.svg)
.svg)
On September 27, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a Chinese APT group called BlackTech [1]. BlackTech is known to target organizations working with US and Japanese militaries for cyber espionage and theft of sensitive information. The APT group is capable of modifying router firmware, deploying backdoors in victims' networks, and moving laterally between networks while evading detection.
In this blog, we explained tools used by BlackTech APT Group and how organizations can defend themselves against BlackTech attacks.
Simulate State-Sponsored APT Attacks with 14-Day Free Trial of Picus Platform
BlackTech APT Group
BlackTech is an Advanced Persistent Threat (APT) Group linked to the People's Republic of China (PRC). The APT group first appeared in 2010 and is known to target US and East Asian public organizations and private companies. Considering their tools and techniques, BlackTech actors aim to establish persistence and exfiltrate sensitive data from their victims for extended periods of time while evading detection. Their effort and emphasis on defense evasion show that BlackTech focuses on cyber espionage.
BlackTech uses a series of malware affecting Windows, Linux, and FreeBSD and updates them regularly. Using stolen code signing certificates, adversaries sign the malware to make them appear legitimate and evade their victims' defense. BlackTech also uses Living-off-the-Land tools and techniques to blend in with benign operating systems and network activities.
The most noteworthy attack technique utilized by BlackTech is modifying router firmware without detection. Threat actors use this sophisticated technique to establish persistence, disable logging, move laterally, and hide their C2 communication.
Tools Used by BlackTech APT Group
BlackTech threat actors use several custom malware and remote access tools (RATs) in their attack campaigns. By continuously updating these tools, BlackTech avoids being detected and remains persistent in their victims' environment. The malicious software used by BlackTech is as follows:
BendyBear
BendyBear is a type of shellcode loader. Shellcode loaders are specialized tools used by adversaries to load and execute malicious code (shellcode) onto a compromised system, typically with the intent of establishing persistence or performing some malicious activity while evading detection. BendyBear uses polymorphic code and operates entirely on memory to evade detection mechanisms. These features also hinder malware analysis and prevent defenders and automated tools from understanding its true purpose and functionality.
Bifrose
Bifrose is a notorious backdoor that was discovered back in 2004. It evolved over time and gained new features during its nearly 20-year history. Bifrose is primarily a remote access trojan (RAT), which means it allows an attacker to remotely control an infected machine without the user's knowledge or consent. The primary purpose of such trojans is to grant unauthorized access to an attacker, essentially turning the infected machine into a "zombie" that can be commanded as part of a larger botnet or for individual malicious purposes. Bifrose has keylogging for collecting keystrokes and reverse connection capability to bypass firewall restrictions.
BTSDoor
BTSDoor is a backdoor malware developed by the Chinese state-sponsored threat actor BlackTech. It is typically delivered via spear-phishing emails that contain malicious attachments, such as weaponized Word or Excel documents. Once opened, these attachments exploit vulnerabilities in Microsoft Office to install BTSDoor on the victim's computer. BTSDoor establishes a covert communication channel with an adversary-controlled command and control (C2) server. Through this covert channel, adversaries steal sensitive data, disrupt operations, and establish persistence.
FakeDead (aka TSCookie) & FrontShell
FakeDead, also known as TSCookie, is an infostealer and loader malware. The malware is modular in nature and employs several evasion techniques, such as code obfuscation and process injection. After the victim is infected by TSCookie, the malware downloads and executes a remote access trojan named TSCookieRAT to establish persistence. TSCookie is used by adversaries for credential theft, data exfiltration, and deploying additional malware. BlackTech APT group uses FrontShell as a downloader for FakeDead.
FlagPro
FlagPro is a first-stage downloader designed to infiltrate and compromise Windows systems. Once a system is infected, FlagPro collects information from the compromised host and sends it to an adversary-controlled C2 server. It can also execute commands in the infected system and install additional malware downloaded from the C2 server. For more detailed information about it, check out our blog on FlagPro malware.
IconDown
IconDown is a downloader malware that abuses Windows shortcut files with a .lnk extension to download and deploy malicious payloads. The use of Windows shortcut files appears benign to legitimate users and helps malware avoid immediate suspicion. This technique is also leveraged to bypass traditional antivirus solutions since they might overlook .lnk files. IconDown can be the initial stage for a larger cyber attack campaign. When executed by an unsuspecting victim, IconDown malware contacts the attackers' C2 server to download additional malware and exfiltrate sensitive data.
