Tick Tock - Activities of the Tick Cyber Espionage Group in East Asia Over the Last 10 Years

Minseok (Jacky) Cha / AhnLab

The Tick group, also known as Bald Knight, Bronze Butler, Nian, and RedBaldKnight, is a threat actor whose main targets are institutions and companies in Korea and Japan. The group became publicly known in 2016, although it first engaged in attacks on Korea in 2008, and its activity was first confirmed in 2014.

The Tick group has used various malware families, such as Bisodown (Homam), Daserf, Datper, Gofarer, NetBoy (Invader), Tickusb and Xxmm, for more than 10 years, and various security vendors have reported on this group's activities, malware, and malware builders.

The activities of this group in Japan have been researched and disclosed to some extent, but not as much as their attacks on their other main target, Korea. While the attack methods, malware, and techniques used in Korea and Japan share common characteristics, there are certainly differences. The attacks on both countries shared the same method of generating malware files that are large, tens or hundreds of megabytes in length, in an attempt to bypass security programs. However, the group has also used different strategies for each country, such as exploiting vulnerabilities in asset management software widely used in Japan and targeting a secure USB flash drive in Korea.

In this presentation, I will talk about the Tick group's attack vectors, their major activities in East Asia with a focus on Korea, the characteristics of their malware, and their techniques for bypassing security programs. I will also share some new information about the group that it mistakenly exposed through various internal tools and its habits.

November 7 at 14:00 - 14:30, Stage B

Minseok (Jacky) CHA: He is a Senior Principal Malware Researcher at AhnLab. He joined AhnLab as a malware analyst in 1997. His research mainly focuses on cyberattacks and threat actors in East Asia. He has been appointed as a member of the Private/Public Cooperative Investigation Group and the Cyber Expert Group in South Korea. He is a reporter for the WildList Organization International. He has been a member of the board of directors of AVAR (Association of Anti-Virus Asia Researchers) since 2018. He was awarded the ISC2 ISLA Asia-Pacific Information Security Practitioner Award in 2018. He is a speaker at security conferences, including AVAR, AVTOKYO, CARO Workshop, CODE BLUE, HITB GSEC Commsec, JSAC, SECUINSIDE, and Virus Bulletin. When he has free time, he enjoys old anime and video games.