🇨🇳

BlackTech

APT Group Information theft and espionage ETDA ✓

Also Known As 11 names

CIRCUIT PANDA Canary Typhoon Earth Hundun G0098 HUAPI Manga Taurus Mobwork Palmerworm Red Djinn T-APT-03 Temp.Overboard

Target Countries 6

Countries highlighted in red

Canada China Hong Kong Japan Province of China Taiwan United States

Sectors Targeted

Technology Government Construction Pharmaceutical and Medicine Manufacturing 32541 Healthcare Promoters of Performing Arts, Sports, and Similar Events 7113 Media Grantmaking and Giving Services 8132 Telephone Apparatus Manufacturing 33421 Translation and Interpretation Services 54193 Computer Systems Design and Related Services 54151 Financial

Details

Origin 🇨🇳 CN

Last Updated 01 Jun 2022

Malware Families 8

bifrose

TSCookieRAT

bifrost

bluether

selfmake

hipid

spider_rat

icondown

MITRE ATT&CK 29

T1021 T1021.004 T1027 - Obfuscated Files or Information T1036 T1036.002 T1046 T1055 - Process Injection T1057 - Process Discovery T1071 T1071.001 - Web Protocols T1106 T1189 T1190 T1203 T1204 T1204.001 T1204.002 T1486 T1543.003 - Windows Service T1566 T1566.001 T1566.002 T1574 T1574.001 T1583 - Acquire Infrastructure T1588 T1588.002 T1588.003 T1588.004

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 11 entries

BlackTech Trend Micro

Circuit Panda CrowdStrike

Radio Panda CrowdStrike

Palmerworm Symantec

TEMP.Overboard FireEye

T-APT-03 Tencent

Red Djinn PWC

Manga Taurus Palo Alto

Earth Hundun Trend Micro

Canary Typhoon Microsoft

G0098 MITRE

Observed Target Countries 5

Based on ETDA data — countries highlighted in red

China Hong Kong Japan Taiwan USA

Description

(Trend Micro) BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.

Tools Used 11

BendyBear BIFROST Bluether DRIGO Flagpro Gh0stTimes IconDown KIVARS PLEAD XBOW Living off the Land

Operations 9

2010 Operation “Shrouded Crossbow” This campaign, first observed in 2010, is believed to be operated by a well-funded group given how it appeared to have purchased the source code of the BIFROST backdoor, which the operators enhanced and created other tools from. Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics, computer, healthcare, and financial industries. https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/

2012 Operation “PLEAD” PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations.

2014 Operation “Waterbear” Waterbear has actually been operating for a long time. The campaign’s name is based on its malware’s capability to equip additional functions remotely.

2018-07 ESET researchers have discovered a new malware campaign misusing stolen digital certificates. We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen. https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/

2019-04 At the end of April 2019, ESET researchers utilizing ESET telemetry observed multiple attempts to deploy Plead malware in an unusual way. Specifically, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe. This process belongs to the Windows client for a cloud storage service called ASUS WebStorage. https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/

2019-12 […] in one of its recent campaigns, we’ve discovered a piece of Waterbear payload with a brand-new purpose: hiding its network behaviors from a specific security product by API hooking techniques. In our analysis, we have discovered that the security vendor is APAC-based, which is consistent with BlackTech’s targeted countries. https://blog.trendmicro.com/trendlabs-security-intelligence/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/

2020 The addition of a US target to this campaign suggests the group is expanding campaigns to embrace a wider, more geographically diverse set of targets in their quest to steal information – although the full motivations remain unclear. https://www.zdnet.com/article/these-hackers-have-spent-months-hiding-out-in-company-networks-undetected/

2020-08 BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/

2020-10 Flagpro: The new malware used by BlackTech https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech

Reports & References 3

https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/ https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html https://www.trendmicro.com/en_us/research/24/e/earth-hundun-2.html

ETDA Profile

BlackTech, Circuit Panda, Radio Panda

Origin

China

First Seen 2010

Sponsor State-sponsored

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0098/

View on ETDA APT Groups ↗