
BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living-off-the-land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)
ID: G0098
Associated Groups: Palmerworm
Version: 2.0
Created: 05 May 2020
Last Modified: 06 Apr 2022

Associated Group Descriptions

Name Description
Palmerworm (Citation: Symantec Palmerworm Sep 2020)(Citation: IronNet BlackTech Oct 2021)

Techniques Used

Domain ID Name Use
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

BlackTech has used DLL side-loading by giving DLLs hardcoded names and placing them in searched directories.(Citation: Trend Micro Waterbear December 2019)

Enterprise T1036 .002 Masquerading: Right-to-Left Override

BlackTech has used the right-to-left override character to obfuscate the filenames of malicious e-mail attachments.(Citation: TrendMicro BlackTech June 2017)
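As an added defensive example (not part of the original ATT&CK entry), the check below flags attachment filenames that contain Unicode bidirectional override characters such as U+202E and shows both the name a naive viewer would display and the extension the operating system will actually honour; the sample filenames are constructed.

```python
import unicodedata

# Unicode bidi classes for the explicit override/embedding/isolate controls
# (U+202A..U+202E, U+2066..U+2069). A legitimate attachment name has no
# reason to carry any of them.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
RLO = "\u202e"


def rendered_name(name: str) -> str:
    """Approximate what a display that honours U+202E shows: everything
    after the first RLO is drawn right-to-left, i.e. reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """The extension the OS uses is taken from the raw code-point order,
    with the invisible control characters removed."""
    stripped = "".join(c for c in name if unicodedata.bidirectional(c) not in BIDI_CONTROL_CLASSES)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def inspect_attachment(name: str) -> dict:
    controls = [unicodedata.name(c) for c in name if unicodedata.bidirectional(c) in BIDI_CONTROL_CLASSES]
    return {
        "filename": name,
        "suspicious": bool(controls),
        "controls": controls,
        "displayed_as": rendered_name(name),
        "real_extension": real_extension(name),
    }


def scan_attachments(names: list) -> list:
    """Return the inspection records for every filename that should be quarantined."""
    return [r for r in (inspect_attachment(n) for n in names) if r["suspicious"]]


# Constructed sample: the second name is displayed as "invoice_exe.pdf" but is an .exe.
SAMPLE_ATTACHMENTS = ["report.pdf", "invoice_" + RLO + "fdp.exe"]

if __name__ == "__main__":
    for rec in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{rec['displayed_as']!r} is really .{rec['real_extension']}: {rec['controls']}")
```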

Enterprise T1588 .002 Obtain Capabilities: Tool

BlackTech has obtained and used tools such as PuTTY, SNScan, and PsExec for its operations.(Citation: Symantec Palmerworm Sep 2020)

.003 Obtain Capabilities: Code Signing Certificates

BlackTech has used stolen code-signing certificates for its malicious payloads.(Citation: Symantec Palmerworm Sep 2020)

.004 Obtain Capabilities: Digital Certificates

BlackTech has used valid, stolen digital certificates for some of their malware and tools.(Citation: ESET PLEAD Malware July 2018)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)

.002 Phishing: Spearphishing Link

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.(Citation: TrendMicro BlackTech June 2017)

Enterprise T1021 .004 Remote Services: SSH

BlackTech has used PuTTY for remote access.(Citation: Symantec Palmerworm Sep 2020)

Enterprise T1204 .001 User Execution: Malicious Link

BlackTech has used e-mails with malicious links to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)

.002 User Execution: Malicious File

BlackTech has used e-mails with malicious documents to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)

Software

ID Name References Techniques
S0696 Flagpro (Citation: Flagpro) (Citation: NTT Security Flagpro new December 2021) Standard Encoding, Application Window Discovery, Scheduled Transfer, System Language Discovery, Visual Basic, Windows Command Shell, Obfuscated Files or Information, Data from Local System, Masquerading, Malicious File, Ingress Tool Transfer, Registry Run Keys / Startup Folder, Web Protocols, Remote System Discovery, Local Groups, Exfiltration Over C2 Channel, System Owner/User Discovery, Network Share Discovery, System Network Configuration Discovery, Native API, Spearphishing Attachment, Indicator Removal, System Network Connections Discovery, Process Discovery
S0436 TSCookie (Citation: JPCert BlackTech Malware September 2019) (Citation: JPCert PLEAD Downloader June 2018) (Citation: JPCert TSCookie March 2018) Windows Command Shell, Process Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Web Protocols, Process Injection, Deobfuscate/Decode Files or Information, Credentials from Web Browsers, File and Directory Discovery, Proxy, Symmetric Cryptography, System Network Configuration Discovery, Malicious Link
S0437 Kivars (Citation: Symantec Palmerworm Sep 2020) (Citation: TrendMicro BlackTech June 2017) File Deletion, File and Directory Discovery, Keylogging, Hidden Window, Screen Capture, Ingress Tool Transfer, Remote Services
S0435 PLEAD (Citation: JPCert PLEAD Downloader June 2018) (Citation: JPCert TSCookie March 2018) (Citation: Symantec Palmerworm Sep 2020) (Citation: Trend Micro PLEAD RTLO) (Citation: Trend Micro Waterbear December 2019) (Citation: TrendMicro BlackTech June 2017) Web Protocols, Windows Command Shell, Credentials from Password Stores, Proxy, Malicious File, File and Directory Discovery, Junk Data, Ingress Tool Transfer, File Deletion, Malicious Link, Native API, Process Discovery, Application Window Discovery, Symmetric Cryptography, Credentials from Web Browsers
S0579 Waterbear (Citation: Trend Micro Waterbear December 2019) DLL Side-Loading, Thread Execution Hijacking, Process Injection, Ingress Tool Transfer, Modify Registry, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, System Network Connections Discovery, Query Registry, Security Software Discovery, Process Discovery, Indicator Blocking, Native API, Indicator Removal from Tools
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec Palmerworm Sep 2020) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
