The Tick group, also known as Bald Knight, Bronze Butler, Nian, and RedBaldKnight, is a threat actor whose main targets are institutions and companies in Korea and Japan. The group became publicly known in 2016, although its first attacks on Korea date back to 2008; its activity was first confirmed in 2014.
The Tick group has used a range of malware for more than 10 years, including Bisodown (Homam), Daserf, Datper, Gofarer, NetBoy (Invader), Tickusb, and Xxmm, and various security vendors have reported on the group's activities, its malware, and its malware builders.
The group's activities in Japan have been researched and disclosed to some extent, but its attacks on its other main target, Korea, have received far less attention. The attack methods, malware, and techniques used against Korea and Japan share common characteristics, but there are also clear differences. In both countries, the group generated malware files tens or hundreds of megabytes in size in an attempt to evade security products. However, it has also used strategies specific to each country, such as exploiting vulnerabilities in asset management software widely used in Japan and targeting a secure USB drive product in Korea.
In this presentation, I will talk about the Tick group's attack vectors, its major activities in East Asia with a focus on Korea, the characteristics of its malware, and its techniques for bypassing security products. I will also share some new information about the group that it mistakenly exposed through various internal tools. I believe that sharing information is essential for minimizing future damage, so today I will share my findings with a focus on Korea.