PLEAD
PLEAD is a modular remote access trojan (RAT) designed to exfiltrate sensitive documents and information from compromised systems. The main entry point for PLEAD malware is typically spear-phishing emails. These are targeted email campaigns where the attacker sends a seemingly legitimate email to a specific individual or organization with malicious attachments or links to compromise the system. PLEAD is often used for credential theft, lateral movement, C2 communication, and data exfiltration in cyber espionage campaigns.
WaterBear
WaterBear is modular malware, meaning it consists of a core set of functionalities that can be expanded upon with additional modules depending on the specific needs and objectives of an attack. Adversaries often choose WaterBear because of its capability to reside in the computer's boot sector, making it more resistant to typical removal techniques. BlackTech threat actors use WaterBear to exfiltrate data from compromised systems and move laterally in the victim's environment.
How Picus Helps Simulate BlackTech Attacks?
We also strongly suggest simulating BlackTech APT attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other APT groups, such as Andariel, OilRig, and APT33, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for BlackTech APT Group:
|
Threat ID |
Threat Name |
Attack Module |
|
96037 |
BlackTech Threat Group Campaign Backdoor Malware Download Threat |
Network Infiltration |
|
43613 |
BlackTech Threat Group Campaign Backdoor Malware Email Threat |
Email Infiltration (Phishing) |
|
89388 |
BlackTech Threat Group Campaign Malware Downloader Download Threat |
Network Infiltration |
|
91923 |
BlackTech Threat Group Campaign Malware Downloader Email Threat |
Email Infiltration (Phishing) |
|
62309 |
BlackTech Threat Group Campaign Malware Dropper Download Threat |
Network Infiltration |
|
84835 |
BlackTech Threat Group Campaign Malware Dropper Email Threat |
Email Infiltration (Phishing) |
|
51888 |
BlackTech Threat Group Campaign RAT Download Threat |
Network Infiltration |
|
49234 |
BlackTech Threat Group Campaign RAT Email Threat |
Email Infiltration (Phishing) |
|
81106 |
BlackTech Threat Group Campaign Malware Download Threat |
Network Infiltration |
|
89841 |
BlackTech Threat Group Campaign Malware Email Threat |
Email Infiltration (Phishing) |
|
50381 |
IconDown Downloader Download Threat |
Network Infiltration |
|
98382 |
IconDown Downloader Email Threat |
Email Infiltration (Phishing) |
|
64001 |
TSCookieRAT RAT Download Threat |
Network Infiltration |
|
74981 |
TSCookieRAT RAT Email Threat |
Email Infiltration (Phishing) |
|
47525 |
TSCookie Loader Download Threat |
Network Infiltration |
|
26482 |
TSCookie Loader Email Threat |
Email Infiltration (Phishing) |
|
55981 |
BTSDoor Backdoor Download Threat |
Network Infiltration |
|
25069 |
BTSDoor Backdoor Email Threat |
