Companies deploy data loss prevention (DLP) solutions to stop internal data from unintentionally leaving their own network. But if the software provider itself is hacked, its customers are at risk as well. Supply chain attacks are among the frequently underestimated dangers, say the experts at IT security manufacturer ESET. They recently uncovered an attack on the network of an East Asian data loss prevention company whose customer portfolio also includes government and military institutions. ESET researchers attribute this attack with a high degree of probability to the APT group “Tick”. Judging by the group's profile, the aim of the attack was cyber espionage.
“During the infiltration of the provider, the attackers deployed at least three malware families. They also compromised internal update servers and added Trojans to installers of legitimate third-party tools. This ultimately led to the execution of malware on the computers of at least two customers,” explains ESET researcher Facundo Muñoz, who discovered Tick’s latest operation. “The hackers used the previously undocumented downloader ‘ShadowPy’, as well as the Netboy backdoor (aka Invader) and the Ghostdown downloader,” Muñoz continued.
First attack two years ago
ESET discovered a first attack in 2021 and immediately informed the DLP company. In 2022, ESET telemetry registered the execution of malicious code on the networks of two customers of the compromised vendor. Since the Trojanized installers were delivered via remote maintenance software, ESET Research suspects that the computers were infected during technical support by the DLP company. The manufacturer of the data loss prevention solution itself was also infected after two internal update servers distributed malicious code in its own network.
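The attack chain described above hinges on installers that came from a compromised update server and were therefore trusted by default. One defensive control is to verify every installer against a hash manifest whose own digest is pinned through a channel the update server cannot influence. The following is an added example written for this article, not code from ESET, the DLP vendor or the Tick report; the installer bytes, file name and manifest format are constructed for illustration.

```python
"""Integrity check for vendor installers against a manifest pinned out of band.

Added example (not ESET's or the vendor's code). Assumes the defender holds,
through a channel separate from the update server, the SHA-256 of a trusted
manifest that lists each installer and its expected SHA-256. All file contents
and names below are constructed stand-ins.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed sample installers: a legitimate one and a Trojanized copy of it.
GOOD_INSTALLER = b"MZ... legitimate third-party tool installer (constructed)"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\n# appended payload stub (constructed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(entries: Dict[str, str]) -> bytes:
    """Serialise a name -> SHA-256 mapping deterministically (sorted keys)."""
    return json.dumps(entries, sort_keys=True).encode()


# Trusted manifest as the vendor would publish it. Its digest is what the
# defender pins out of band (e.g. from a signed release note), so an attacker
# on the update server cannot swap installer and manifest together.
TRUSTED_MANIFEST = build_manifest({"tool-setup.exe": sha256_hex(GOOD_INSTALLER)})
PINNED_MANIFEST_DIGEST = sha256_hex(TRUSTED_MANIFEST)


def load_manifest(manifest_bytes: bytes, pinned_digest: str) -> Optional[Dict[str, str]]:
    """Accept the manifest only if it matches the digest pinned out of band.

    Returns None when the manifest itself has been altered, which is exactly
    the case when the update server has been compromised and serves a
    rewritten list of "expected" hashes alongside the Trojanized files.
    """
    if not hmac.compare_digest(sha256_hex(manifest_bytes), pinned_digest):
        return None
    return json.loads(manifest_bytes)


def verify_installer(name: str, data: bytes, manifest_bytes: bytes, pinned_digest: str) -> str:
    """Return one of 'ok', 'manifest-tampered', 'unknown-file', 'hash-mismatch'.

    Anything other than 'ok' means the installer must not be executed and the
    event should be raised with the vendor's security contact.
    """
    manifest = load_manifest(manifest_bytes, pinned_digest)
    if manifest is None:
        return "manifest-tampered"
    expected = manifest.get(name)
    if expected is None:
        return "unknown-file"
    if not hmac.compare_digest(expected, sha256_hex(data)):
        return "hash-mismatch"
    return "ok"


if __name__ == "__main__":
    # Legitimate installer passes; the Trojanized copy fails on its hash.
    print(verify_installer("tool-setup.exe", GOOD_INSTALLER, TRUSTED_MANIFEST, PINNED_MANIFEST_DIGEST))
    print(verify_installer("tool-setup.exe", TAMPERED_INSTALLER, TRUSTED_MANIFEST, PINNED_MANIFEST_DIGEST))
    # A manifest rewritten to match the Trojanized file fails the pinned digest.
    forged = build_manifest({"tool-setup.exe": sha256_hex(TAMPERED_INSTALLER)})
    print(verify_installer("tool-setup.exe", TAMPERED_INSTALLER, forged, PINNED_MANIFEST_DIGEST))
```

The point of pinning the manifest digest rather than the manifest alone is visible in the third case: once an update server is under attacker control, any hash list it serves is as untrustworthy as the installers, so the anchor of trust has to live somewhere the server cannot rewrite.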
New downloader called ShadowPy
The previously undocumented downloader ShadowPy was developed in Python and is loaded via a customized version of the open source project py2exe. ShadowPy contacts a remote server from which it receives new Python scripts, which are decrypted and executed.
The older Netboy backdoor supports 34 commands, including collecting system information, deleting a file, downloading and executing programs, capturing screen content, and executing mouse and keyboard events requested by its controller.
About the APT group Tick
Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group believed to have been active since at least 2006, primarily attacking countries in the APAC region. The group is known for its cyber espionage operations focused on the theft of classified information and intellectual property. Tick uses an exclusive, tailored malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration and downloading of other tools.
For more technical information about the recent Tick campaign, see the blog post “Tick APT group attacks DLP software developers in East Asia” on WeLiveSecurity.
Source:
Press release