BlackTech APT Group Targets US and Japan - CISA Alert AA23-270A

The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On September 27, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a Chinese APT group called BlackTech [1]. BlackTech is known to target organizations working with US and Japanese militaries for cyber espionage and theft of sensitive information. The APT group is capable of modifying router firmware, deploying backdoors in victims' networks, and moving laterally between networks while evading detection.

In this blog, we explained tools used by BlackTech APT Group and how organizations can defend themselves against BlackTech attacks.

Simulate State-Sponsored APT Attacks with 14-Day Free Trial of Picus Platform

BlackTech APT Group

BlackTech is an Advanced Persistent Threat (APT) Group linked to the People's Republic of China (PRC). The APT group first appeared in 2010 and is known to target US and East Asian public organizations and private companies. Considering their tools and techniques, BlackTech actors aim to establish persistence and exfiltrate sensitive data from their victims for extended periods of time while evading detection. Their effort and emphasis on defense evasion show that BlackTech focuses on cyber espionage.

BlackTech uses a series of malware affecting Windows, Linux, and FreeBSD and updates them regularly. Using stolen code signing certificates, adversaries sign the malware to make them appear legitimate and evade their victims' defense. BlackTech also uses Living-off-the-Land tools and techniques to blend in with benign operating systems and network activities.

The most noteworthy attack technique utilized by BlackTech is modifying router firmware without detection. Threat actors use this sophisticated technique to establish persistence, disable logging, move laterally, and hide their C2 communication. 

Tools Used by BlackTech APT Group

BlackTech threat actors use several custom malware and remote access tools (RATs) in their attack campaigns. By continuously updating these tools, BlackTech avoids being detected and remains persistent in their victims' environment. The malicious software used by BlackTech is as follows:

BendyBear

BendyBear is a type of shellcode loader. Shellcode loaders are specialized tools used by adversaries to load and execute malicious code (shellcode) onto a compromised system, typically with the intent of establishing persistence or performing some malicious activity while evading detection. BendyBear uses polymorphic code and operates entirely on memory to evade detection mechanisms. These features also hinder malware analysis and prevent defenders and automated tools from understanding its true purpose and functionality.

Bifrose

Bifrose is a notorious backdoor that was discovered back in 2004. It evolved over time and gained new features during its nearly 20-year history. Bifrose is primarily a remote access trojan (RAT), which means it allows an attacker to remotely control an infected machine without the user's knowledge or consent. The primary purpose of such trojans is to grant unauthorized access to an attacker, essentially turning the infected machine into a "zombie" that can be commanded as part of a larger botnet or for individual malicious purposes. Bifrose has keylogging for collecting keystrokes and reverse connection capability to bypass firewall restrictions.

BTSDoor

BTSDoor is a backdoor malware developed by the Chinese state-sponsored threat actor BlackTech. It is typically delivered via spear-phishing emails that contain malicious attachments, such as weaponized Word or Excel documents. Once opened, these attachments exploit vulnerabilities in Microsoft Office to install BTSDoor on the victim's computer. BTSDoor establishes a covert communication channel with an adversary-controlled command and control (C2) server. Through this covert channel, adversaries steal sensitive data, disrupt operations, and establish persistence.

FakeDead (aka TSCookie) & FrontShell

FakeDead, also known as TSCookie, is an infostealer and loader malware. The malware is modular in nature and employs several evasion techniques, such as code obfuscation and process injection. After the victim is infected by TSCookie, the malware downloads and executes a remote access trojan named TSCookieRAT to establish persistence. TSCookie is used by adversaries for credential theft, data exfiltration, and deploying additional malware. BlackTech APT group uses FrontShell as a downloader for FakeDead.

FlagPro

FlagPro is a first-stage downloader designed to infiltrate and compromise Windows systems. Once a system is infected, FlagPro collects information from the compromised host and sends it to an adversary-controlled C2 server. It can also execute commands in the infected system and install additional malware downloaded from the C2 server. For more detailed information about it, check out our blog on FlagPro malware.

IconDown

IconDown is a downloader malware that abuses Windows shortcut files with a .lnk extension to download and deploy malicious payloads. The use of Windows shortcut files appears benign to legitimate users and helps malware avoid immediate suspicion. This technique is also leveraged to bypass traditional antivirus solutions since they might overlook .lnk files. IconDown can be the initial stage for a larger cyber attack campaign. When executed by an unsuspecting victim, IconDown malware contacts the attackers' C2 server to download additional malware and exfiltrate sensitive data. 

PLEAD

PLEAD is a modular remote access trojan (RAT) designed to exfiltrate sensitive documents and information from compromised systems. The main entry point for PLEAD malware is typically spear-phishing emails. These are targeted email campaigns where the attacker sends a seemingly legitimate email to a specific individual or organization with malicious attachments or links to compromise the system. PLEAD is often used for credential theft, lateral movement, C2 communication, and data exfiltration in cyber espionage campaigns.

