2022-07-18 by Unit 42 from Palo Alto Networks Unit 42
2021-04-20 by Stefan Soesanto from Twitter (@iiyonite)
2021-03-10 by Thomas Dupuy from ESET Research
2020 by SecureWorks from Secureworks
2019 by Cyber Operations Tracker from Council on Foreign Relations
2019 by MITRE ATT&CK from MITRE
2017-11-07 by Joey Chen from Trend Micro
2017-10-12 by CTU Research Team from Secureworks
2017-08-21 by Yu Nakamura from JPCERT/CC
2017-07-25 by Kaoru Hayashi from Palo Alto Networks Unit 42
2017-06-28 by SecureWorks from Secureworks
2016-04-28 by Jon DiMaggio from Symantec
2015-08-14 by Raytheon Blackbird Technologies from Raytheon Blackbird Technologies
Actor: Bronze Butler, Tick, RedBaldNight, Stalker Panda
Names: Bronze Butler, CTG-2006, Tick, TEMP.Tick, RedBaldNight, Stalker Panda
Country: China
Sponsor: State-sponsored, National University of Defense and Technology
Motivation: Information theft and espionage
First-seen: 2006
Description: (SecureWorks) CTU analysis indicates that Bronze Butler primarily targets organizations located in Japan. The threat group has sought unauthorized access to networks of organizations associated with critical infrastructure, heavy industry, manufacturing, and international relations. Secureworks analysts have observed Bronze Butler exfiltrating the following categories of data:
• Intellectual property related to technology and development
• Product specifications
• Sensitive business and sales-related information
• Network and system configuration files
• Email messages and meeting minutes
The focus on intellectual property, product details, and corporate information suggests that the group seeks information that they believe might be of value to competing organizations. The diverse targeting suggests that Bronze Butler may be tasked by multiple teams or organizations with varying priorities.
Observed-sectors: Critical infrastructure
Observed-sectors: Defense
Observed-sectors: Engineering
Observed-sectors: Government
Observed-sectors: High-Tech
Observed-sectors: Industrial
Observed-sectors: Manufacturing
Observed-sectors: Media
Observed-sectors: Technology
Observed-sectors: International relations
Observed-countries: China
Observed-countries: Hong Kong
Observed-countries: Japan
Observed-countries: Russia
Observed-countries: Singapore
Observed-countries: South Korea
Observed-countries: Taiwan
Observed-countries: USA
Tools: 9002 RAT
Tools: 8.t Dropper
Tools: Blogspot
Tools: Daserf
Tools: Datper
Tools: Elirks
Tools: Gh0st RAT
Tools: gsecdump
Tools: HomamDownloader
Tools: Lilith RAT
Tools: Mimikatz
Tools: Minzen
Tools: rarstar
Tools: ShadowPad Winnti
Tools: SymonLoader
Tools: Windows Credentials Editor
Operations: 2015-07
Operations: Symantec discovered the most recent wave of Tick attacks in July 2015, when the group compromised three different Japanese websites with a Flash (.swf) exploit to mount watering hole attacks. Visitors to these websites were infected with a downloader known as Gofarer (Downloader.Gofarer). Gofarer collects information about the compromised computer and then downloads and installs Daserf. https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan
Operations: 2017-04
Operations: Wali is a backdoor used for targeted attacks. It gathers information about the compromised machines and their networks, in addition to stealing sensitive information and credentials. Wali’s operators use this information to move laterally in an organization and compromise more machines. https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors
Operations: 2017-11
Operations: Daserf's infection chain evolved accordingly. It has several methods for infecting its targets of interest: spear phishing emails, watering hole attacks, and exploiting a remote code execution vulnerability (CVE-2016-7836, patched in March 2017) in SKYSEA Client View, an IT asset management software widely used in Japan. https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/
Operations: 2018-06
Operations: Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/
Operations: 2019
Operations: Operation “ENDTRADE” By the first half of 2019, we found that the group was able to zero in on specific industries in Japan from which it could steal proprietary information and classified data. We named this campaign “Operation ENDTRADE,” based on its targets. https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf
Operations: 2019-06
Operations: Breach of Mitsubishi Electric https://www.zdnet.com/article/mitsubishi-electric-discloses-security-breach-china-is-main-suspect/
Operations: 2021-02
Operations: Exchange servers under siege from at least 10 APT groups https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
Operations: 2021-03
Operations: The slow Tick‑ing time bomb: Tick APT group compromise of a DLP software developer in East Asia https://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/ https://asec.ahnlab.com/en/51340/
Counter-operations: 2021-04
Counter-operations: Tokyo police referred a Chinese man, who is a member of the Chinese Communist Party, to prosecutors Tuesday over his alleged involvement in the cyberattacks, they said. https://www.japantimes.co.jp/news/2021/04/20/national/chinese-military-japan-cyberattacks/
Information: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
Information: https://unit42.paloaltonetworks.com/unit42-tick-group-continues-attacks/
Information: https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html
Mitre-attack: https://attack.mitre.org/groups/G0060/
Playbook: https://pan-unit42.github.io/playbook_viewer/?pb=tick
Last-card-change: 2023-04-26
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
ATT&CK techniques (MITRE G0060), by tactic:
Reconnaissance (TA0043): none listed
Resource Development (TA0042):
• T1588.002 Obtain Capabilities: Tool. Bronze Butler has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credentials Editor.
