ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Bronze Butler, Tick, RedBaldNight, Stalker Panda

Names:
Bronze Butler (SecureWorks)
Tick (Symantec)
TEMP.Tick (FireEye)
RedBaldNight (Trend Micro)
Stalker Panda (Crowdstrike)

Country: China

Sponsor: State-sponsored, National University of Defense and Technology

Motivation: Information theft and espionage

First seen: 2010
Description: (SecureWorks) CTU analysis indicates that Bronze Butler primarily targets organizations located in Japan. The threat group has sought unauthorized access to networks of organizations associated with critical infrastructure, heavy industry, manufacturing, and international relations. Secureworks analysts have observed Bronze Butler exfiltrating the following categories of data:

• Intellectual property related to technology and development
• Product specification
• Sensitive business and sales-related information
• Network and system configuration files
• Email messages and meeting minutes

The focus on intellectual property, product details, and corporate information suggests that the group seeks information that they believe might be of value to competing organizations. The diverse targeting suggests that Bronze Butler may be tasked by multiple teams or organizations with varying priorities.
Observed:
Sectors: Critical infrastructure, Defense, Engineering, Government, High-Tech, Industrial, Manufacturing, Media, Technology and International relations.
Countries: China, Hong Kong, Japan, Russia, Singapore, South Korea, Taiwan, USA.

Tools used: 9002 RAT, 8.t Dropper, Blogspot, Daserf, Datper, Elirks, Gh0st RAT, gsecdump, HomamDownloader, Lilith RAT, Mimikatz, Minzen, rarstar, SymonLoader, Windows Credentials Editor.

Operations performed:

Jul 2015: Symantec discovered the most recent wave of Tick attacks in July 2015, when the group compromised three different Japanese websites with a Flash (.swf) exploit to mount watering hole attacks. Visitors to these websites were infected with a downloader known as Gofarer (Downloader.Gofarer). Gofarer collects information about the compromised computer and then downloads and installs Daserf.
<https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan>

Apr 2017: Wali is a backdoor used for targeted attacks. It gathers information about the compromised machines and their networks, in addition to stealing sensitive information and credentials. Wali's operators use this information to move laterally in an organization and compromise more machines.
<https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors>

Nov 2017: Daserf's infection chain accordingly evolved, as shown below. It has several methods for infecting its targets of interest: spear phishing emails, watering hole attacks, and exploiting a remote code execution vulnerability (CVE-2016-7836, patched last March 2017) in SKYSEA Client View, an IT asset management software widely used in Japan.
<https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/>

Jun 2018: Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems
<https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/>

2019: Operation "ENDTRADE"
By the first half of 2019, we found that the group was able to zero in on specific industries in Japan from which it could steal proprietary information and classified data. We named this campaign "Operation ENDTRADE," based on its targets.
<https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf>

Jun 2019: Breach of Mitsubishi Electric
<https://www.zdnet.com/article/mitsubishi-electric-discloses-security-breach-china-is-main-suspect/>

Information:
<https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses>
<https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/>
<https://unit42.paloaltonetworks.com/unit42-tick-group-continues-attacks/>
<https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html>
<https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf>

MITRE ATT&CK: <https://attack.mitre.org/groups/G0060/>

Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=tick>

Last change to this card: 22 April 2020
