Cyber Incident Victim: LIG Nex1
Date: Sep 2012
Location: South Korea
Summary
The Tick cyberespionage group targeted a South Korean defense contractor by weaponizing secure USB drives certified under national security guidelines, aiming to compromise air-gapped systems. Attackers deployed trojanized legitimate software, including Korean-language industrial utilities and a Japanese GO game, to deliver SymonLoader malware, which ran only on outdated Windows XP and Server 2003 systems. Once installed, SymonLoader monitored for the insertion of proprietary secure USB devices and used direct storage access via vendor-specific drivers to extract and execute a hidden malicious payload from predetermined sectors on the drive. This technique allowed data extraction or further malware deployment in isolated networks by bypassing conventional file system controls, using the physical media as an infection vector between disconnected systems.
Description
The Tick cyberespionage group, known for targeting organizations in Japan and South Korea, conducted a campaign involving weaponized secure USB drives to compromise air-gapped systems. Between 2012 and 2018, the group deployed Trojanized legitimate software—including Korean-language industrial battery monitoring tools, storage encryption applications, and a Japanese GO game—to deliver malware onto victim systems. These applications installed either HomamDownloader (a known Tick malware) or a new loader called SymonLoader, which shared code with HomamDownloader. SymonLoader specifically targeted systems running outdated Windows XP or Windows Server 2003 operating systems, checking for these versions upon execution. Once active, it monitored for removable storage devices, excluding CD-ROMs and floppy drives (drive letters A/B), and used custom SCSI commands to identify USB drives manufactured by a specific South Korean defense contractor. These drives were ITSCC-certified for use in government, military, and critical infrastructure environments under South Korea’s secure USB guidelines.

Upon detecting a targeted USB drive, SymonLoader employed Logical Block Addressing (LBA) to read hidden data from predefined physical sectors on the device, bypassing standard file system APIs. It extracted an encrypted payload from sectors N-3 to N-4 of the drive, decrypted it, and saved the file to the host’s temporary directory for execution. The malware also wrote the compromised system’s hostname and local time to sector N-2 of the USB drive. Palo Alto Networks researchers confirmed the attack chain but lacked samples of the compromised USB drives or the final payload, leaving the full infection sequence and initial USB compromise method (supply-chain vs. post-manufacturing tampering) undetermined. The campaign’s focus on air-gapped systems—common in high-security environments with limited update capabilities—highlighted the exploitation of outdated software and physical media dependencies. Palo Alto Networks’ WildFire platform detected all malware samples, Traps provided endpoint protection, and AutoFocus tracked related indicators under the SymonLoader and HomamDownloader tags. No active campaigns involving this malware were observed at the time of reporting.
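The description above is enough to write a defensive triage check for removable media: SymonLoader hid its payload in sectors N-3 and N-4 and wrote a hostname/time marker to sector N-2, so a clean drive should have nothing but zeros there. The following script is an added example, not code from the report or from Palo Alto Networks; it assumes a 512-byte sector size (the report gives only sector offsets) and runs against a constructed in-memory image, though the same function accepts any raw device or image opened in binary mode.

```python
import io
import math
import random
from typing import BinaryIO, Dict

SECTOR = 512  # assumed sector size; the report states offsets (N-2, N-3, N-4) but not the size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty or constant block, near 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def triage_trailing_sectors(dev: BinaryIO, sector: int = SECTOR) -> Dict[str, object]:
    """Inspect sectors N-4..N-2 of a raw device or image, where N is the sector count.
    High-entropy data in N-4/N-3 matches the encrypted payload location reported for
    SymonLoader; printable text in N-2 matches its hostname/local-time write-back."""
    dev.seek(0, io.SEEK_END)
    n = dev.tell() // sector
    findings: Dict[str, object] = {"sector_count": n, "payload_sectors": [], "beacon_sector": None}
    for idx in (n - 4, n - 3):
        dev.seek(idx * sector)
        blk = dev.read(sector)
        if any(blk) and shannon_entropy(blk) > 7.0:   # 7.0 bits/byte is a conservative cut-off
            findings["payload_sectors"].append(idx)
    dev.seek((n - 2) * sector)
    tail = dev.read(sector).rstrip(b"\x00")
    if tail and all(32 <= b < 127 for b in tail):
        findings["beacon_sector"] = tail.decode("ascii")
    return findings


def build_sample_image(sectors: int = 64, sector: int = SECTOR) -> io.BytesIO:
    """Constructed sample, not a real drive: blank media with pseudo-random bytes in
    N-4/N-3 and a hostname/time string in N-2, mirroring the reported layout."""
    rng = random.Random(1)
    img = bytearray(sectors * sector)
    for idx in (sectors - 4, sectors - 3):
        img[idx * sector:(idx + 1) * sector] = bytes(rng.randrange(256) for _ in range(sector))
    beacon = b"WORKSTATION-01 2012-09-01 09:30:00"   # constructed marker
    start = (sectors - 2) * sector
    img[start:start + len(beacon)] = beacon
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    print(triage_trailing_sectors(build_sample_image()))
```

On a live system the same check would be run against the raw device (for example `\\.\PhysicalDriveN` on Windows) rather than a mounted file system, since the hidden sectors are invisible to file-level tools.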
