BlackTech

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan and occasionally Japan and Hong Kong.[1]

ID: G0098
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.
Version: 1.0
Created: 05 May 2020
Last Modified: 06 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1190 Exploit Public-Facing Application

BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.[1]

Enterprise T1203 Exploitation for Client Execution

BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.

Enterprise T1036.002 Masquerading: Right-to-Left Override

BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.[1]
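The right-to-left override trick in the entry above, as an added defender-side check that is not part of the ATT&CK page: it flags attachment filenames containing Unicode bidirectional control characters and compares the extension a user would see in a file browser with the one the operating system actually uses (the sample filename is constructed).

```python
# Unicode bidirectional embedding/override/isolate code points. Any of them in a
# filename is unusual; U+202E (RLO) is the one used to flip "cod.exe" into "exe.doc".
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(name):
    """Return (index, short name) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate how a GUI file browser displays the name: characters after an
    RLO (U+202E) are drawn reversed until a PDF (U+202C) or the end of the string.
    Other bidi controls are invisible, so they are simply dropped."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def assess_attachment(name):
    """Classify an attachment filename. 'suspicious' is True when a bidi control is
    present and the displayed extension differs from the real one."""
    controls = find_bidi_controls(name)
    shown = rendered_name(name)
    return {
        "controls": controls,
        "displayed_as": shown,
        "displayed_ext": _extension(shown),
        "actual_ext": _extension(name),
        "suspicious": bool(controls) and _extension(shown) != _extension(name),
    }


# Constructed sample: the OS resolves this as an .exe, the user sees "reportexe.doc".
SAMPLE_ATTACHMENT = "report\u202ecod.exe"
```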

Enterprise T1566.002 Phishing: Spearphishing Link

BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

BlackTech has used spearphishing e-mails with malicious documents to deliver malware.[1]

Enterprise T1204.001 User Execution: Malicious Link

BlackTech has used e-mails with malicious links to lure victims into installing malware.[1]

Enterprise T1204.002 User Execution: Malicious File

BlackTech has used e-mails with malicious documents to lure victims into installing malware.[1]

Software

ID Name References Techniques
S0437 Kivars [1] File and Directory Discovery, Hide Artifacts: Hidden Window, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services, Screen Capture
S0435 PLEAD [1][2] Application Layer Protocol: Web Protocols, Application Window Discovery, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data Obfuscation: Junk Data, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Process Discovery, Proxy, User Execution: Malicious File, User Execution: Malicious Link
S0436 TSCookie [3] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, Non-Application Layer Protocol, Process Discovery, Process Injection, Proxy, System Network Configuration Discovery, User Execution: Malicious Link

References