Threat Actor BlackTech

About

Advanced persistent threat (APT) group BlackTech is a China-linked cyber espionage group. It has targeted many organizations working with the U.S. and Japanese militaries to steal sensitive information. The group is also capable of modifying router firmware, deploying backdoors in victims' networks, and moving laterally between networks while evading detection.

First observed in 2010, BlackTech uses various malware families that affect Windows, Linux, and FreeBSD, and updates them regularly. Using stolen code-signing certificates, the adversaries sign their malware so that it appears legitimate and evades the victims' defenses. The group also blends in with benign operating system and network activity by using living-off-the-land tools and techniques.

Their most dangerous technique, however, is modifying router firmware without being detected. This sophisticated technique helps them establish persistence, disable logging, move laterally, and hide their C2 communication.
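Because a modified firmware image is the persistence mechanism described above, the practical defensive check is to compare the images actually present on devices against a known-good manifest and to flag anything that differs, is missing, or was never expected. The following script is an added illustration written for this post, not tooling from BlackTech reporting or any vendor; the manifest format, the file names and the sample image bytes are constructed assumptions, and a real manifest would come from the vendor's published hashes or from a golden-image capture taken at deployment time.

```python
"""Firmware integrity check against a known-good manifest (added example)."""
import hashlib
import os
import tempfile
from typing import Dict


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large firmware images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_firmware_images(manifest: Dict[str, str], image_dir: str) -> Dict[str, str]:
    """Return one status per image name.

    manifest maps image filename -> expected SHA-256 hex digest (assumed format).
    Statuses: 'ok' (hash matches), 'mismatch' (hash differs: possible tampering),
    'missing' (expected image not present), 'unexpected' (file present but not in manifest).
    """
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        path = os.path.join(image_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    # Anything on disk that the manifest does not know about deserves a look too.
    for name in sorted(os.listdir(image_dir)):
        if name not in manifest and os.path.isfile(os.path.join(image_dir, name)):
            results[name] = "unexpected"
    return results


def demo() -> Dict[str, str]:
    """Constructed sample: one intact image, one tampered, one missing, one unexpected."""
    golden = b"GOLDEN-IMAGE-BYTES-v1.2.3"  # constructed stand-in for a real firmware image
    expected = hashlib.sha256(golden).hexdigest()
    with tempfile.TemporaryDirectory() as image_dir:
        with open(os.path.join(image_dir, "router-a.bin"), "wb") as f:
            f.write(golden)                      # untouched image
        with open(os.path.join(image_dir, "router-b.bin"), "wb") as f:
            f.write(golden + b"\x00implant")     # constructed tampered image
        with open(os.path.join(image_dir, "extra.bin"), "wb") as f:
            f.write(b"not in manifest")          # file nobody deployed on purpose
        manifest = {
            "router-a.bin": expected,
            "router-b.bin": expected,
            "router-c.bin": expected,            # expected but absent
        }
        return verify_firmware_images(manifest, image_dir)


if __name__ == "__main__":
    for image, status in demo().items():
        print(f"{image}: {status}")
```

Run the check from a trusted host against images pulled from the devices, not from inside the device's own shell, since a compromised firmware can lie about its own contents; pairing this with an alert when syslog from a router stops arriving covers the "disable logging" half of the technique.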

Tools used by BlackTech

BlackTech uses several custom malware families and remote access tools (RATs):
  • BendyBear- A shellcode loader, used to load and execute malicious code (shellcode) on a compromised system. BendyBear uses polymorphic code and operates entirely in memory to evade detection; these features significantly hinder malware analysis.

  • Bifrose- This notorious backdoor was discovered in 2004. It operates as a Remote Access Trojan (RAT), allowing an attacker to remotely control an infected machine without the user's knowledge or consent. It grants the attacker unauthorized access and supports reverse connections to bypass firewall restrictions.

  • BTSDoor- A backdoor developed by BlackTech. It is typically delivered via spear-phishing emails containing malicious attachments. It establishes a covert communication channel with the C2 server, steals sensitive data, disrupts operations, and establishes persistence.

  • FakeDead (aka TSCookie) & FrontShell- An infostealer and loader. Once a host is infected with TSCookie, the malware downloads and executes a remote access trojan, TSCookieRAT, to establish persistence. It can be used for credential theft, data exfiltration, and deploying additional malware.

  • FlagPro- A first-stage downloader designed to infiltrate and compromise Windows systems. FlagPro collects information from a compromised host and sends it to an adversary-controlled C2 server. It can also execute commands and install additional malware.

  • IconDown- A downloader that abuses Windows shortcut files to deploy malicious payloads. It can bypass traditional antivirus solutions and serve as the initial stage of a larger attack campaign.

  • PLEAD- A modular remote access trojan used to exfiltrate sensitive documents and information from compromised systems. It is often used for credential theft, lateral movement, C2 communication, and data exfiltration.

  • WaterBear- A modular malware family built from a set of expandable functionalities. It can reside in the boot sector of a computer and is more resistant to typical removal techniques. It can steal data and move laterally within the victim's environment.

Prevention

Overcoming such attacks requires a mature cybersecurity program. It should include advanced security solutions, email and web content filtering, antivirus, and threat hunting measures. A Zero Trust model, multi-factor authentication, defense in depth, and similar controls are a must to prevent and mitigate the potential damage done by BlackTech.