The malware used by the Tick group in this attack intentionally targets systems running older versions of Microsoft Windows (Windows XP or Windows Server 2003) on air-gapped computers that have no internet connectivity.
Palo Alto Networks found that the Tick group targeted a specific type of secure USB drive created by a South Korean defense company. Researchers believe this is not an active campaign and that the Tick group used the malware a couple of years earlier.
Tick Group Infection Process
The Tick group uses customized malware dubbed SymonLoader that specifically targets Windows XP and Windows Server 2003 systems only. SymonLoader monitors the storage devices attached to the compromised system; if it detects an infected USB drive, it loads the malicious files from that drive using APIs.
“We do not currently have either a compromised USB drive or the unknown malicious file we believe is implanted on these devices. Because of this, we are unable to describe the full attack sequence.”
The group is well-known for conducting various attack campaigns with custom malware such as Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader.
The Tick group uses Trojanized legitimate applications in its campaigns: in a July 2017 campaign the group used Trojanized legitimate Korean-language software, and in January 2018 it used a Trojanized version of a Japanese-language Go game.
The SymonLoader technique is uncommon: it attempts to extract and install an unknown hidden payload from a specific type of secure USB drive when that drive is plugged into a compromised system.
Palo Alto Networks has published a full analysis report, including the IoCs associated with the incident.