
ABK Downloader

Posted: March 24, 2020

Tick is the name of an Advanced Persistent Threat (APT) group that specializes in espionage attacks against high-profile targets in different regions. The group's goal appears to be gaining access to classified files and documents across various industries; one of its most significant attacks goes by the name 'Operation ENDTRADE,' and its victims were several large companies in Japan. One of the tools used in this particular campaign is the ABK Downloader, a Trojan downloader whose purpose is to deploy additional payloads onto a host whose security has already been compromised.

Most of the group's attacks that involved the ABK Downloader were carried out via phishing emails that were crafted carefully to increase the odds that the recipient would fall for them. Often, these emails carried an attached document or a download link to a file hosted on an external server. The documents appeared to exploit the vulnerabilities CVE-2018-0802 and CVE-2018-0798, which concern the Microsoft Equation Editor; on systems without up-to-date Microsoft Office software, these vulnerabilities could be used to execute remote code that would launch the ABK Downloader.

Often, APT groups use advanced techniques to evade sandboxes and malware analysis software; for example, they may check for the presence of specific drivers, devices, or processes that virtualization software commonly uses. Tick, on the other hand, has opted for a different tactic: the ABK Downloader payload is padded artificially so that it arrives as a file larger than 50MB. This figure was not chosen at random. Most anti-virus software avoids analyzing files larger than 50MB, so the padding may allow the ABK Downloader to slip past automated detection tools.
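The size-based evasion described above leaves a measurable trace: a binary inflated to clear a scanner's size limit is mostly filler, and filler has very low entropy compared with real code or compressed resources. The following Python script is an added example written for this article, not code from the page, from the Tick group, or from any vendor; it streams a file in 64KB chunks, measures the share of chunks whose Shannon entropy is near zero, and flags files that are both above the 50MB figure the article cites and mostly filler. The 50MB threshold is the page's number; the entropy cut-off (1.0 bit per byte), the padding fraction (80%), and the sample data built by `make_constructed_sample` are assumptions chosen for this example, and the page does not say how Tick's padding was structured, so the check is deliberately generic rather than tied to a particular file layout.

```python
"""Heuristic triage for artificially bloated executables (added example, not the page's code)."""
import math
import random
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# The 50MB figure is the page's number; the entropy and padding-fraction
# cut-offs are assumed heuristics chosen for this example.
SIZE_THRESHOLD = 50 * 1024 * 1024
CHUNK_SIZE = 64 * 1024
LOW_ENTROPY_BITS = 1.0   # Shannon entropy (bits/byte) below which a chunk is treated as filler
PADDING_FRACTION = 0.8   # share of filler chunks that makes a large file suspicious


def chunk_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte buffer in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


@dataclass
class BloatReport:
    size: int                    # total bytes examined
    low_entropy_fraction: float  # share of chunks that look like filler
    suspicious: bool             # large AND mostly filler


def _analyze(chunks: Iterable[bytes], size_threshold: int, padding_fraction: float) -> BloatReport:
    """Count filler chunks; flag when the sample is oversized and mostly filler."""
    total = low = count = 0
    for buf in chunks:
        total += len(buf)
        count += 1
        if chunk_entropy(buf) < LOW_ENTROPY_BITS:
            low += 1
    fraction = low / count if count else 0.0
    return BloatReport(total, fraction, total > size_threshold and fraction >= padding_fraction)


def analyze_bytes(data: bytes, size_threshold: int = SIZE_THRESHOLD,
                  padding_fraction: float = PADDING_FRACTION) -> BloatReport:
    """Analyze an in-memory sample."""
    return _analyze((data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)),
                    size_threshold, padding_fraction)


def analyze_file(path: str, size_threshold: int = SIZE_THRESHOLD,
                 padding_fraction: float = PADDING_FRACTION) -> BloatReport:
    """Analyze a file on disk, streaming it so a huge sample never has to fit in memory."""
    def stream():
        with open(path, "rb") as fh:
            while True:
                buf = fh.read(CHUNK_SIZE)
                if not buf:
                    return
                yield buf
    return _analyze(stream(), size_threshold, padding_fraction)


def make_constructed_sample(payload_chunks: int, padding_chunks: int, seed: int = 1) -> bytes:
    """Constructed test input: pseudo-random 'code' followed by zero-byte filler."""
    rng = random.Random(seed)
    payload = bytes(rng.getrandbits(8) for _ in range(payload_chunks * CHUNK_SIZE))
    return payload + b"\x00" * (padding_chunks * CHUNK_SIZE)


if __name__ == "__main__":
    # Usage: python bloat_check.py <file> [<file> ...]
    for target in sys.argv[1:]:
        report = analyze_file(target)
        print(f"{target}: {report.size} bytes, filler fraction "
              f"{report.low_entropy_fraction:.2f}, suspicious={report.suspicious}")
```

Because the verdict requires both size and a high filler share, legitimately large files such as installers or game assets, which are mostly high-entropy compressed data, are not flagged; a file padded with repeating junk rather than zeros still scores low entropy per chunk and is caught the same way. In a pipeline this check is a reason to force-submit an oversized sample for full scanning rather than a conviction on its own.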

Once ABK Downloader is initialized, it proceeds to download a secondary payload that is likely chosen according to the type of system infected. In some cases, the Tick hackers used a public Remote Access Trojan, while in other scenarios they relied on privately developed Trojan backdoors.
