BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1190 | Exploit Public-Facing Application |
BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.[1] |
|
Enterprise | T1203 | Exploitation for Client Execution |
BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.[1] |
|
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.[5] |
Enterprise | T1036 | .002 | Masquerading: Right-to-Left Override |
BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.[1] |
Enterprise | T1106 | Native API | ||
Enterprise | T1046 | Network Service Discovery |
BlackTech has used the SNScan tool to find other potential targets on victim networks.[2] |
|
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations.[2] |
.003 | Obtain Capabilities: Code Signing Certificates |
BlackTech has used stolen code-signing certificates for its malicious payloads.[2] |
||
.004 | Obtain Capabilities: Digital Certificates |
BlackTech has used valid, stolen digital certificates for some of their malware and tools.[6] |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.[1][7] |
.002 | Phishing: Spearphishing Link |
BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[1] |
||
Enterprise | T1021 | .004 | Remote Services: SSH | |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
BlackTech has used e-mails with malicious links to lure victims into installing malware.[1] |
.002 | User Execution: Malicious File |
BlackTech has used e-mails with malicious documents to lure victims into installing malware.[1][7] |