aka: CIRCUIT PANDA, Temp.Overboard, HUAPI, Palmerworm, G0098, T-APT-03, Manga Taurus, Red Djinn
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology.
Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.
PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop off points for exfiltrated documents stolen by DRIGO.
PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router’s VPN feature then register a machine as virtual server. This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets.
2022-12-30 ⋅ Cyber And Ramen blog ⋅ CYBER&RAMEN
@online{cyberramen:20221230:quick:b75a34c,
author = {CYBER&RAMEN},
title = {{A Quick Look at ELF Bifrose (Part 1)}},
date = {2022-12-30},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/},
language = {English},
urldate = {2023-02-06}
}
A Quick Look at ELF Bifrose (Part 1)
Bifrost |
2022-11-24 ⋅ Twitter (@strinsert1Na) ⋅ MigawariIV
@online{migawariiv:20221124:recent:98d1c2e,
author = {MigawariIV},
title = {{Tweet on recent Bifrose activity}},
date = {2022-11-24},
organization = {Twitter (@strinsert1Na)},
url = {https://twitter.com/strinsert1Na/status/1595553530579890176},
language = {English},
urldate = {2022-11-25}
}
Tweet on recent Bifrose activity
Bifrost |
2022-09-29 ⋅ NTT ⋅ NTT Security Holdings Corporation
@techreport{corporation:20220929:report:1615dab,
author = {NTT Security Holdings Corporation},
title = {{Report on APT Attacks by BlackTech}},
date = {2022-09-29},
institution = {NTT},
url = {https://jp.security.ntt/resources/EN-BlackTech_2021.pdf},
language = {English},
urldate = {2022-09-30}
}
Report on APT Attacks by BlackTech
Bifrost PLEAD TSCookie Flagpro Gh0stTimes SelfMake Loader SPIDERPIG RAT |
2022-09-15 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20220915:f5:717ee99,
author = {Shusei Tomonaga},
title = {{F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech}},
date = {2022-09-15},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html},
language = {English},
urldate = {2022-09-19}
}
F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech
Hipid |
2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
@online{42:20220718:manga:5eaad04,
author = {Unit 42},
title = {{Manga Taurus}},
date = {2022-07-18},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/atoms/mangataurus/},
language = {English},
urldate = {2022-07-29}
}
Manga Taurus
BlackTech |
2022-04-28 ⋅ PWC ⋅ PWC UK
@techreport{uk:20220428:cyber:46707aa,
author = {PWC UK},
title = {{Cyber Threats 2021: A Year in Retrospect}},
date = {2022-04-28},
institution = {PWC},
url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf},
language = {English},
urldate = {2022-04-29}
}
Cyber Threats 2021: A Year in Retrospect
APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER |
2022-02-09 ⋅ vmware ⋅ VMWare
@techreport{vmware:20220209:exposing:7b5f76e,
author = {VMWare},
title = {{Exposing Malware in Linux-Based Multi-Cloud Environments}},
date = {2022-02-09},
institution = {vmware},
url = {https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf},
language = {English},
urldate = {2022-02-10}
}
Exposing Malware in Linux-Based Multi-Cloud Environments
ACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike |
2022-01-25 ⋅ Trend Micro ⋅ Hara Hiroaki
@techreport{hiroaki:20220125:ambiguously:a846748,
author = {Hara Hiroaki},
title = {{Ambiguously Black: The Current State of Earth Hundun's Arsenal}},
date = {2022-01-25},
institution = {Trend Micro},
url = {https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf},
language = {English},
urldate = {2022-04-04}
}
Ambiguously Black: The Current State of Earth Hundun's Arsenal
Flagpro SPIDERPIG RAT |
2022-01-13 ⋅ Twitter (@8th_grey_owl) ⋅ 8thGreyOwl
@online{8thgreyowl:20220113:selfmake:b0e52ab,
author = {8thGreyOwl},
title = {{Tweet on SelfMake Loader}},
date = {2022-01-13},
organization = {Twitter (@8th_grey_owl)},
url = {https://twitter.com/8th_grey_owl/status/1481433481485844483},
language = {English},
urldate = {2022-01-19}
}
Tweet on SelfMake Loader
SelfMake Loader |
2021-12-28 ⋅ NTT ⋅ Hiroki Hada
@online{hada:20211228:flagpro:1263fb7,
author = {Hiroki Hada},
title = {{Flagpro: The new malware used by BlackTech}},
