unkai4[.]com/common/include/index-visual/index.htm hxxp://www.whitepia[.]co.kr/bbs/include/JavaScript.php hxxp://www.adc-home[.]com/28732.html hxxp://www.sakuranorei[.]com.com/blog/index.php -----