Tick, a China-aligned cyberespionage actor, has been linked to the compromise of an East Asian data-loss prevention (DLP) company that caters to government and military entities.
The attackers gained access to the company's internal update servers, which they used to deliver malware, and trojanized installers of legitimate tools used by the company.
Tick has primarily targeted government, manufacturing, and biotechnology firms in Japan since at least 2006, but has also gone after lesser-known targets in Russia, Singapore, and China.
The group is believed to have gained access to the network of an East Asian software development company through unknown means, and then deployed a tampered version of a legitimate application called Q-Dir to drop an open source VBScript backdoor named ReVBShell, along with a previously undocumented downloader named ShadowPy. The attack also included variants of a Delphi backdoor called Netboy and another downloader named Ghostdown.
In February and June 2022, trojanized Q-Dir installers were transferred via remote support tools to two of the company's customers, an engineering firm and a manufacturing firm located in East Asia. These transfers were not a deliberate supply chain attack against the downstream customers; rather, the rogue installer was unknowingly used as part of the company's technical support activities.
The incident is also likely related to another unattributed cluster in May 2022 that involved the use of Microsoft Compiled HTML Help (.CHM) files to drop the ReVBShell implant.
Tick’s attack methodology typically involves spear-phishing emails and strategic web compromises as an entry point.
The group is known for its use of backdoors and downloaders to maintain persistent access, as well as deploying malicious loader DLLs along with legitimate signed applications vulnerable to DLL search-order hijacking.
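A defender's heuristic for the DLL search-order hijacking mentioned above, added here as an example and not code from the article or any vendor report: it flags DLLs sitting in an application's own directory whose names collide with DLLs Windows normally resolves from System32, the placement a malicious loader DLL relies on. The application directory and the short system-DLL list are constructed for the demonstration.

```python
"""Flag DLLs in an application directory that shadow Windows system DLLs.

Constructed example. On a real host the system-DLL set would be built from
%SystemRoot%\\System32 rather than the small hypothetical list used here.
"""
import os
import tempfile

# Constructed subset of DLL names Windows ordinarily loads from System32.
# A file with one of these names beside an application binary is worth
# inspecting, since the application directory is searched before System32.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll"}


def find_shadowing_dlls(app_dir, system_dlls=SYSTEM_DLLS):
    """Return the sorted, lower-cased names of DLLs in app_dir that
    collide with names in system_dlls; an empty list means no finding."""
    hits = []
    for entry in os.scandir(app_dir):
        name = entry.name.lower()
        if entry.is_file() and name.endswith(".dll") and name in system_dlls:
            hits.append(name)
    return sorted(hits)


def build_sample_dir():
    """Create a constructed application folder: one executable, one
    benign plugin DLL and one DLL that shadows a system DLL."""
    app_dir = tempfile.mkdtemp(prefix="app-sample-")
    for name in ("app.exe", "plugin.dll", "version.dll"):
        with open(os.path.join(app_dir, name), "wb") as fh:
            fh.write(b"MZ")  # placeholder PE magic, constructed content
    return app_dir


if __name__ == "__main__":
    sample = build_sample_dir()
    print(find_shadowing_dlls(sample))  # ['version.dll']
```

Any hit should be followed up by checking the file's Authenticode signature and comparing its hash against the copy in System32, which this heuristic deliberately does not attempt offline.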
These tactics have enabled Tick to remain active for more than a decade and pose a significant threat to government and military entities in East Asia and beyond.