Group remained undetected for at least ten years

Apr 29, 2016 18:20 GMT

A covert cyber-espionage group is using compromised websites and spear-phishing emails to deliver a backdoor trojan to organizations in Japan, with the aim of stealing sensitive information and proprietary technology.

Security firm Symantec discovered the group in July 2015, when it observed compromised websites serving the Gofarer downloader through drive-by download attacks that relied on a Flash exploit. Gofarer, in turn, downloaded and installed the Daserf backdoor.

The researchers also say the group sometimes ran spear-phishing campaigns with malicious email attachments which, when opened, exploited CVE-2014-4114 (the Windows OLE Package Manager vulnerability, reached through crafted Microsoft Office documents) to install the Daserf backdoor.

Tick group has been active since 2006, interested in Japanese firms

Up to this point, the group, which Symantec named Tick, was following a pattern common to most cyber-espionage campaigns. Things became interesting when researchers found evidence of the group's activity going back at least ten years.

Security experts say Tick has been very active but very careful not to get detected. Its most recent drive-by download campaign is evidence of this: although it infected a large number of users who visited the compromised websites, the group deployed the backdoor only on the targets it was actually seeking.

According to Symantec, the group has a penchant for Japanese businesses and has targeted at least seven companies in the technology, aquatic engineering, and broadcasting sectors.

Tick uses custom malware, is very well organized

All of Tick's malware is custom-made, and in some attacks the group has even gone to the length of digitally signing Daserf with stolen code-signing certificates so that the backdoor passes as legitimate software. A binary signed with a stolen certificate validates as genuine until that certificate is revoked, so signature status alone is not a trust signal.

In its usual MO, the group stages its malware on compromised servers and keeps its C&C (command and control) servers on separate infrastructure, although in a few rare cases Symantec found C&C servers hosted on compromised websites as well.

Another notable detail is that the attackers tend to build their malware first and register the domains it communicates with only a few days later. This suggests the group works from a well-defined plan, with some operations prepared well ahead of time.

To avoid detection, Daserf also uses a technique that is unusual for a backdoor. Instead of exfiltrating stolen data to its C&C server as soon as it collects it, Daserf stages the data locally inside a password-protected RAR archive.
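Hunting for this kind of staging does not require the attacker's password: the RAR header format records whether an archive's entries are encrypted, so a scanner can flag password-protected archives from the headers alone, regardless of file extension. The script below is an added example and is not Symantec's tooling or Tick's code. It parses RAR4 block headers fully (MHD_PASSWORD on the main header, LHD_PASSWORD on each file header); for RAR5 it only recognises the archive-level encryption header and does not inspect per-file encryption records. Header CRCs are not verified, and the sample archive bytes it scans are constructed in the script rather than taken from a real Daserf infection.

```python
"""Flag RAR archives whose headers say their contents are password-protected.

Added example (not Symantec's or Tick's code). RAR4 headers are walked in
full; RAR5 is checked only for the archive-level encryption header. CRCs are
not verified, and the sample archives below are constructed for the demo.
"""
import os
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080   # RAR4 main header: all following headers are encrypted (-hp)
LHD_PASSWORD = 0x0004   # RAR4 file header: this entry's data is encrypted (-p)
LHD_LARGE = 0x0100      # RAR4 file header: 8 extra bytes of 64-bit sizes precede the name
LONG_BLOCK = 0x8000     # RAR4 block carries ADD_SIZE (packed data length) after HEAD_SIZE


def _vint(data: bytes, pos: int):
    """Read a RAR5 variable-length integer (7 bits per byte, MSB = continue)."""
    value, shift = 0, 0
    while pos < len(data):
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated vint")


def scan_rar(data: bytes) -> dict:
    """Report encrypted headers / entries found in the leading bytes of a RAR file."""
    result = {"format": None, "encrypted_headers": False, "encrypted_files": [], "files": []}
    if data.startswith(RAR5_SIG):
        result["format"] = "rar5"
        pos = len(RAR5_SIG) + 4                 # skip the 4-byte header CRC32
        _, pos = _vint(data, pos)               # header size (unused here)
        head_type, _ = _vint(data, pos)
        result["encrypted_headers"] = head_type == 4   # 4 = archive encryption header
        return result
    if not data.startswith(RAR4_SIG):
        return result
    result["format"] = "rar4"
    pos = len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, pos)
        add_size = 0
        if head_flags & LONG_BLOCK and pos + 11 <= len(data):
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        if head_type == MAIN_HEAD and head_flags & MHD_PASSWORD:
            result["encrypted_headers"] = True
            break                               # everything after this is ciphertext
        if head_type == FILE_HEAD and pos + 28 <= len(data):
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if head_flags & LHD_LARGE else 0)
            raw = data[name_off:name_off + name_size].split(b"\x00", 1)[0]
            name = raw.decode("utf-8", "replace")
            result["files"].append(name)
            if head_flags & LHD_PASSWORD:
                result["encrypted_files"].append(name)
        if head_type == END_HEAD or head_size < 7:
            break
        pos += head_size + add_size
    return result


def is_suspicious(result: dict) -> bool:
    """Staging heuristic: any password protection in an archive deserves a look."""
    return result["encrypted_headers"] or bool(result["encrypted_files"])


def scan_tree(root: str):
    """Yield (path, result) for every file under root that starts with a RAR signature.

    Only the first MiB is read, so entries placed after a very large first
    packed file are not seen; widen the read if that matters for your data.
    """
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)
            except OSError:
                continue
            res = scan_rar(head)
            if res["format"]:
                yield path, res


def build_rar4_sample(password_protected: bool) -> bytes:
    """Constructed RAR4 bytes for the demo (CRCs zeroed, 16 dummy bytes of 'packed' data)."""
    name, payload = b"staged.txt", b"\x00" * 16
    main_head = struct.pack("<HBHHHI", 0, MAIN_HEAD, 0, 13, 0, 0)
    flags = LONG_BLOCK | (LHD_PASSWORD if password_protected else 0)
    file_head = struct.pack("<HBHH", 0, FILE_HEAD, flags, 32 + len(name))
    file_head += struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20)
    end_head = struct.pack("<HBHH", 0, END_HEAD, 0x4000, 7)
    return RAR4_SIG + main_head + file_head + name + payload + end_head


def build_rar5_sample(header_encrypted: bool) -> bytes:
    """Constructed RAR5 prefix: signature, zero CRC, size vint, type vint (4 = encrypted)."""
    body = bytes([4 if header_encrypted else 1]) + b"\x00" * 4
    return RAR5_SIG + b"\x00\x00\x00\x00" + bytes([len(body)]) + body


if __name__ == "__main__":
    for label, blob in [("rar4 -p", build_rar4_sample(True)), ("rar4 plain", build_rar4_sample(False)),
                        ("rar5 -hp", build_rar5_sample(True))]:
        print(label, scan_rar(blob), "SUSPICIOUS" if is_suspicious(scan_rar(blob)) else "ok")
```

To use it on a host, point scan_tree at user profile and temp directories and review every hit where is_suspicious is true; because detection keys on the RAR signature rather than the extension, a staging archive renamed to .dat or .tmp is still caught.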

"Tick appears to be a well-organized group, with the funding and capability to develop and update its malware," Symantec's Jon DiMaggio explains. "Tick exhibits all the hallmarks of an advanced cyberespionage group. The long lifespan of the group, as well as the consistent targeted attacks against specific industries, support this theory."

Images in the original article: Infection chain for Tick's malware; Daserf infections by region.