1. Home
  2. Groups
  3. BlackTech

BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]

ID: G0098
Associated Groups: Palmerworm
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.; Hannah Simes, BT Security
Version: 2.0
Created: 05 May 2020
Last Modified: 06 April 2022

Associated Group Descriptions

Name Description
Palmerworm

[2][4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1190 Exploit Public-Facing Application

BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.[1]
Enterprise T1203 Exploitation for Client Execution

BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.[5]

Enterprise T1036 .002 Masquerading: Right-to-Left Override

BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.[1]
Enterprise T1106 Native API

BlackTech has used built-in API functions.[4]
Enterprise T1046 Network Service Discovery

BlackTech has used the SNScan tool to find other potential targets on victim networks.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations.[2]
.003 Obtain Capabilities: Code Signing Certificates

BlackTech has used stolen code-signing certificates for its malicious payloads.[2]
.004 Obtain Capabilities: Digital Certificates

BlackTech has used valid, stolen digital certificates for some of their malware and tools.[6]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.[1][7]
.002 Phishing: Spearphishing Link

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[1]
Enterprise T1021 .004 Remote Services: SSH

BlackTech has used Putty for remote access.[2]
Enterprise T1204 .001 User Execution: Malicious Link

BlackTech has used e-mails with malicious links to lure victims into installing malware.[1]

.002 User Execution: Malicious File

BlackTech has used e-mails with malicious documents to lure victims into installing malware.[1][7]

Software

ID Name References Techniques
S0696 Flagpro [7] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Exfiltration Over C2 Channel, Indicator Removal on Host, Ingress Tool Transfer, Masquerading, Native API, Network Share Discovery, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Phishing: Spearphishing Attachment, Process Discovery, Remote System Discovery, Scheduled Transfer, System Location Discovery: System Language Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, User Execution: Malicious File
S0437 Kivars [1][2] File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services, Screen Capture
S0435 PLEAD [1][8][5][2] Application Layer Protocol: Web Protocols, Application Window Discovery, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data Obfuscation: Junk Data, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Native API, Process Discovery, Proxy, User Execution: Malicious File, User Execution: Malicious Link
S0029 PsExec [2] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0436 TSCookie [9] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Discovery, Process Injection, Proxy, System Network Configuration Discovery, User Execution: Malicious Link
S0579 Waterbear [5] Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Side-Loading, Impair Defenses: Indicator Blocking, Ingress Tool Transfer, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Process Discovery, Process Injection, Process Injection: Thread Execution Hijacking, Query Registry, Software Discovery: Security Software Discovery, System Network Connections Discovery

References

  1. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  2. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
  3. Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022.
  4. Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.
  5. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  1. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
  2. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  3. Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  4. Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.