WaterBear

WaterBear is modular malware, meaning it consists of a core set of functionalities that can be expanded upon with additional modules depending on the specific needs and objectives of an attack. Adversaries often choose WaterBear because of its capability to reside in the computer's boot sector, making it more resistant to typical removal techniques. BlackTech threat actors use WaterBear to exfiltrate data from compromised systems and move laterally in the victim's environment. 

How Picus Helps Simulate BlackTech Attacks?

We also strongly suggest simulating BlackTech APT attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other APT groups, such as Andariel, OilRig, and APT33, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for BlackTech APT Group

Threat ID

Threat Name

Attack Module

96037

BlackTech Threat Group Campaign Backdoor Malware Download Threat

Network Infiltration

43613

BlackTech Threat Group Campaign Backdoor Malware Email Threat

Email Infiltration (Phishing)

89388

BlackTech Threat Group Campaign Malware Downloader Download Threat

Network Infiltration

91923

BlackTech Threat Group Campaign Malware Downloader Email Threat

Email Infiltration (Phishing)

62309

BlackTech Threat Group Campaign Malware Dropper Download Threat

Network Infiltration

84835

BlackTech Threat Group Campaign Malware Dropper Email Threat

Email Infiltration (Phishing)

51888

BlackTech Threat Group Campaign RAT Download Threat

Network Infiltration

49234

BlackTech Threat Group Campaign RAT Email Threat

Email Infiltration (Phishing)

81106

BlackTech Threat Group Campaign Malware Download Threat

Network Infiltration

89841

BlackTech Threat Group Campaign Malware Email Threat

Email Infiltration (Phishing)

50381

IconDown Downloader Download Threat

Network Infiltration

98382

IconDown Downloader Email Threat

Email Infiltration (Phishing)

64001

TSCookieRAT RAT Download Threat

Network Infiltration

74981

TSCookieRAT RAT Email Threat

Email Infiltration (Phishing)

47525

TSCookie Loader Download Threat

Network Infiltration

26482

TSCookie Loader Email Threat

Email Infiltration (Phishing)

55981

BTSDoor Backdoor Download Threat

Network Infiltration

25069

BTSDoor Backdoor Email Threat

Email Infiltration (Phishing)

76995

Bifrose Trojan Download Threat

Network Infiltration

74643

Bifrose Trojan Email Threat

Email Infiltration (Phishing)

63142

Bifrose Backdoor Download Threat

Network Infiltration

54774

Bifrose Backdoor Email Threat

Email Infiltration (Phishing)

34987

BendyBear Downloader Download Threat

Network Infiltration

93736

BendyBear Downloader Email Threat

Email Infiltration (Phishing)

65306

Flagpro Trojan Download Threat

Network Infiltration

57554

Flagpro Trojan Email Threat

Email Infiltration (Phishing)

28252

Flagpro Downloader Download Threat

Network Infiltration

28044

Flagpro Downloader Email Threat

Email Infiltration (Phishing)

49893

Gh0stTimes RAT Download Threat

Network Infiltration

59932

Gh0stTimes RAT Email Threat

Email Infiltration (Phishing)

82854

WaterBear Loader Download Threat

Network Infiltration

43442

WaterBear Loader Email Threat

Email Infiltration (Phishing)

47216

Plead Downloader Download Threat

Network Infiltration

30730

Plead Downloader Email Threat

Email Infiltration (Phishing)

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware used by BlackTech and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for malware used by BlackTech:

