
BlackTech Espionage Gang Adds to Malware Toolset
BlackTech, a China-linked espionage group that is more than a decade old, is bolstering its malware arsenal with new tools, researchers said during a session at VB2021 localhost on Thursday.

Researchers with PwC’s threat intelligence team discovered BlackTech using a downloader called Flagpro and a backdoor called BTSDoor in recent spearphishing email attacks. This signifies continued development of the threat group’s toolset, which previously relied on malware like the TSCookie and Plead remote access trojans (RATs) for espionage purposes.

“There definitely is a development effort going on by the threat actor,” Sveva Vittoria Scenarelli, senior analyst in PwC’s threat intelligence team, said on Thursday. “BlackTech is highly likely a China-based and espionage-motivated actor that looks to steal intellectual property or to gather information about the activities of companies that align with activities relevant to Chinese strategic interests.”

BlackTech has been around since at least 2010, but since 2018 researchers have observed it developing new tools, including the Consock malware discovered in 2018, the Waterbear loader found in 2020 and various ELF variants of the TSCookie malware. The group’s targets have primarily focused on companies in Taiwan, but Scenarelli said that it has expanded its victimology over time to include Japan, Hong Kong, China and, as of 2020, the U.S.

Attack Chain

Researchers have observed BlackTech’s attack chain typically starting with a spearphishing email sent to the target, which spoofs the address of a legitimate company. For instance, Scenarelli said researchers observed one spearphishing email, spoofing the email address of a Japanese automotive manufacturer, sent to the Chinese subsidiary of an unnamed Japanese IT service provider.

The emails contained a malicious, password-protected Excel document that prompted targets to “enable content”; the macros then downloaded the Flagpro downloader and dropped it into the Startup folder.

“In 2020 we observed [the macros] dropping Flagpro,” said Scenarelli. “This is a 32-bit executable that establishes persistence through a Startup folder, and creates a Mutex as well to ensure that only one copy of the malware is running on the intended target.”

Once downloaded, Flagpro retrieved and executed commands from the command-and-control (C2) server and collected information about the system, which was used to profile the victim. The downloader also had the ability to steal credentials saved in the Windows Credentials Store, where Windows users’ passwords and other login details are stored for later use.

If the victim is considered of interest to the threat actor, the malware then downloads and executes BTSDoor. This backdoor has been around since at least 2018; however, researchers have only now discovered that it was being used by BlackTech. BTSDoor has various functionalities, including the ability to create a reverse shell and write data to a reverse shell session, as well as to send environment, file listing and directory listing information to the C2.

“BTSDoor is a very simple and straightforward backdoor, it doesn't have any obfuscation methods, it doesn't have any persistence mechanisms, it just runs itself and tries to receive commands from the C2,” said Adam Prescott, lead reverse engineer in PwC's threat intelligence team.
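A defender-side illustration of the delivery chain described above (an Office macro writing an executable into a Startup folder, which is later launched from there), expressed as detection logic over endpoint telemetry. This is an added example, not PwC’s or the article’s code; the Sysmon-style event dicts (event IDs 1 and 11 with `image` and `target_filename` fields) and the sample telemetry are constructed assumptions.

```python
"""Flag the Flagpro-style delivery chain from Sysmon-style telemetry:
an Office process writes a file into a Startup folder (event 11) and a
process is later started from that folder (event 1).
Assumption: events are dicts with event_id, image and, for event 11,
target_filename. All sample data below is constructed, not real IoCs."""
import re

# Per-user and all-users Startup folders share this suffix; Windows
# paths are case-insensitive, so the match is too.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_startup(path):
    return STARTUP_RE.search(path) is not None

def detect(events):
    """Return (alert_kind, path) tuples. A launch from Startup is rated
    higher when the same path was earlier written by an Office process."""
    alerts, dropped = [], set()
    for ev in events:
        if ev["event_id"] == 11:
            target = ev["target_filename"]
            if in_startup(target) and basename(ev["image"]) in OFFICE_IMAGES:
                dropped.add(target.lower())
                alerts.append(("office_wrote_to_startup", target))
        elif ev["event_id"] == 1 and in_startup(ev["image"]):
            kind = ("startup_exec_after_office_drop"
                    if ev["image"].lower() in dropped else "startup_exec")
            alerts.append((kind, ev["image"]))
    return alerts

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
STARTUP_EXE = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\update.exe")
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"event_id": 1, "image": EXCEL},
    {"event_id": 11, "image": EXCEL, "target_filename": r"C:\Users\alice\Documents\q3.xlsx"},
    {"event_id": 11, "image": EXCEL, "target_filename": STARTUP_EXE},
    {"event_id": 1, "image": STARTUP_EXE},
]

if __name__ == "__main__":
    for kind, path in detect(SAMPLE_EVENTS):
        print(f"{kind}: {path}")
```

The ordinary document write by Excel produces no alert; only the Startup-folder write and the subsequent launch from that path are flagged, with the launch escalated because it correlates with the earlier drop.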

Deep Dive into BlackTech Exploits

Upon further investigation into the C2 domains that Flagpro samples were using, researchers were able to learn more about the threat group’s infrastructure and the exploits it uses. After discovering a domain tied to Flagpro, researchers found a reference to tweets discussing an open directory where the Flagpro malware sample was staged. The open directory, which has since been shut down, contained known BlackTech tools, including the Consock malware. Researchers also uncovered several exploits for known CVEs in a folder in the open directory called xx.rar, such as an exploit for an Oracle WebLogic remote code execution flaw (CVE-2021-2135).

While BlackTech continues to rely on tools like the Plead malware, researchers said they expect the threat group to continue evolving both its malware toolset and exploitation efforts.

“We see a threat actor that is quite constant in some of its activities, but that is also open to innovation and changing things up,” said Scenarelli.