Tick

Threat Actor updated a month ago (2024-09-20T19:01:15.212Z)
Tick, also known as BRONZE BUTLER, is a threat actor group likely originating from the People's Republic of China. This group has been associated with deploying various tools and malware families in compromised networks, notably within software companies. The group uses sophisticated methods such as KEYPLUG, which selects an IP address within a CIDR block based on the infected computer's tick count. Additionally, Tick controls Delphi backdoor Command and Control (C&C) servers hosted on domains like www.averyspace[.]net and www.komdsecko[.]net, further illustrating their advanced cyber capabilities. The investigation of Tick's activities was carried out by Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers.

Notably, Tick's operations have implications for various sectors, including social media platforms. For instance, Vortax, an enterprise-focused video chat service provider, is identified as having a gold tick, indicating it is a 'Verified Organization' on X (formerly Twitter). However, this verification does not necessarily protect against Tick's activities, as demonstrated by Facebook's low safety rating of one tick compared to other platforms like Amazon, Lazada, and Qoo10, which have the highest rating of four ticks.

Regulatory compliance and proactive cybersecurity measures are essential in combating threat actors like Tick. As Thompson concluded, organizations must move beyond treating regulation as a tick-box exercise and view it as a starting point for their cyber defenses. This approach is crucial given the increasing sophistication of threat actors and the potential consequences for businesses that fail to adhere to regulations. Despite these challenges, there is room for improvement, such as enhancing email delivery rates and domain reputation, and securing Gmail's blue verified tick mark with BIMI 3.
Description last updated: 2024-09-20T18:17:46.681Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias | Description | Votes
REDBALDKNIGHT | REDBALDKNIGHT is a possible alias for Tick. REDBALDKNIGHT, also known as BRONZE BUTLER or Tick, is an Advanced Persistent Threat (APT) group that has been active since at least 2006. The group primarily targets countries in the Asia Pacific region, with a significant focus on Japanese organizations from as early as 2008. They are known for th | 2
BRONZE BUTLER | BRONZE BUTLER is a possible alias for Tick. Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focusing on cyberespionage against Japanese enterprises. In March 2023, ESET reported an operation by Bronze Butler that compromised the update server of an East Asian Data Loss Prevention (DLP) company, notably serving gov | 2
Tonto Team | Tonto Team is a possible alias for Tick. Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt, Twitter, Windows, Malware, Payload, Exploit
Associated Malware
Alias | Description | Association Type | Votes
KEYPLUG | The KEYPLUG Malware is associated with Tick. KeyPlug is a sophisticated malware developed by APT41, also known as the Chinese RedGolf Group. It's written in C++ and supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. The malware was primarily used to target Windows systems, spec | Unspecified | 2
Associated Vulnerabilities
Alias | Description | Association Type | Votes
ProxyLogon | The Proxylogon Vulnerability is associated with Tick. ProxyLogon is a significant vulnerability in the design and implementation of software, specifically within Microsoft Exchange Server. CVE-2021-26855, a part of the ProxyLogon exploit chain, is a server-side request forgery (SSRF) vulnerability that allows attackers to bypass authentication mechanis | Unspecified | 2
Source Document References
Information about the Tick Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source | Created
Yori | a month ago
Yori | a month ago
InfoSecurity-magazine | 4 months ago
Fortinet | 4 months ago
CERT-EU | 8 months ago
CERT-EU | 8 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 10 months ago
CERT-EU | 10 months ago
CERT-EU | 10 months ago
CERT-EU | 10 months ago
CERT-EU | 10 months ago
CERT-EU | 10 months ago
MITRE | 10 months ago
CERT-EU | 10 months ago