Security Control

Signature ID

Signature Name

Checkpoint NGFW

0DAC85EC8

Backdoor.MSIL.SpyGate.tma.TC.2258Yrza

Checkpoint NGFW

08CA829A5

Backdoor.Win32.Agent.mytxit.TC.9d6cJgAN

Checkpoint NGFW

0BFAA95F7

HEUR:Backdoor.Win32.Farfli.gen.TC.46f9TJYx

Checkpoint NGFW

86472349

HEUR:Backdoor.Win32.Farfli.gen.TC.4759DNBk

Checkpoint NGFW

0F5010C0B

HEUR:Backdoor.Win32.Farfli.TC.bcbcOkel

Checkpoint NGFW

0C8DFE3ED

HEUR:Trojan.Win32.Agentb.gen.TC.e750hCay

Checkpoint NGFW

0C04BC957

HEUR:Trojan.Win32.Generic.TC.c0f0jKcr

Checkpoint NGFW

0B501F579

HEUR:Trojan.Win32.Generic.TC.e941HuFR

Checkpoint NGFW

0C2A119CC

Trojan-Dropper.Win32.Injector.lgvp.TC.26dcBTNe

Checkpoint NGFW

0DC882425

Trojan-Dropper.Win32.Injector.lgvp.TC.515czkSf

Checkpoint NGFW

0955EF260

Trojan-Dropper.Win32.Injector.TC.3a7cnUJa

Checkpoint NGFW

0A0CB5841

Trojan-Dropper.Win32.Injector.TC.3ad2xYzX

Checkpoint NGFW

0DC782ED2

Trojan.MSIL.ShopBot.cow.TC.1414lpcf

Checkpoint NGFW

0F939FDB7

Trojan.Win32.Agentb.gen.TC.8a00vdyZ

Checkpoint NGFW

0840E036C

Trojan.Win32.Burn.TC.bff4YtpR

Checkpoint NGFW

0BA5D43E0

Trojan.Win32.Generic.TC.1dedYYaX

Checkpoint NGFW

0FB27A3BB

Trojan.Win32.Generic.TC.6872MRRN

Checkpoint NGFW

091614ED9

Trojan.Win32.Generic.TC.d3c6ElUM

Checkpoint NGFW

0C128FA2A

Trojan.Win32.Generic.Win32.Generic.TC.49feFbOk

Checkpoint NGFW

0BD83CBBC

Trojan.Win32.Generic.Win32.Generic.TC.ac78zval

Checkpoint NGFW

0C6AB09E3

Trojan.Win32.Llac.kzqr.TC.2d98omLq

Checkpoint NGFW

0C9471D38

Trojan.Win32.Llac.kzqr.TC.442fAsBu

Checkpoint NGFW

0F26CCC84

Trojan.Win32.Llac.kzqr.TC.8900dKEy

Checkpoint NGFW

0C80FDA6E

Trojan.Win32.Malicious.TC.i

Checkpoint NGFW

0DAD12F5A

Trojan.Win32.Malicious.TC.k

Checkpoint NGFW

0E5C60BEC

Trojan.Win32.Malicious.TC.l

Checkpoint NGFW

08A07CE4C

Trojan.Win32.Malicious.TC.m

Checkpoint NGFW

0D822BD35

Trojan.Win32.Malicious.TC.n

Checkpoint NGFW

08FFD1C15

Trojan.Win32.PLEAD.aa.TC.b2a9Nyfj

Checkpoint NGFW

0F25D1F4D

Trojan.Win32.PLEAD.h.TC.0c4aodZP

Checkpoint NGFW

0EF9B6C92

Trojan.Win32.Trojan-Dropper.TC.d2fagzfr

Checkpoint NGFW

0C9E51DBB

Trojan.Win32.Upatre.TC.6416Yfka

Checkpoint NGFW

0A38870E1

Trojan.Win32.Winsxsbot.TC.9726ckgX

Checkpoint NGFW

093ADC5CD

Trojan.Win64.Agentb.atz.TC.3beewvJx

Checkpoint NGFW

08CB540A0

TS_Botnet.Win32.SkyNet.TC.e046uShP

Checkpoint NGFW

095182B4C

TS_Dropper.Win32.VBDotNetDropper.TC.cbe9gdHB

Checkpoint NGFW

08ABC61BA

TS_Trojan.Win32.Bladabindi.TC.1b6arsyX

Checkpoint NGFW

0F49617E7

TS_Trojan.Win32.GenericIL.TC.83d8tcMb

Checkpoint NGFW

096E4D989

UDS:DangerousObject.Multi.Generic.TC.67d6iNdg

Checkpoint NGFW

0AD2966C8

UDS:Trojan.Win32.Generic.TC.56b8qyFi

Checkpoint NGFW

0C74F794A

UDS:Trojan.Win32.Generic.TC.aca3xzJq

Checkpoint NGFW

0FE46A107

unknown.TC.eb3eFxXB

Cisco Firepower

 

Auto.0478FE3022.241848.in07.Talos

Cisco Firepower

 

Auto.EE6ED3.212452.in02

Cisco Firepower

1.48134.6

FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt

Cisco Firepower

1.53205.2

INDICATOR-OBFUSCATION Win.Dropper.Vivin download attempt

Cisco Firepower

1.53209.1

MALWARE-OTHER Win.Trojan.AZORult malicious executable download attempt

Cisco Firepower

 

njRAT::gravity::W32.Backdoor:BifroseDZM.21go.1201

Cisco Firepower

 

Unix.Dropper.Bifrose::in07.talos

Cisco Firepower

 

W32.01581F0B18-100.SBX.VIOC

Cisco Firepower

 

W32.655CA39BEB-94.SBX.VIOC

Cisco Firepower

 

W32.AAA236EECA-95.SBX.TG

Cisco Firepower

 