Email Infiltration (Phishing) |
|
76995 |
Bifrose Trojan Download Threat |
Network Infiltration |
|
74643 |
Bifrose Trojan Email Threat |
Email Infiltration (Phishing) |
|
63142 |
Bifrose Backdoor Download Threat |
Network Infiltration |
|
54774 |
Bifrose Backdoor Email Threat |
Email Infiltration (Phishing) |
|
34987 |
BendyBear Downloader Download Threat |
Network Infiltration |
|
93736 |
BendyBear Downloader Email Threat |
Email Infiltration (Phishing) |
|
65306 |
Flagpro Trojan Download Threat |
Network Infiltration |
|
57554 |
Flagpro Trojan Email Threat |
Email Infiltration (Phishing) |
|
28252 |
Flagpro Downloader Download Threat |
Network Infiltration |
|
28044 |
Flagpro Downloader Email Threat |
Email Infiltration (Phishing) |
|
49893 |
Gh0stTimes RAT Download Threat |
Network Infiltration |
|
59932 |
Gh0stTimes RAT Email Threat |
Email Infiltration (Phishing) |
|
82854 |
WaterBear Loader Download Threat |
Network Infiltration |
|
43442 |
WaterBear Loader Email Threat |
Email Infiltration (Phishing) |
|
47216 |
Plead Downloader Download Threat |
Network Infiltration |
|
30730 |
Plead Downloader Email Threat |
Email Infiltration (Phishing) |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address malware used by BlackTech and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for malware used by BlackTech:
|
Security Control |
Signature ID |
Signature Name |
|
Checkpoint NGFW |
0DAC85EC8 |
Backdoor.MSIL.SpyGate.tma.TC.2258Yrza |
|
Checkpoint NGFW |
08CA829A5 |
Backdoor.Win32.Agent.mytxit.TC.9d6cJgAN |
|
Checkpoint NGFW |
0BFAA95F7 |
HEUR:Backdoor.Win32.Farfli.gen.TC.46f9TJYx |
|
Checkpoint NGFW |
86472349 |
HEUR:Backdoor.Win32.Farfli.gen.TC.4759DNBk |
|
Checkpoint NGFW |
0F5010C0B |
HEUR:Backdoor.Win32.Farfli.TC.bcbcOkel |
|
Checkpoint NGFW |
0C8DFE3ED |
HEUR:Trojan.Win32.Agentb.gen.TC.e750hCay |
|
Checkpoint NGFW |
0C04BC957 |
HEUR:Trojan.Win32.Generic.TC.c0f0jKcr |
|
Checkpoint NGFW |
0B501F579 |
HEUR:Trojan.Win32.Generic.TC.e941HuFR |
|
Checkpoint NGFW |
0C2A119CC |
Trojan-Dropper.Win32.Injector.lgvp.TC.26dcBTNe |
|
Checkpoint NGFW |
0DC882425 |
Trojan-Dropper.Win32.Injector.lgvp.TC.515czkSf |
|
Checkpoint NGFW |
0955EF260 |
Trojan-Dropper.Win32.Injector.TC.3a7cnUJa |
|
Checkpoint NGFW |
0A0CB5841 |
Trojan-Dropper.Win32.Injector.TC.3ad2xYzX |
|
Checkpoint NGFW |
0DC782ED2 |
Trojan.MSIL.ShopBot.cow.TC.1414lpcf |
|
Checkpoint NGFW |
0F939FDB7 |
Trojan.Win32.Agentb.gen.TC.8a00vdyZ |
|
Checkpoint NGFW |
0840E036C |
Trojan.Win32.Burn.TC.bff4YtpR |
|
Checkpoint NGFW |
0BA5D43E0 |
Trojan.Win32.Generic.TC.1dedYYaX |
|
Checkpoint NGFW |
0FB27A3BB |
Trojan.Win32.Generic.TC.6872MRRN |
|
Checkpoint NGFW |
091614ED9 |
Trojan.Win32.Generic.TC.d3c6ElUM |
|
Checkpoint NGFW |
0C128FA2A |
Trojan.Win32.Generic.Win32.Generic.TC.49feFbOk |
|
Checkpoint NGFW |
0BD83CBBC |
Trojan.Win32.Generic.Win32.Generic.TC.ac78zval |
