BLACKCOFFEE

BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [1] [2]

ID: S0069
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BLACKCOFFEE has the capability to create a reverse shell.[1]

Enterprise T1083 File and Directory Discovery

BLACKCOFFEE has the capability to enumerate files.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

BLACKCOFFEE has the capability to delete files.[1]

Enterprise T1104 Multi-Stage Channels

BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines.[1]

Enterprise T1057 Process Discovery

BLACKCOFFEE has the capability to discover processes.[1]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server.[1][2]

.002 Web Service: Bidirectional Communication

BLACKCOFFEE has also obfuscated its C2 traffic as normal traffic to sites such as Github.[1][2]

Groups That Use This Software

ID Name References
G0065 Leviathan

[2]

G0096 APT41

[3]

G0025 APT17

[1]

References