BlackTech

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.[1]

ID: G0098
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.
Version: 1.1
Created: 05 May 2020
Last Modified: 20 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1190 Exploit Public-Facing Application

BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.[1]

Enterprise T1203 Exploitation for Client Execution

BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

BlackTech has used DLL side-loading by giving DLLs hardcoded names and placing them in searched directories.[2]

Enterprise T1036 .002 Masquerading: Right-to-Left Override

BlackTech has used the right-to-left override character to obfuscate the filenames of malicious e-mail attachments.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BlackTech has used spearphishing e-mails with malicious documents to deliver malware.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[1]

Enterprise T1204 .001 User Execution: Malicious Link

BlackTech has used e-mails with malicious links to lure victims into installing malware.[1]

Enterprise T1204 .002 User Execution: Malicious File

BlackTech has used e-mails with malicious documents to lure victims into installing malware.[1]
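Added example, not part of the ATT&CK page or of any BlackTech tooling: a small Python checker for the T1036.002 row above. It flags attachment filenames that contain Unicode bidirectional control characters (the right-to-left override, U+202E, among them), approximates how a bidi-aware mail client or file browser would display the name, and reports the displayed extension beside the real one. The sample filenames at the bottom are constructed for illustration.

```python
# Added example (not from the ATT&CK page): detect right-to-left override
# masquerading (T1036.002) in attachment filenames.
import os
import unicodedata

# Unicode bidirectional control characters; none of these belong in a
# legitimate attachment filename, so any occurrence is worth flagging.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE RLE PDF LRO RLO
    "\u2066\u2067\u2068\u2069"         # LRI RLI FSI PDI
    "\u200e\u200f"                     # LRM RLM
)
RLO, PDF = "\u202e", "\u202c"


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name):
    """Approximate what a bidi-aware UI renders: text after a Right-to-Left
    Override (U+202E) is shown reversed until a Pop Directional Formatting
    (U+202C) or the end of the string; the controls themselves are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = name.find(PDF, i + 1)
            end = len(name) if j == -1 else j
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1                      # other controls are simply not drawn
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def assess_filename(name):
    """Compare the real extension with the extension the user would see."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    true_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "name": name,
        "displayed": shown,
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "extension_mismatch": true_ext != shown_ext,
        "suspicious": bool(controls),
    }


def scan_attachments(names):
    """Return the assessments for every filename that carries a bidi control."""
    return [r for r in (assess_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample attachment names (not real indicators).
    samples = ["report.pdf", "invoice\u202ecod.exe", "photo\u202egpj.scr"]
    for hit in scan_attachments(samples):
        print(f"{hit['displayed']!r} is really {hit['true_extension']} "
              f"(shown as {hit['displayed_extension']}); "
              f"controls: {[n for _, n in hit['bidi_controls']]}")
```

A mail gateway or endpoint agent can apply the same check to attachment names and to files written by mail clients; because the control characters survive in the on-disk name, the check also works on archived mailboxes and quarantine folders after the fact.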

Software

ID Name References Techniques
S0437 Kivars [1] File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services, Screen Capture
S0435 PLEAD [1][3][2] Application Layer Protocol: Web Protocols, Application Window Discovery, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data Obfuscation: Junk Data, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Process Discovery, Proxy, User Execution: Malicious File, User Execution: Malicious Link
S0436 TSCookie [4] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Discovery, Process Injection, Proxy, System Network Configuration Discovery, User Execution: Malicious Link
S0579 Waterbear [2] Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Side-Loading, Impair Defenses: Indicator Blocking, Ingress Tool Transfer, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Process Discovery, Process Injection, Process Injection: Thread Execution Hijacking, Query Registry, Software Discovery: Security Software Discovery, System Network Connections Discovery

References