[r0ny]

Tracking Tick Through Recent Campaigns Targeting East Asia

Since 2016, an advanced threat group that Cisco Talos is tracking has carried out cyberattacks against South Korea and Japan. This group is known by several different names: Tick, Redbaldknight and Bronze Butler.
Although each campaign employed custom tools, Talos has observed recurring patterns in the actor's use of infrastructure, from overlaps in hijacked command and control (C2) domains to differing campaign C2s resolving to the same IP. These infrastructure patterns indicate similarities between the Datper, xxmm backdoor, and Emdivi malware families.

IOCs:

Code: Select all

5a6990bfa2414d133b5b7b2c25a6e2dccc4f691ed4e3f453460dee2fbbcf616d
2f6745ccebf8e1d9e3e5284a895206bbb4347cf7daa2371652423aa9b94dfd3d
a52c3792d8cef6019ce67203220dc191e207c6ddbdfa51ac385d9493ffe2a83a
e71be765cf95bef4900a1cef8f62e263a71d1890a3ecb5df6666b88190e1e53c
9b8c1830a3b278c2eccb536b5abd39d4033badca2138721d420ab41bb60d8fd2
1df4678d7210a339acf5eb786b4f7f1b31c079365bb99ab8028018fa0e849f2e

Thanks,

[Antelox]

BR,

Antelox