BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]

ID: G0098
Associated Groups: Palmerworm
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.; Hannah Simes, BT Security
Version: 2.0
Created: 05 May 2020
Last Modified: 06 April 2022

Associated Group Descriptions

Name Description
Palmerworm [2][4]

Techniques Used

Domain ID Name Use
Enterprise T1190 Exploit Public-Facing Application

BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.[1]

Enterprise T1203 Exploitation for Client Execution

BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

BlackTech has used DLL side-loading by giving DLLs hardcoded names and placing them in searched directories.[5]

Enterprise T1036 .002 Masquerading: Right-to-Left Override

BlackTech has used right-to-left override to obfuscate the filenames of malicious e-mail attachments.[1]

Enterprise T1106 Native API

BlackTech has used built-in API functions.[4]

Enterprise T1046 Network Service Discovery

BlackTech has used the SNScan tool to find other potential targets on victim networks.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

BlackTech has obtained and used tools such as PuTTY, SNScan, and PsExec for its operations.[2]

.003 Obtain Capabilities: Code Signing Certificates

BlackTech has used stolen code-signing certificates for its malicious payloads.[2]

.004 Obtain Capabilities: Digital Certificates

BlackTech has used valid, stolen digital certificates for some of its malware and tools.[6]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BlackTech has used spearphishing e-mails with malicious password-protected archive files (ZIP or RAR) to deliver malware.[1][7]

.002 Phishing: Spearphishing Link

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[1]

Enterprise T1021 .004 Remote Services: SSH

BlackTech has used PuTTY for remote access.[2]

Enterprise T1204 .001 User Execution: Malicious Link

BlackTech has used e-mails with malicious links to lure victims into installing malware.[1]

.002 User Execution: Malicious File

BlackTech has used e-mails with malicious documents to lure victims into installing malware.[1][7]
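As an added example that is not part of the ATT&CK page, a defender-side check for the T1036.002 entry above: it flags attachment filenames that contain Unicode bidirectional override characters and compares the extension a user would see with the real one. The sample filenames are constructed.

```python
# Added example (not from the ATT&CK page): flag e-mail attachment filenames that
# use Unicode bidirectional override characters, the T1036.002 trick listed above.
# A name such as "invoice_" + U+202E + "cod.exe" renders as "invoice_exe.doc" in
# many clients while the real extension stays ".exe". Sample names are constructed.

# Bidi control code points that can reorder or hide parts of a displayed name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}


def rendered_name(filename: str) -> str:
    """Approximate how a naive UI shows the name: text after an RLO (U+202E) is
    reversed until the next PDF (U+202C) or end of string; controls are dropped."""
    out, buf, reversing = [], [], False
    for ch in filename:
        if ch == "\u202e":
            reversing = True
        elif ch == "\u202c" and reversing:
            out.extend(reversed(buf))
            buf, reversing = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif reversing:
            buf.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(buf))
    return "".join(out)


def inspect_attachment(filename: str) -> dict:
    """Return the bidi controls found, the real extension, and the extension a
    user would believe they see. Any bidi control in a filename merits an alert."""
    found = [BIDI_CONTROLS[c] for c in filename if c in BIDI_CONTROLS]
    real_ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    shown = rendered_name(filename)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    return {
        "controls": found,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "suspicious": bool(found) or real_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed sample: displays as a .doc but is really a .exe
    print(inspect_attachment("invoice_\u202ecod.exe"))
```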

Software

ID Name References Techniques
S0696 Flagpro [7] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Exfiltration Over C2 Channel, Indicator Removal on Host, Ingress Tool Transfer, Masquerading, Native API, Network Share Discovery, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Phishing: Spearphishing Attachment, Process Discovery, Remote System Discovery, Scheduled Transfer, System Location Discovery: System Language Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, User Execution: Malicious File
S0437 Kivars [1][2] File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services, Screen Capture
S0435 PLEAD [1][8][5][2] Application Layer Protocol: Web Protocols, Application Window Discovery, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data Obfuscation: Junk Data, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Native API, Process Discovery, Proxy, User Execution: Malicious File, User Execution: Malicious Link
S0029 PsExec [2] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0436 TSCookie [9] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Discovery, Process Injection, Proxy, System Network Configuration Discovery, User Execution: Malicious Link
S0579 Waterbear [5] Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Side-Loading, Impair Defenses: Indicator Blocking, Ingress Tool Transfer, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Process Discovery, Process Injection, Process Injection: Thread Execution Hijacking, Query Registry, Software Discovery: Security Software Discovery, System Network Connections Discovery

References