Tick

Threat Actor updated a month ago (2024-11-29T13:53:14.009Z)
Download STIX
Preview STIX
Tick, also known as BRONZE BUTLER, is a threat actor believed to originate from the People's Republic of China. This group has been linked to cyber-espionage activities and is known for deploying a variety of tools and malware families in their operations. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have investigated several instances where Tick compromised software companies' networks. The group uses sophisticated techniques such as selecting an IP address within a CIDR block based on the infected computer's tick count, a strategy used by the KEYPLUG malware. The group operates Command & Control (C&C) servers via websites like www.averyspace[.]net and www.komdsecko[.]net, using them to control the Delphi backdoor they install on compromised systems. The decision to activate the backdoor is made based on various system information such as CPUID, whether it's running on a Virtual Machine, OS version, number of processors, tick count, and other factors. Another tool in their arsenal, Agent Tesla, calculates the difference between two tick counts before and after sleeping for ten milliseconds to detect whether it is being debugged or running in a virtual machine. It's worth noting that the term "tick" is also used in different contexts unrelated to the threat actor. For instance, Vortax, an enterprise-focused alternative to video chat services, has a gold tick on X (formerly Twitter), indicating it's a 'Verified Organization.' Similarly, Facebook has a safety rating of one tick, compared with platforms like Amazon, Lazada, and Qoo10 which have the highest rating of four ticks. Lastly, the term is also used in relation to email delivery rates and domain reputation improvement, as well as in the context of tick-borne encephalitis cases.
Description last updated: 2024-10-23T13:02:08.152Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
REDBALDKNIGHT is a possible alias for Tick. REDBALDKNIGHT, also known as BRONZE BUTLER or Tick, is an Advanced Persistent Threat (APT) group that has been active since at least 2006. The group primarily targets countries in the Asia Pacific region, with a significant focus on Japanese organizations from as early as 2008. They are known for th
2
BRONZE BUTLER is a possible alias for Tick. Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focusing on cyberespionage against Japanese enterprises. In March 2023, ESET reported an operation by Bronze Butler that compromised the update server of an East Asian Data Loss Prevention (DLP) company, notably serving gov
2
Tonto Team is a possible alias for Tick. Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Twitter
Windows
Malware
Payload
Exploit
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The KEYPLUG Malware is associated with Tick. KeyPlug is a sophisticated malware developed by APT41, also known as the Chinese RedGolf Group. It's written in C++ and supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. The malware was primarily used to target Windows systems, specUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Proxylogon Vulnerability is associated with Tick. ProxyLogon is a serious software vulnerability, specifically an exploit chain in Microsoft Exchange Server. The chain includes CVE-2021-26855, a server-side request forgery (SSRF) vulnerability that allows attackers to bypass authentication and impersonate users, along with other vulnerabilities sucUnspecified
2
Source Document References
Information about the Tick Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
2 months ago
Yori
3 months ago
Yori
3 months ago
InfoSecurity-magazine
6 months ago
Fortinet
7 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
MITRE
a year ago