Threat Group Cards: A Threat Actor Encyclopedia

APT group: Bronze Butler, Tick, RedBaldNight, Stalker Panda

Names	Bronze Butler (SecureWorks) Tick (Symantec) TEMP.Tick (FireEye) RedBaldNight (Trend Micro) Stalker Panda (Crowdstrike)
Country	China
Sponsor	State-sponsored, National University of Defense and Technology
Motivation	Information theft and espionage
First seen	2010
Description	(SecureWorks) CTU analysis indicates that Bronze Butler primarily targets organizations located in Japan. The threat group has sought unauthorized access to networks of organizations associated with critical infrastructure, heavy industry, manufacturing, and international relations. Secureworks analysts have observed Bronze Bulter exfiltrating the following categories of data: • Intellectual property related to technology and development • Product specification • Sensitive business and sales-related information • Network and system configuration files • Email messages and meeting minutes The focus on intellectual property, product details, and corporate information suggests that the group seeks information that they believe might be of value to competing organizations. The diverse targeting suggests that Bronze Bulter may be tasked by multiple teams or organizations with varying priorities.
Observed	Sectors: Critical infrastructure, Defense, Engineering, Government, High-Tech, Industrial, Manufacturing, Media, Technology and International relations. Countries: China, Hong Kong, Japan, Russia, Singapore, South Korea, Taiwan, USA.
Tools used	9002 RAT, 8.t Dropper, Blogspot, Daserf, Datper, Elirks, Gh0st RAT, gsecdump, HomamDownloader, Lilith RAT, Mimikatz, Minzen, rarstar, SymonLoader, Windows Credentials Editor.
Operations performed	Jul 2015	Symantec discovered the most recent wave of Tick attacks in July 2015, when the group compromised three different Japanese websites with a Flash (.swf) exploit to mount watering hole attacks. Visitors to these websites were infected with a downloader known as Gofarer (Downloader.Gofarer). Gofarer collects information about the compromised computer and then downloads and installs Daserf. <https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan>
	Apr 2017	Wali is a backdoor used for targeted attacks. It gathers information about the compromised machines and their networks, in addition to stealing sensitive information and credentials. Wali’s operators use this information to move laterally in an organization and compromise more machines. <https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors>
	Nov 2017	Daserf’s infection chain accordingly evolved, as shown below. It has several methods for infecting its targets of interest: spear phishing emails, watering hole attacks, and exploiting a remote code execution vulnerability (CVE-2016-7836, patched last March 2017) in SKYSEA Client View, an IT asset management software widely used in Japan. <https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/>
	Jun 2018	Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems <https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/>
	2019	Operation “ENDTRADE” By the first half of 2019, we found that the group was able to zero in on specific industries in Japan from which it could steal proprietary information and classified data. We named this campaign “Operation ENDTRADE,” based on its targets. <https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf>
	Jun 2019	Breach of Mitsubishi Electric <https://www.zdnet.com/article/mitsubishi-electric-discloses-security-breach-china-is-main-suspect/>
Information	<https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses> <https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/> <https://unit42.paloaltonetworks.com/unit42-tick-group-continues-attacks/> <https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html> <https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf>
MITRE ATT&CK	<https://attack.mitre.org/groups/G0060/>
Playbook	<https://pan-unit42.github.io/playbook_viewer/?pb=tick>

Last change to this card: 22 April 2020

Download this actor card in PDF or JSON format

Previous: Bookworm
Next: Buhtrap, Ratopak Spider