Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа BlackTech
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
BlackTech
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)
ID: G0098
Associated Groups: Palmerworm
Version: 2.0
Created: 05 May 2020
Last Modified: 06 Apr 2022

Associated Group Descriptions
Name Description
Palmerworm (Citation: Symantec Palmerworm Sep 2020)(Citation: IronNet BlackTech Oct 2021)

Techniques Used
Domain ID Name Use
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.(Citation: Trend Micro Waterbear December 2019)

Enterprise T1036 .002 Masquerading: Right-to-Left Override

BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.(Citation: TrendMicro BlackTech June 2017)
Enterprise T1588 .002 Obtain Capabilities: Tool

BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations.(Citation: Symantec Palmerworm Sep 2020)
.003 Obtain Capabilities: Code Signing Certificates

BlackTech has used stolen code-signing certificates for its malicious payloads.(Citation: Symantec Palmerworm Sep 2020)

.004 Obtain Capabilities: Digital Certificates

BlackTech has used valid, stolen digital certificates for some of their malware and tools.(Citation: ESET PLEAD Malware July 2018)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)
.002 Phishing: Spearphishing Link

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.(Citation: TrendMicro BlackTech June 2017)

Enterprise T1021 .004 Remote Services: SSH

BlackTech has used Putty for remote access.(Citation: Symantec Palmerworm Sep 2020)
Enterprise T1204 .001 User Execution: Malicious Link

BlackTech has used e-mails with malicious links to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)

.002 User Execution: Malicious File

BlackTech has used e-mails with malicious documents to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017)(Citation: NTT Security Flagpro new December 2021)

Software
ID Name References Techniques
S0696 Flagpro (Citation: Flagpro ) (Citation: NTT Security Flagpro new December 2021) Standard Encoding, Application Window Discovery, Scheduled Transfer, System Language Discovery, Visual Basic, Windows Command Shell, Obfuscated Files or Information, Data from Local System, Masquerading, Malicious File, Ingress Tool Transfer, Registry Run Keys / Startup Folder, Web Protocols, Remote System Discovery, Local Groups, Exfiltration Over C2 Channel, System Owner/User Discovery, Network Share Discovery, System Network Configuration Discovery, Native API, Spearphishing Attachment, Indicator Removal, System Network Connections Discovery, Process Discovery
S0436 TSCookie (Citation: JPCert BlackTech Malware September 2019) (Citation: JPCert PLEAD Downloader June 2018) (Citation: JPCert TSCookie March 2018) Windows Command Shell, Process Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Web Protocols, Process Injection, Deobfuscate/Decode Files or Information, Credentials from Web Browsers, File and Directory Discovery, Proxy, Symmetric Cryptography, System Network Configuration Discovery, Malicious Link
S0437 Kivars (Citation: Symantec Palmerworm Sep 2020) (Citation: TrendMicro BlackTech June 2017) File Deletion, File and Directory Discovery, Keylogging, Hidden Window, Screen Capture, Ingress Tool Transfer, Remote Services
S0435 PLEAD (Citation: JPCert PLEAD Downloader June 2018) (Citation: JPCert TSCookie March 2018) (Citation: Symantec Palmerworm Sep 2020) (Citation: Trend Micro PLEAD RTLO) (Citation: Trend Micro Waterbear December 2019) (Citation: TrendMicro BlackTech June 2017) Web Protocols, Windows Command Shell, Credentials from Password Stores, Proxy, Malicious File, File and Directory Discovery, Junk Data, Ingress Tool Transfer, File Deletion, Malicious Link, Native API, Process Discovery, Application Window Discovery, Symmetric Cryptography, Credentials from Web Browsers
S0579 Waterbear (Citation: Trend Micro Waterbear December 2019) DLL Side-Loading, Thread Execution Hijacking, Process Injection, Ingress Tool Transfer, Modify Registry, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, System Network Connections Discovery, Query Registry, Security Software Discovery, Process Discovery, Indicator Blocking, Native API, Indicator Removal from Tools
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec Palmerworm Sep 2020) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  2. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  3. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  4. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022.
  5. Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.
  6. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  7. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  8. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
  9. Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.