Initial Access (TA0001):
• T1189 Drive-by Compromise. Bronze Butler compromised three Japanese websites using a Flash exploit to perform watering hole attacks.
• T1566.001 Phishing: Spearphishing Attachment. Bronze Butler used spearphishing emails with malicious Microsoft Word attachments to infect victims.
Execution (TA0002):
• T1059.001 Command and Scripting Interpreter: PowerShell. Bronze Butler has used PowerShell for execution.
• T1059.003 Command and Scripting Interpreter: Windows Command Shell. Bronze Butler has used batch scripts and the command-line interface for execution.
• T1059.005 Command and Scripting Interpreter: Visual Basic. Bronze Butler has used VBS and VBE scripts for execution.
• T1059.006 Command and Scripting Interpreter: Python. Bronze Butler has made use of Python-based remote access tools.
• T1203 Exploitation for Client Execution. Bronze Butler has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.
• T1053.002 Scheduled Task/Job: At. Bronze Butler has used at to register a scheduled task to execute malware during lateral movement.
• T1053.005 Scheduled Task/Job: Scheduled Task. Bronze Butler has used schtasks to register a scheduled task to execute malware during lateral movement.
• T1204.002 User Execution: Malicious File. Bronze Butler has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.
Persistence (TA0003):
• T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. Bronze Butler has used a batch script that adds a registry Run key to establish malware persistence.
• T1574.002 Hijack Execution Flow: DLL Side-Loading. Bronze Butler has used legitimate applications to side-load malicious DLLs.
• T1053.002 Scheduled Task/Job: At (as under Execution).
• T1053.005 Scheduled Task/Job: Scheduled Task (as under Execution).
Privilege Escalation (TA0004):
• T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control. Bronze Butler has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.
• T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (as under Persistence).
• T1574.002 Hijack Execution Flow: DLL Side-Loading (as under Persistence).
• T1053.002 Scheduled Task/Job: At (as under Execution).
• T1053.005 Scheduled Task/Job: Scheduled Task (as under Execution).
Defense Evasion (TA0005):
• T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control (as under Privilege Escalation).
• T1140 Deobfuscate/Decode Files or Information. Bronze Butler downloads encoded payloads and decodes them on the victim.
• T1574.002 Hijack Execution Flow: DLL Side-Loading (as under Persistence).
• T1562.001 Impair Defenses: Disable or Modify Tools. Bronze Butler has incorporated code into several tools that attempts to terminate anti-virus processes.
• T1070.004 Indicator Removal: File Deletion. The Bronze Butler uploader, or the malware it deploys, runs a command to delete the RAR archives after they have been exfiltrated.
• T1036 Masquerading. Bronze Butler has masked executables with document file icons, including Word and Adobe PDF.
• T1036.002 Masquerading: Right-to-Left Override. Bronze Butler has used the right-to-left override character to deceive victims into executing several strains of malware.
• T1036.005 Masquerading: Match Legitimate Name or Location. Bronze Butler has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.
• T1027.001 Obfuscated Files or Information: Binary Padding. Bronze Butler downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.
• T1027.003 Obfuscated Files or Information: Steganography. Bronze Butler has used steganography in multiple operations to conceal malicious payloads.
• T1550.003 Use Alternate Authentication Material: Pass the Ticket. Bronze Butler has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.
Credential Access (TA0006):
• T1003.001 OS Credential Dumping: LSASS Memory. Bronze Butler has used various tools (such as Mimikatz and WCE) to perform credential dumping.
Discovery (TA0007):
• T1087.002 Account Discovery: Domain Account. Bronze Butler has used net user /domain to identify account information.
• T1083 File and Directory Discovery. Bronze Butler has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.
• T1518 Software Discovery. Bronze Butler has used tools to enumerate software installed on an infected host.
• T1124 System Time Discovery. Bronze Butler has used net time to check the local time on a target system.
Lateral Movement (TA0008):
• T1080 Taint Shared Content. Bronze Butler has placed malware on file shares and given it the same name as legitimate documents on the share.
• T1550.003 Use Alternate Authentication Material: Pass the Ticket (as under Defense Evasion).
Collection (TA0009):
• T1560.001 Archive Collected Data: Archive via Utility. Bronze Butler has compressed data into password-protected RAR archives prior to exfiltration.
Command and Control (TA0011):
• T1132.001 Data Encoding: Standard Encoding. Several Bronze Butler tools encode data with Base64 when posting it to a C2 server.
• T1573.001 Encrypted Channel: Symmetric Cryptography. Bronze Butler has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. Bronze Butler has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.
• T1105 Ingress Tool Transfer. Bronze Butler has used various tools to download files, including DGet (a tool similar to wget).
• T1102.001 Web Service: Dead Drop Resolver. Bronze Butler's MSGet downloader uses a dead drop resolver to access malicious payloads.
Exfiltration (TA0010): none listed
Impact (TA0040): none listed