You would be wise not to visit Japanese websites at present, as security researchers from Symantec have discovered a persistent spear-phishing campaign run by a group of hackers calling themselves Tick.
Using a tailor-made malware called Daserf, the hackers appear to have begun their operations more than a decade ago but have kept their profile hidden from most security vendors, which is why Symantec classifies the long-running campaign as cyber espionage. The victims include the technology, aquatic engineering, and mass media sectors of the country.
How did the group manage to hit their victims? According to researchers at Symantec, Tick set out by sending spear-phishing emails that contain harmful links and attachments intended to expand the number of its victims. The group is also said to employ a variety of tools designed to spy on the network of a victim organization and expand its access through privilege escalation tactics.
The goal is to pilfer information from the compromised machines: a Trojan delivered with the attack transmits stolen data to the command and control server managed by the Tick group. The Daserf malware attempts to open backdoor access for the attackers, letting them reach into the target organization's network over a remote connection to the hacker-controlled servers.
Once installed on a machine, the malware creates an install directory into which the hackers deploy several hacktools, such as Mimikatz, GSecdump, and Windows Credential Editor, to escalate privileges and push deeper into the network. Based on the results of a forensic investigation conducted by Symantec, the attackers have managed to steal crucial data, in the form of PowerPoint presentations, from various organizations in Japan.
Like most advanced persistent threats, the Daserf Trojan keeps a low profile to prevent antivirus tools from detecting its operations. It packages stolen information into password-protected .rar files and gives them file names that borrow a legitimate appearance from programs already installed on Windows computers, such as Intel or Adobe log files.
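A defender who wants to hunt for this kind of staging can look for exactly the combination the report describes: a RAR archive that is password-protected and carries a vendor-log-style name. The following is an added example, not Symantec's code or any Tick artifact; it walks RAR 4.x block headers to detect encryption flags, and the name pattern and sample archives are constructed assumptions for illustration.

```python
import re
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"   # RAR 4.x signature block
MHD_PASSWORD = 0x0080               # main header flag: block headers encrypted
LHD_PASSWORD = 0x0004               # file header flag: entry data encrypted
LONG_BLOCK = 0x8000                 # block carries an ADD_SIZE field
# Assumed heuristic for the Intel/Adobe-style log names the report describes.
LOOKALIKE_NAME = re.compile(r"^(intel|adobe)[\w-]*\.(log|txt|dat)$", re.IGNORECASE)

def scan_rar(data: bytes, filename: str) -> dict:
    """Walk RAR 4.x headers; report password protection and lookalike naming."""
    result = {"is_rar": data.startswith(RAR4_MARKER), "headers_encrypted": False,
              "encrypted_files": [], "suspicious": False,
              "lookalike_name": bool(LOOKALIKE_NAME.match(filename))}
    if not result["is_rar"]:
        return result
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or htype == 0x7B:        # malformed header or end-of-archive block
            break
        if htype == 0x73 and flags & MHD_PASSWORD:
            result["headers_encrypted"] = True  # nothing after this point is readable
            break
        add_size = 0
        if htype == 0x74:                     # file header: PACK_SIZE ... NAME_SIZE follow
            add_size, _unp, _os, _crc32, _ft, _ver, _meth, name_len, _attr = \
                struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 32 + (8 if flags & 0x100 else 0)  # skip HIGH_*_SIZE if present
            if flags & LHD_PASSWORD:
                result["encrypted_files"].append(data[name_off:name_off + name_len].decode("latin-1"))
        elif flags & LONG_BLOCK:
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        pos += hsize + add_size
    protected = result["headers_encrypted"] or bool(result["encrypted_files"])
    result["suspicious"] = protected and result["lookalike_name"]
    return result

def _block(htype: int, flags: int, body: bytes = b"") -> bytes:
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body

def _file_block(name: bytes, flags: int, packed: bytes) -> bytes:
    body = struct.pack("<IIBIIBBHI", len(packed), len(packed), 0, 0, 0, 29, 0x30, len(name), 0x20)
    return _block(0x74, flags, body + name) + packed

# Constructed fixtures (not real Tick samples): encrypted headers, one encrypted entry, plain.
SAMPLE_ENCRYPTED_HEADERS = RAR4_MARKER + _block(0x73, MHD_PASSWORD, b"\0" * 6)
SAMPLE_ENCRYPTED_ENTRY = (RAR4_MARKER + _block(0x73, 0, b"\0" * 6)
                          + _file_block(b"deck.pptx", LHD_PASSWORD, b"\0" * 16) + _block(0x7B, 0))
SAMPLE_PLAIN = (RAR4_MARKER + _block(0x73, 0, b"\0" * 6)
                + _file_block(b"notes.txt", 0, b"hello") + _block(0x7B, 0))
```

Run it over files dropped in unexpected locations (the Daserf install directory, temp folders, user profiles) and alert on `suspicious`; it reads only headers, so it never needs the archive password.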
Symantec said it has been trying to determine the command and control domains used by Tick to spread the malware, but because the hackers frequently go through domain brokers, the registration details of those domains cannot be identified. Most of the malware samples examined by the researchers were not digitally signed, though some were signed with stolen digital certificates.
Tick appears to be well enough funded to keep advancing its cyber-espionage capabilities, which points to a well-organized or state-sponsored group.