1. Home
  2. Groups
  3. BlackTech

BlackTech

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.[1]

ID: G0098
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.
Version: 1.1
Created: 05 May 2020
Last Modified: 20 April 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1190 Exploit Public-Facing Application

BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.[1]
Enterprise T1203 Exploitation for Client Execution

BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.[2]

Enterprise T1036 .002 Masquerading: Right-to-Left Override

BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

BlackTech has used spearphishing e-mails with malicious documents to deliver malware.[1]
.002 Phishing: Spearphishing Link

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[1]
Enterprise T1204 .001 User Execution: Malicious Link

BlackTech has used e-mails with malicious links to lure victims into installing malware.[1]

.002 User Execution: Malicious File

BlackTech has used e-mails with malicious documents to lure victims into installing malware.[1]

Software

ID Name References Techniques
S0437 Kivars [1] File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services, Screen Capture
S0435 PLEAD [1][3][2] Application Layer Protocol: Web Protocols, Application Window Discovery, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data Obfuscation: Junk Data, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Process Discovery, Proxy, User Execution: Malicious File, User Execution: Malicious Link
S0436 TSCookie [4] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Discovery, Process Injection, Proxy, System Network Configuration Discovery, User Execution: Malicious Link
S0579 Waterbear [2] Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Side-Loading, Impair Defenses: Indicator Blocking, Ingress Tool Transfer, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Process Discovery, Process Injection, Process Injection: Thread Execution Hijacking, Query Registry, Software Discovery: Security Software Discovery, System Network Connections Discovery

References

  1. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  2. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  1. Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  2. Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.