Tick

Threat Actor updated 3 months ago (2024-06-18T16:17:36.620Z)
Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware families within compromised networks, specifically those of software companies. Its operations involve a Delphi backdoor whose Command & Control (C&C) servers have been hosted on domains such as www.averyspace[.]net and www.komdsecko[.]net. The picture is further complicated by the many unrelated uses of the term "tick" in security reporting. For instance, Agent Tesla, a type of malware, calculates the difference between two tick counts to determine whether it is being debugged or run in a virtual machine. In another context, social media platforms such as X (formerly Twitter) use a gold tick to denote a 'Verified Organization,' while Gmail uses a blue verified tick mark to improve email delivery rates and domain reputation. Safety ratings on platforms such as Facebook are also expressed in ticks, with one tick indicating a lower safety rating compared to platforms such as Amazon, Lazada, and Qoo10, which hold the highest rating of four ticks. Changes in the verification process on social media platforms also affect the threat landscape. The old "Twitter Blue" program assigned blue ticks to verified accounts for free, but after Elon Musk bought Twitter in October 2022 and renamed it X, he introduced a new model: personal accounts can now get a blue tick for an $8 monthly fee, without identity verification. This lack of verification could allow malicious actors to masquerade as legitimate entities, increasing the risk of impersonation-based attacks.
Description last updated: 2024-06-18T16:16:31.857Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
REDBALDKNIGHT
2
REDBALDKNIGHT, also known as BRONZE BUTLER or Tick, is an Advanced Persistent Threat (APT) group that has been active since at least 2006. The group primarily targets countries in the Asia Pacific region, with a significant focus on Japanese organizations from as early as 2008. They are known for th
BRONZE BUTLER
2
Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focusing on cyberespionage against Japanese enterprises. In March 2023, ESET reported an operation by Bronze Butler that compromised the update server of an East Asian Data Loss Prevention (DLP) company, notably serving gov
Tonto Team
2
Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Twitter
Windows
Malware
Payload
Exploit
Analyst Notes & Discussion
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Proxylogon | Unspecified
2
ProxyLogon is a significant software vulnerability, specifically a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. Identified as CVE-2021-26855, it forms part of the ProxyLogon exploit chain and allows attackers to bypass authentication mechanisms and impersonate users
Source Document References
Information about the Tick Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Preview | Source Link | Created At | Title
InfoSecurity-magazine
3 months ago
Fake Meeting Software Spreads macOS Infostealer
Fortinet
3 months ago
New Agent Tesla Campaign Targeting Spanish-Speaking People | Fortinet Blog
CERT-EU
6 months ago
'Do right by your users': Sun Xueling criticises Meta for not doing enough to fight Facebook scams
CERT-EU
8 months ago
Top 4 Domain Security Solutions for Businesses in 2024
CERT-EU
8 months ago
Techrights — Links 16/01/2024: Surveillance Concerns and Software Patents Thrown Out Again
CERT-EU
8 months ago
Mandiant says X account brute forced without 2FA protection
CERT-EU
8 months ago
ICO reprimands for data breaches will not keep cyber-criminals out or encourage companies to ensure robust cyber-defences – Global Security Mag Online
CERT-EU
8 months ago
AI, Telecom, and Urban Development: Insights from Metro Edge’s CEO Craig Huffman Ahead of PTC’24 | Data Center POST
CERT-EU
8 months ago
Hacked X accounts with gold checkmarks are for sale on the dark web, says study | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
8 months ago
From Data to Design: Inside PowerHouse Data Centers’ Approach to Next-Gen Technology and Infrastructure Ahead of PTC’24 | Data Center POST
CERT-EU
8 months ago
The 10 largest crypto hacks and exploits of 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU
8 months ago
Top 10 OODAcasts Episodes of 2023
CERT-EU
8 months ago
Today’s Cache | Why ransomware attacks on Indian IT firms are concerning?; Google, X ads promoting sites with crypto malware; U.S. court rules Twitter breached contract over failure to pay bonuses | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU
9 months ago
Crypto drainer steals $59 million from 63k people in Twitter ad push
MITRE
9 months ago
A Summary of APT41 Targeting U.S. State Governments
CERT-EU
9 months ago
Cybercrime: Orkney community trust lost £119,000 overnight
CERT-EU
9 months ago
Taking Security Best Practice During Festive Season
CERT-EU
9 months ago
Connecting the Dots: Alan Gibbemeyer Explores Telescent’s Automated Solutions and the Future of Telecom Ahead of PTC’24 | Data Center POST