BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living-off-the-land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]

ID: G0098
Associated Groups: Palmerworm
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.; Hannah Simes, BT Security
Version: 2.0
Created: 05 May 2020
Last Modified: 06 April 2022

Associated Group Descriptions

Name: Palmerworm
Description: [2][4]

Techniques Used

Domain ID Name Use
Enterprise T1036.002 Masquerading: Right-to-Left Override

BlackTech has used the right-to-left override character to obfuscate the filenames of malicious e-mail attachments.[1]

Enterprise T1190 Exploit Public-Facing Application

BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.[1]

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

BlackTech has used DLL side-loading by giving DLLs hardcoded names and placing them in searched directories.[5]

Enterprise T1203 Exploitation for Client Execution

BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.[1]

Enterprise T1106 Native API

BlackTech has used built-in API functions.[4]

Enterprise T1204.001 User Execution: Malicious Link

BlackTech has used e-mails with malicious links to lure victims into installing malware.[1]

Enterprise T1204.002 User Execution: Malicious File

BlackTech has used e-mails with malicious documents to lure victims into installing malware.[1][6]

Enterprise T1046 Network Service Discovery

BlackTech has used the SNScan tool to find other potential targets on victim networks.[2]

Enterprise T1588.002 Obtain Capabilities: Tool

BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations.[2]

Enterprise T1588.003 Obtain Capabilities: Code Signing Certificates

BlackTech has used stolen code-signing certificates for its malicious payloads.[2]

Enterprise T1588.004 Obtain Capabilities: Digital Certificates

BlackTech has used valid, stolen digital certificates for some of its malware and tools.[7]

Enterprise T1021.004 Remote Services: SSH

BlackTech has used Putty for remote access.[2]

Enterprise T1566.001 Phishing: Spearphishing Attachment

BlackTech has used spearphishing e-mails with malicious password-protected archive files (ZIP or RAR) to deliver malware.[1][6]

Enterprise T1566.002 Phishing: Spearphishing Link

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[1]

Software

ID Name References Techniques
S0696 Flagpro [6] Data from Local System, Masquerading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Application Window Discovery, Data Encoding: Standard Encoding, Native API, Permission Groups Discovery: Local Groups, Obfuscated Files or Information, User Execution: Malicious File, Indicator Removal, System Location Discovery: System Language Discovery, System Owner/User Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Ingress Tool Transfer, Process Discovery, Remote System Discovery, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment, Scheduled Transfer
S0437 Kivars [1][2] Screen Capture, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services, Hide Artifacts: Hidden Window
S0435 PLEAD [1][8][5][2] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Proxy, Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Application Window Discovery, Data Obfuscation: Junk Data, File and Directory Discovery, Native API, User Execution: Malicious File, User Execution: Malicious Link, Indicator Removal: File Deletion, Ingress Tool Transfer, Process Discovery
S0029 PsExec [2] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0436 TSCookie [9] Credentials from Password Stores: Credentials from Web Browsers, Proxy, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, User Execution: Malicious Link, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Non-Application Layer Protocol
S0579 Waterbear [5] Modify Registry, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Impair Defenses: Indicator Blocking, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Indicator Removal from Tools, System Network Connections Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Process Injection: Thread Execution Hijacking, Process Injection

References