An attack group is going after a secure USB drive built by a South Korean defense company, researchers said.
The group, tracked as Tick and also as Bronze Butler, is believed to be based in China and to have been active for at least a decade, although it was not publicly documented until April 2016, researchers at Palo Alto Networks said.
The group primarily targets Japan and South Korea, but variants of its malware have also been found in attacks on organizations in Russia, Singapore, and China.
Tick has been using custom malware families, including Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader.
The attempt to weaponize a secure USB drive is a different kind of attack from the group's usual tooling, the researchers said in a post, and that is why they believe the intent was to reach air-gapped systems, which cannot be reached over a network and typically receive software only through removable media.
The loader used in this attack targets only systems running Windows XP or Windows Server 2003, both of which are out of support.
Air-gapped systems are commonly used in many countries by governments, militaries, defense contractors, and other industry verticals, Palo Alto researchers said.
“Based on the data collected, we do not believe this malware is part of any active threat campaign,” Palo Alto said.
Although they do not have a complete picture of the past attack, the researchers believe Tick managed to compromise the secure USB drive model and load a malicious file onto an unknown number of devices, of a model that the researchers say is certified as secure by South Korea's ITSCC (IT Security Certification Center).
“Our picture of this past attack is incomplete at this time. Based on our research thus far, we are able to sketch out the following hypothesized attack scenario:
• The Tick Group somehow compromised a secure type of USB drive and loaded a malicious file onto an unknown number of them. These USB drives are supposed to be certified as secure by the South Korean ITSCC.
• The Tick Group created a specific malware we are calling SymonLoader that somehow gets on older Windows systems and continuously looks for these specific USB drives.
• SymonLoader specifically targets Windows XP and Windows Server 2003 systems ONLY.
• If SymonLoader detects the presence of a specific type of secure USB drive, it will attempt to load the unknown malicious file using APIs that directly access the file system.”
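A check a defender can run on removable media before it is carried to an isolated host, added here as an example; it is not code from the article or from Palo Alto Networks. It assumes a baseline manifest and device hash were recorded from known-clean media and are stored off the media, and it constructs its own file tree and raw device image in a temporary directory (labelled as constructed in the code) so it runs offline. Because the quoted scenario says the loader reaches its payload with APIs that directly access the file system, which suggests the payload need not be an ordinary, visible file, the example contrasts a per-file manifest of the mounted filesystem with a hash of the raw device image: only the latter catches data written outside any file.

```python
"""Removable-media integrity checks (added example, not from the article).

Two levels: a per-file SHA-256 manifest of everything visible through the
mounted filesystem, and a SHA-256 of the raw device image, which also covers
slack, unpartitioned and 'hidden' areas that no directory listing shows.
The media content and device image below are constructed for the demo.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size for streaming hashes


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    # Stream the file so large tool bundles or images need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file reachable through the mounted filesystem to its SHA-256.

    Paths are stored relative to root with '/' separators so a manifest
    written on one OS verifies on another.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, expected: dict) -> dict:
    """Compare the media against a baseline that is kept OFF the media.

    Returns the paths that were added, removed or modified; three empty
    lists mean the visible filesystem is unchanged.
    """
    actual = build_manifest(root)
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
    }


def raw_image_matches(image: bytes, expected_hash: str) -> bool:
    """Whole-device check. On a real drive, read the block device (for example
    /dev/sdX on Linux) rather than the mounted filesystem to get these bytes."""
    return sha256_bytes(image) == expected_hash


def demo() -> dict:
    """Constructed scenario: a clean baseline, then three kinds of tampering.
    The filesystem manifest sees the first two; only the raw hash sees the third."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed 'certified' media content (not real vendor files).
        os.makedirs(os.path.join(root, "tools"))
        with open(os.path.join(root, "README.txt"), "wb") as f:
            f.write(b"vendor tools\n")
        update = os.path.join(root, "tools", "update.bin")
        with open(update, "wb") as f:
            f.write(b"\x00" * 1024)
        baseline = build_manifest(root)

        # Constructed raw image: filesystem bytes followed by unallocated space.
        fs_bytes = b"FSDATA" * 100
        free_space = b"\x00" * 4096
        baseline_raw = sha256_bytes(fs_bytes + free_space)

        clean = verify_manifest(root, baseline)

        # 1. A dropped file that is visible through the filesystem.
        dropped = os.path.join(root, "tools", "helper.dll")
        with open(dropped, "wb") as f:
            f.write(b"MZ constructed payload")
        visible = verify_manifest(root, baseline)
        os.remove(dropped)

        # 2. A legitimate file silently replaced, then restored for the next step.
        with open(update, "wb") as f:
            f.write(b"\x00" * 1023 + b"\x01")
        modified = verify_manifest(root, baseline)
        with open(update, "wb") as f:
            f.write(b"\x00" * 1024)

        # 3. A payload written into unallocated space: the manifest is
        #    unchanged because no file changed, but the device hash is not.
        payload = b"constructed hidden payload"
        hidden_image = fs_bytes + payload + free_space[len(payload):]
        manifest_after_hidden = verify_manifest(root, baseline)

        return {
            "clean": clean,
            "visible_added": visible["added"],
            "modified": modified["modified"],
            "manifest_sees_hidden": any(manifest_after_hidden.values()),
            "raw_sees_hidden": not raw_image_matches(hidden_image, baseline_raw),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The baseline must be generated from media you trust and stored somewhere the media cannot touch; a manifest carried on the drive itself can be rewritten along with the payload. The raw-image hash is the stronger check but is only practical for media whose full contents are fixed, since any legitimate write changes it.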
Without a sample of a compromised USB drive or of the unknown malicious file, the researchers could not determine how the drives were compromised.
“Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering,” Palo Alto researchers said.
The loader was observed being installed by a Trojanized version of a legitimate Japanese-language Go game, first observed on January 21, 2018. Previously, the same Trojanized application had been seen dropping HomamDownloader, which can fetch and install additional malicious files from a remote command and control (C&C) server.