A cyberespionage group called Bronze Butler has been targeting Japanese firms since 2012. However, there is not much information about the current activity of this group.
The Counter Threat Unit Research Team at SecureWorks (a subsidiary of Dell Technologies) provides the most recent information about the cyberespionage group, also known as Tick, in its latest report:
In the past 12 months, we investigated several intrusions carried out by the Bronze Butler threat group at various Japanese organizations. The group’s activities have largely remained undetected since at least 2012, but it has likely been active for much longer.
Bronze Butler is assessed to be operating out of the People's Republic of China. The group has concentrated on exfiltrating confidential information from businesses in Japan, mostly enterprises in heavy industry, critical infrastructure and manufacturing, and even organizations involved in international relations.
Researchers at SecureWorks describe the various methods and techniques used by Bronze Butler. The group has developed its skill set to the point of exploiting zero-day vulnerabilities, developing custom malware tools, and abusing a desktop management tool widely used by Japanese sysadmins.
Little else is known about Bronze Butler beyond its likely Chinese origin and its focus on Japanese enterprises. Researchers add that the group has used phishing, zero-day vulnerabilities and strategic web compromises to gain an initial foothold.
The group has used phishing emails with Flash animation attachments to download and execute (customized) malware, and has also leveraged Flash exploits in strategic web compromise attacks.
Bronze Butler was also observed exploiting a zero-day vulnerability in SKYSEA Client View, a corporate desktop management tool that is well known in Japan.
The fact that this threat group could discover and weaponize a vulnerability in a popular regional IT product gives further insight into the group's capability and its dedication to successfully compromising its targets.
The research team at SecureWorks also notes that the group is able to develop and deploy its own malware tools, such as Daserf. Daserf is a backdoor that gives the adversary remote control of an infected host: it can execute commands, download and upload files, log keystrokes and take screenshots.
In addition, the group has developed two related remote access Trojans, xxmm and Datper, which evolved from Daserf, according to Kaspersky Lab.
Palo Alto Networks has also published research on Bronze Butler by security researcher Kaoru Hayashi. According to Hayashi, Daserf has been observed sharing command-and-control infrastructure with the backdoors Minzen, Gh0st RAT and 9002 RAT, as well as with HomamDownloader.
Interestingly, the cyberespionage group targets sensitive business data:
"The focus on intellectual property, product details, and corporate information suggests that the group seeks information that they believe might be of value to competing organizations." It is also believed that the group has multiple goals.
Counter Threat Unit Research Team adds: “The extent of the group’s activities is probably still to be fully realized, so we assess that Bronze Butler is still an active and very capable component of the threat landscape.”