W32.Auto:15b8dddbfa.in03.Talos

Cisco Firepower

 

W32.Auto:54e6ea47eb.in03.Talos

Cisco Firepower

 

W32.Auto:77680fb906.in03.Talos

Cisco Firepower

 

W32.Auto:836b87.in03.Talos

Cisco Firepower

 

W32.Auto:a69a2b2a6f.in03.Talos

Cisco Firepower

 

W32.Auto:e197c583f5.in03.Talos

Cisco Firepower

 

W32.BD02CA0335-95.SBX.TG

Cisco Firepower

 

W32.D0C2804C85-95.SBX.TG

Cisco Firepower

 

W32.GenericKD:Trojangen.22lw.1201

Cisco Firepower

 

W32.Variant:Gen.20ld.1201

Cisco Firepower

 

Win.Dropper.Bifrose::1201

Cisco Firepower

 

Win.Dropper.Bifrose::in10.talos

Cisco Firepower

 

Win.Dropper.Bifrose::sbmt.talos

Cisco Firepower

 

Win.Dropper.Jaike::1201

Cisco Firepower

 

Win.Dropper.Tiggre::1201

Cisco Firepower

 

Win.Loader.WaterBear.tii.Talos

Cisco Firepower

 

Xls.Dropper.Valyria::mash.sr.sbx.vioc

Forcepoint NGFW

 

File_Malware-Blocked

Forcepoint NGFW

 

File-OLE_Microsoft-Excel-File-Handling-Code-Execution-Vulnerability

Fortigate AV

540197

W32/Agent.ZEM!tr

Fortigate AV

5991747

W32/Farfli.ADV!tr

Fortigate AV

10090616

W32/FlagPro.A!tr

Fortigate AV

7696901

W32/Generic.ZOJ!tr

Fortigate AV

6601514

W32/Generik.DEDLUVQ!tr

Fortigate AV

6567253

W32/Injector.LGVP!tr

Fortigate AV

822086

W32/VB.NMR!tr

Fortigate AV

7589428

W64/Farfli.D!tr

Mcafee

0x4840c900

MALWARE: Malicious File Detected by GTI

Palo Alto

190071849

Backdoor/MSIL.bladabindi.lefz

Palo Alto

190947525

Backdoor/MSIL.bladabindi.lhsm

Palo Alto

218505504

Backdoor/MSIL.bladabindi.olpg

Palo Alto

218572884

Backdoor/MSIL.bladabindi.olqf

Palo Alto

191218977

Backdoor/Win32.bfrs1.eh

Palo Alto

218573430

Backdoor/Win32.darkddoser.fx

Palo Alto

437621922

Backdoor/Win32.farfli.btjs

Palo Alto

188829978

HackTool/Win32.keygen.npk

Palo Alto

44364051

Trojan-Ransom/Win32.blocker.vub

Palo Alto

460268804

trojan/Win32 EXE.click.ajc

Palo Alto

436584951

trojan/Win32 EXE.farfli.btil

Palo Alto

373758117

trojan/Win32 EXE.farfli.btim

Palo Alto

436612779

trojan/Win32 EXE.farfli.btin

Palo Alto

436613025

trojan/Win32 EXE.farfli.btio

Palo Alto

379342368

trojan/Win32 EXE.farfli.btiq

Palo Alto

197333133

trojan/Win32 EXE.graftor.kn

Palo Alto

200798652

trojan/Win32 EXE.graftor.ko

Palo Alto

198868227

trojan/Win32 EXE.graftor.kp

Palo Alto

175014180

trojan/Win32 EXE.malware.arhp

Palo Alto

459740498

trojan/Win32 EXE.malware.azzq

Palo Alto

459740567

trojan/Win32 EXE.possiblethreat.hib

Palo Alto

459740540

trojan/Win32 EXE.zusy.rnp

Palo Alto

46585536

Trojan/Win32.dyer.ur

Palo Alto

46675179

Trojan/Win32.dyer.vb

Palo Alto

437575773

trojan/Win32.farfli.dgng

Palo Alto

218505561

Trojan/Win32.skeeyah.lrs

Palo Alto

218518611

Trojan/Win32.skeeyah.lru

Palo Alto

218543010

Trojan/Win32.skeeyah.lrv

Palo Alto

218585523

Trojan/Win32.skeeyah.lrx

Palo Alto

88978206

Virus/Win32.bifrose.fq

Snort

1.53205.2

INDICATOR-OBFUSCATION Win.Dropper.Vivin download attempt

Snort

1.53209.1

MALWARE-OTHER Win.Trojan.AZORult malicious executable download attempt

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trial of Picus The Complete Security Validation Platform.

References

[1] "People's Republic of China-Linked Cyber Actors Hide in Router Firmware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a. [Accessed: Sep. 28, 2023]