|
Checkpoint NGFW |
0C6AB09E3 |
Trojan.Win32.Llac.kzqr.TC.2d98omLq |
|
Checkpoint NGFW |
0C9471D38 |
Trojan.Win32.Llac.kzqr.TC.442fAsBu |
|
Checkpoint NGFW |
0F26CCC84 |
Trojan.Win32.Llac.kzqr.TC.8900dKEy |
|
Checkpoint NGFW |
0C80FDA6E |
Trojan.Win32.Malicious.TC.i |
|
Checkpoint NGFW |
0DAD12F5A |
Trojan.Win32.Malicious.TC.k |
|
Checkpoint NGFW |
0E5C60BEC |
Trojan.Win32.Malicious.TC.l |
|
Checkpoint NGFW |
08A07CE4C |
Trojan.Win32.Malicious.TC.m |
|
Checkpoint NGFW |
0D822BD35 |
Trojan.Win32.Malicious.TC.n |
|
Checkpoint NGFW |
08FFD1C15 |
Trojan.Win32.PLEAD.aa.TC.b2a9Nyfj |
|
Checkpoint NGFW |
0F25D1F4D |
Trojan.Win32.PLEAD.h.TC.0c4aodZP |
|
Checkpoint NGFW |
0EF9B6C92 |
Trojan.Win32.Trojan-Dropper.TC.d2fagzfr |
|
Checkpoint NGFW |
0C9E51DBB |
Trojan.Win32.Upatre.TC.6416Yfka |
|
Checkpoint NGFW |
0A38870E1 |
Trojan.Win32.Winsxsbot.TC.9726ckgX |
|
Checkpoint NGFW |
093ADC5CD |
Trojan.Win64.Agentb.atz.TC.3beewvJx |
|
Checkpoint NGFW |
08CB540A0 |
TS_Botnet.Win32.SkyNet.TC.e046uShP |
|
Checkpoint NGFW |
095182B4C |
TS_Dropper.Win32.VBDotNetDropper.TC.cbe9gdHB |
|
Checkpoint NGFW |
08ABC61BA |
TS_Trojan.Win32.Bladabindi.TC.1b6arsyX |
|
Checkpoint NGFW |
0F49617E7 |
TS_Trojan.Win32.GenericIL.TC.83d8tcMb |
|
Checkpoint NGFW |
096E4D989 |
UDS:DangerousObject.Multi.Generic.TC.67d6iNdg |
|
Checkpoint NGFW |
0AD2966C8 |
UDS:Trojan.Win32.Generic.TC.56b8qyFi |
|
Checkpoint NGFW |
0C74F794A |
UDS:Trojan.Win32.Generic.TC.aca3xzJq |
|
Checkpoint NGFW |
0FE46A107 |
unknown.TC.eb3eFxXB |
|
Cisco Firepower |
Auto.0478FE3022.241848.in07.Talos |
|
|
Cisco Firepower |
Auto.EE6ED3.212452.in02 |
|
|
Cisco Firepower |
1.48134.6 |
FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt |
|
Cisco Firepower |
1.53205.2 |
INDICATOR-OBFUSCATION Win.Dropper.Vivin download attempt |
|
Cisco Firepower |
1.53209.1 |
MALWARE-OTHER Win.Trojan.AZORult malicious executable download attempt |
|
Cisco Firepower |
njRAT::gravity::W32.Backdoor:BifroseDZM.21go.1201 |
|
|
Cisco Firepower |
Unix.Dropper.Bifrose::in07.talos |
|
|
Cisco Firepower |
W32.01581F0B18-100.SBX.VIOC |
|
|
Cisco Firepower |
W32.655CA39BEB-94.SBX.VIOC |
|
|
Cisco Firepower |
W32.AAA236EECA-95.SBX.TG |
|
|
Cisco Firepower |
W32.Auto:15b8dddbfa.in03.Talos |
|
|
Cisco Firepower |
W32.Auto:54e6ea47eb.in03.Talos |
|
|
Cisco Firepower |
W32.Auto:77680fb906.in03.Talos |
|
|
Cisco Firepower |
W32.Auto:836b87.in03.Talos |
|
|
Cisco Firepower |
W32.Auto:a69a2b2a6f.in03.Talos |
|
|
Cisco Firepower |
W32.Auto:e197c583f5.in03.Talos |
|
|
Cisco Firepower |
W32.BD02CA0335-95.SBX.TG |
|
|
Cisco Firepower |
W32.D0C2804C85-95.SBX.TG |
|
|
Cisco Firepower |
W32.GenericKD:Trojangen.22lw.1201 |
|
|
Cisco Firepower |
W32.Variant:Gen.20ld.1201 |
|
|
Cisco Firepower |
Win.Dropper.Bifrose::1201 |
|
|
Cisco Firepower |
Win.Dropper.Bifrose::in10.talos |
|
|
Cisco Firepower |
Win.Dropper.Bifrose::sbmt.talos |
