BlackTech
Associated Group Descriptions

Name | Description
---|---
Palmerworm | (Citation: Symantec Palmerworm Sep 2020)(Citation: IronNet BlackTech Oct 2021)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | BlackTech has used DLL side-loading by giving DLLs hardcoded names and placing them in searched directories.(Citation: Trend Micro Waterbear December 2019)
Enterprise | T1036.002 | Masquerading: Right-to-Left Override | BlackTech has used the right-to-left override character to obfuscate the filenames of malicious e-mail attachments.(Citation: TrendMicro BlackTech June 2017)
Enterprise | T1588.002 | Obtain Capabilities: Tool | BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations.(Citation: Symantec Palmerworm Sep 2020)
Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates | BlackTech has used stolen code-signing certificates for its malicious payloads.(Citation: Symantec Palmerworm Sep 2020)
Enterprise | T1588.004 | Obtain Capabilities: Digital Certificates | BlackTech has used valid, stolen digital certificates for some of their malware and tools.(Citation: ESET PLEAD Malware July 2018)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | BlackTech has used spearphishing e-mails with malicious password-protected archive files (ZIP or RAR) to deliver malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)
Enterprise | T1566.002 | Phishing: Spearphishing Link | BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.(Citation: TrendMicro BlackTech June 2017)
Enterprise | T1021.004 | Remote Services: SSH | BlackTech has used Putty for remote access.(Citation: Symantec Palmerworm Sep 2020)
Enterprise | T1204.001 | User Execution: Malicious Link | BlackTech has used e-mails with malicious links to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)
Enterprise | T1204.002 | User Execution: Malicious File | BlackTech has used e-mails with malicious documents to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)
References
- Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
- Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
- Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
- Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
- Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.
- Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
- Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
- Cherepanov, A. (2018, July 9). Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign. Retrieved May 6, 2020.
- Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022.