Tick

Threat Actor updated a month ago (2024-10-24T14:40:17.121Z)

Download STIX

Preview STIX

Tick, also known as BRONZE BUTLER, is a threat actor believed to originate from the People's Republic of China. This group has been linked to cyber-espionage activities and is known for deploying a variety of tools and malware families in their operations. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have investigated several instances where Tick compromised software companies' networks. The group uses sophisticated techniques such as selecting an IP address within a CIDR block based on the infected computer's tick count, a strategy used by the KEYPLUG malware. The group operates Command & Control (C&C) servers via websites like www.averyspace[.]net and www.komdsecko[.]net, using them to control the Delphi backdoor they install on compromised systems. The decision to activate the backdoor is made based on various system information such as CPUID, whether it's running on a Virtual Machine, OS version, number of processors, tick count, and other factors. Another tool in their arsenal, Agent Tesla, calculates the difference between two tick counts before and after sleeping for ten milliseconds to detect whether it is being debugged or running in a virtual machine. It's worth noting that the term "tick" is also used in different contexts unrelated to the threat actor. For instance, Vortax, an enterprise-focused alternative to video chat services, has a gold tick on X (formerly Twitter), indicating it's a 'Verified Organization.' Similarly, Facebook has a safety rating of one tick, compared with platforms like Amazon, Lazada, and Qoo10 which have the highest rating of four ticks. Lastly, the term is also used in relation to email delivery rates and domain reputation improvement, as well as in the context of tick-borne encephalitis cases.

Description last updated: 2024-10-23T13:02:08.152Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
REDBALDKNIGHT is a possible alias for Tick. REDBALDKNIGHT, also known as BRONZE BUTLER or Tick, is an Advanced Persistent Threat (APT) group that has been active since at least 2006. The group primarily targets countries in the Asia Pacific region, with a significant focus on Japanese organizations from as early as 2008. They are known for th	2
BRONZE BUTLER is a possible alias for Tick. Bronze Butler, also known as Tick, is a sophisticated threat actor primarily focusing on cyberespionage against Japanese enterprises. In March 2023, ESET reported an operation by Bronze Butler that compromised the update server of an East Asian Data Loss Prevention (DLP) company, notably serving gov	2
Tonto Team is a possible alias for Tick. Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Twitter

Windows

Malware

Payload

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The KEYPLUG Malware is associated with Tick. KeyPlug is a sophisticated malware developed by APT41, also known as the Chinese RedGolf Group. It's written in C++ and supports multiple network protocols for command and control (C2) traffic, including HTTP, TCP, KCP over UDP, and WSS. The malware was primarily used to target Windows systems, spec	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Proxylogon Vulnerability is associated with Tick. ProxyLogon is a significant software vulnerability that was discovered in Microsoft Exchange Server. It is part of an exploit chain, including CVE-2021-26855, which is a server-side request forgery (SSRF) vulnerability. This flaw allows attackers to bypass authentication mechanisms and impersonate u	Unspecified	2

Source Document References

Information about the Tick Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securelist	a month ago	Lazarus APT steals cryptocurrency and user data via a decoy MOBA game
Yori	2 months ago	Uncovering an undetected KeyPlug implant attacking industries in Italy - Yoroi
Yori	2 months ago	Uncovering an undetected KeyPlug implant attacking industries in Italy - Yoroi
InfoSecurity-magazine	5 months ago	Fake Meeting Software Spreads macOS Infostealer
Fortinet	5 months ago	New Agent Tesla Campaign Targeting Spanish-Speaking People \| Fortinet Blog
CERT-EU	9 months ago	'Do right by your users': Sun Xueling criticises Meta for not doing enough to fight Facebook scams
CERT-EU	9 months ago	'Do right by your users': Sun Xueling criticises Meta for not doing enough to fight Facebook scams
CERT-EU	10 months ago	Top 4 Domain Security Solutions for Businesses in 2024
CERT-EU	10 months ago	Techrights — Links 16/01/2024: Surveillance Concerns and Software Patents Thrown Out Again
CERT-EU	10 months ago	Mandiant says X account brute forced without 2FA protection
CERT-EU	10 months ago	ICO reprimands for data breaches will not keep cyber-criminals out or encourage companies to ensure robust cyber-defences – Global Security Mag Online
CERT-EU	10 months ago	AI, Telecom, and Urban Development: Insights from Metro Edge’s CEO Craig Huffman Ahead of PTC’24 \| Data Center POST
CERT-EU	10 months ago	Hacked X accounts with gold checkmarks are for sale on the dark web, says study \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Hacked X accounts with gold checkmarks are for sale on the dark web, says study \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	From Data to Design: Inside PowerHouse Data Centers’ Approach to Next-Gen Technology and Infrastructure Ahead of PTC’24 \| Data Center POST
CERT-EU	a year ago	The 10 largest crypto hacks and exploits of 2023 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	Top 10 OODAcasts Episodes of 2023
CERT-EU	a year ago	Today’s Cache \| Why ransomware attacks on Indian IT firms are concerning?; Google, X ads promoting sites with crypto malware; U.S. court rules Twitter breached contract over failure to pay bonuses \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Crypto drainer steals $59 million from 63k people in Twitter ad push
MITRE	a year ago	A Summary of APT41 Targeting U.S. State Governments