|
|
Cisco Firepower |
Win.Dropper.Jaike::1201 |
|
|
Cisco Firepower |
Win.Dropper.Tiggre::1201 |
|
|
Cisco Firepower |
Win.Loader.WaterBear.tii.Talos |
|
|
Cisco Firepower |
Xls.Dropper.Valyria::mash.sr.sbx.vioc |
|
|
Forcepoint NGFW |
File_Malware-Blocked |
|
|
Forcepoint NGFW |
File-OLE_Microsoft-Excel-File-Handling-Code-Execution-Vulnerability |
|
|
Fortigate AV |
540197 |
W32/Agent.ZEM!tr |
|
Fortigate AV |
5991747 |
W32/Farfli.ADV!tr |
|
Fortigate AV |
10090616 |
W32/FlagPro.A!tr |
|
Fortigate AV |
7696901 |
W32/Generic.ZOJ!tr |
|
Fortigate AV |
6601514 |
W32/Generik.DEDLUVQ!tr |
|
Fortigate AV |
6567253 |
W32/Injector.LGVP!tr |
|
Fortigate AV |
822086 |
W32/VB.NMR!tr |
|
Fortigate AV |
7589428 |
W64/Farfli.D!tr |
|
Mcafee |
0x4840c900 |
MALWARE: Malicious File Detected by GTI |
|
Palo Alto |
190071849 |
Backdoor/MSIL.bladabindi.lefz |
|
Palo Alto |
190947525 |
Backdoor/MSIL.bladabindi.lhsm |
|
Palo Alto |
218505504 |
Backdoor/MSIL.bladabindi.olpg |
|
Palo Alto |
218572884 |
Backdoor/MSIL.bladabindi.olqf |
|
Palo Alto |
191218977 |
Backdoor/Win32.bfrs1.eh |
|
Palo Alto |
218573430 |
Backdoor/Win32.darkddoser.fx |
|
Palo Alto |
437621922 |
Backdoor/Win32.farfli.btjs |
|
Palo Alto |
188829978 |
HackTool/Win32.keygen.npk |
|
Palo Alto |
44364051 |
Trojan-Ransom/Win32.blocker.vub |
|
Palo Alto |
460268804 |
trojan/Win32 EXE.click.ajc |
|
Palo Alto |
436584951 |
trojan/Win32 EXE.farfli.btil |
|
Palo Alto |
373758117 |
trojan/Win32 EXE.farfli.btim |
|
Palo Alto |
436612779 |
trojan/Win32 EXE.farfli.btin |
|
Palo Alto |
436613025 |
trojan/Win32 EXE.farfli.btio |
|
Palo Alto |
379342368 |
trojan/Win32 EXE.farfli.btiq |
|
Palo Alto |
197333133 |
trojan/Win32 EXE.graftor.kn |
|
Palo Alto |
200798652 |
trojan/Win32 EXE.graftor.ko |
|
Palo Alto |
198868227 |
trojan/Win32 EXE.graftor.kp |
|
Palo Alto |
175014180 |
trojan/Win32 EXE.malware.arhp |
|
Palo Alto |
459740498 |
trojan/Win32 EXE.malware.azzq |
|
Palo Alto |
459740567 |
trojan/Win32 EXE.possiblethreat.hib |
|
Palo Alto |
459740540 |
trojan/Win32 EXE.zusy.rnp |
|
Palo Alto |
46585536 |
Trojan/Win32.dyer.ur |
|
Palo Alto |
46675179 |
Trojan/Win32.dyer.vb |
|
Palo Alto |
437575773 |
trojan/Win32.farfli.dgng |
|
Palo Alto |
218505561 |
Trojan/Win32.skeeyah.lrs |
|
Palo Alto |
218518611 |
Trojan/Win32.skeeyah.lru |
|
Palo Alto |
218543010 |
Trojan/Win32.skeeyah.lrv |
|
Palo Alto |
218585523 |
Trojan/Win32.skeeyah.lrx |
|
Palo Alto |
88978206 |
Virus/Win32.bifrose.fq |
|
Snort |
1.53205.2 |
INDICATOR-OBFUSCATION Win.Dropper.Vivin download attempt |
|
Snort |
1.53209.1 |
MALWARE-OTHER Win.Trojan.AZORult malicious executable download attempt |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.
References
[1] "People's Republic of China-Linked Cyber Actors Hide in Router Firmware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a. [Accessed: Sep. 28, 2023]
