Threat Actor BlackTech

 







About

 Advanced Persistent Threat BlackTech is China linked cyber espionage group. They have targeted many organizations working with the U.S, and Japan militaries to steal sensitive information. They are also capable of modifying router firmware, deploying backdoors in victims' networks, and moving laterally between the networks while evading detection.

First appeared in 2010, BlackTech make use of various malwares to affect Windows, Linux, and FreeBSD and updates them regularly. With the help of stolen code signing certificates, adversaries sign the malware to make them appear legitimate and avoid their victims' defense mechanisms. The threat actor can also blend in benign operating systems and network activities via Living-off-the-Land tools as well as techniques. 

However, their most dangerous technique is modifying router firmware without detection. This sophisticated technique helps in establishing persistence, disable logging, move laterally, and hide their C2 communication. 

Tools used by BlackTech

BlackTech make use of several custom malware and remote access tools (RATs):
  • BendyBear- It is a type of Shellcode loader. They are used to load and execute malicious code (Shellcode) onto a compromised system. BendyBear uses polymorphic code and operates entirely on memory to evade detection. These features significantly hinders malware analysis.

  • Bifrose- This notorious backdoor was discovered in 2004. It mainly uses Remote Access Trojan (RAT), allowing an attacker to remotely control an infected machine without the user's knowledge or consent. It can grant unauthorized access to an attacker and reverse connection capability to bypass firewall restrictions. 

  • BTSDoor- This backdoor malware is developed by BlackTech. It can be easily delivered via spear phishing emails containing malicious attachments. It establishes a covert communication channel with the C2 server and steals sensitive data, disrupt operations, and establish persistence. 

  • FakeDead (aka TSCookie) & FrontShell- It is an infostealer and loader malware. After getting infected by TSCookie, the malware downloads and executes a remote access trojan TSCookieRAT to establish persistence. It can be used for credential theft, data exfiltration, and deploying additional malware. 

  • FlagPro- It is a first-stage downloader designed to infiltrate and compromise Windows systems. FlagPro collects information from a compromised host and sends it to an adversary controlled C2 server. It can also execute commands and install additional malware. 

  • IconDown- It is a downloader malware used to abuse Windows shortcut files and deploy malicious payloads. It can easily bypass the traditional antivirus solutions and can become an initial stage of a larger cyber attack campaign. 

  • PLEAD- It is a modular remote access trojan used to exfiltrate sensitive documents and information from compromised systems. It is often used for credential theft, lateral movement, C2 communication, and data exfiltration. 

  • WaterBear- It is a modular malware that consists of a particular set of expandable functionalities. It can easily reside in the boot sector of a computer and is more resistant to the typical removal techniques. It can steal data and move laterally within the victim's environment.

Prevention

In order to overcome such attacks a highly advanced cybersecurity program must be utilized. It should also contain some of the most advanced security solutions, email as well as web content filtering, antiviruses, and threat hunting measures. Application of Zero Trust Model, Multifactor Authentication, in-depth defense, etc., are a must to prevent and mitigate the potential damage done by BlackTech.




































Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Design Planning (Part 3)