date = {2021-12-28},
organization = {NTT},
url = {https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech},
language = {English},
urldate = {2021-12-31}
}
Flagpro: The new malware used by BlackTech
Flagpro |
2021-12-16 ⋅ Twitter (@nahamike01) ⋅ MikeR
@online{miker:20211216:spiderrat:e0c4858,
author = {MikeR},
title = {{Tweet on SPIDERRAT malware used by CIRCUIT PANDA}},
date = {2021-12-16},
organization = {Twitter (@nahamike01)},
url = {https://twitter.com/nahamike01/status/1471496800582664193?s=20},
language = {English},
urldate = {2022-01-17}
}
Tweet on SPIDERRAT malware used by CIRCUIT PANDA
SPIDERPIG RAT |
2021-12-12 ⋅ Cyber And Ramen blog ⋅ Mike R
@online{r:20211212:more:9f9c952,
author = {Mike R},
title = {{More Flagpro, More Problems}},
date = {2021-12-12},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/},
language = {English},
urldate = {2022-04-05}
}
More Flagpro, More Problems
Flagpro |
2021-10-08 ⋅ NTT ⋅ Hiroki Hada, Rintaro Koike, Fumio Ozawa
@online{hada:20211008:malware:bfcbd46,
author = {Hiroki Hada and Rintaro Koike and Fumio Ozawa},
title = {{Malware Flagpro used by targeted attack group BlackTech}},
date = {2021-10-08},
organization = {NTT},
url = {https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro},
language = {Japanese},
urldate = {2021-10-24}
}
Malware Flagpro used by targeted attack group BlackTech
Flagpro |
2021-10-07 ⋅ VB Localhost ⋅ Sveva Vittoria Scenarelli, Adam Prescott
@techreport{scenarelli:20211007:back:d7e0e71,
author = {Sveva Vittoria Scenarelli and Adam Prescott},
title = {{Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits}},
date = {2021-10-07},
institution = {VB Localhost},
url = {https://vblocalhost.com/uploads/VB2021-50.pdf},
language = {English},
urldate = {2022-06-29}
}
Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits
Flagpro |
2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li
@online{tseng:20210901:mem2img:7817a5d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-09-01},
organization = {YouTube (Black Hat)},
url = {https://www.youtube.com/watch?v=6SDdUVejR2w},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear |
2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li
@techreport{tseng:20210507:mem2img:494799d,
author = {Aragorn Tseng and Charles Li},
title = {{Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network}},
date = {2021-05-07},
institution = {TEAMT5},
url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf},
language = {English},
urldate = {2021-09-12}
}
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear |
2021-04-13 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
@online{research:20210413:tscookie:affc5a0,
author = {ESET Research},
title = {{Tweet on TSCookie for FreeBSD platform}},
date = {2021-04-13},
organization = {Twitter (@ESETresearch)},
url = {https://twitter.com/ESETresearch/status/1382054011264700416},
language = {English},
urldate = {2021-04-14}
}
Tweet on TSCookie for FreeBSD platform
TSCookie |
2021-02-28 ⋅ PWC UK ⋅ PWC UK
@techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team |
2021-02-11 ⋅ Cyber And Ramen blog ⋅ Mike R
@online{r:20210211:blacktech:829b971,
author = {Mike R},
title = {{BlackTech Updates Elf-Plead Backdoor}},
date = {2021-02-11},
organization = {Cyber And Ramen blog},
url = {https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/},
language = {English},
urldate = {2022-04-05}
}
BlackTech Updates Elf-Plead Backdoor
PLEAD |
2020-12-24 ⋅ IronNet ⋅ Adam Hlavek
@online{hlavek:20201224:china:723bed3,
author = {Adam Hlavek},
title = {{China cyber attacks: the current threat landscape}},
date = {2020-12-24},
organization = {IronNet},
url = {https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape},
language = {English},
urldate = {2021-01-01}
}
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti |
2020-12-21 ⋅ Intezer ⋅ Intezer
@online{intezer:20201221:top:9529707,
author = {Intezer},
title = {{Top Linux Cloud Threats of 2020}},
date = {2020-12-21},
organization = {Intezer},
url = {https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/},
language = {English},
urldate = {2020-12-26}
}
Top Linux Cloud Threats of 2020
AgeLocker AnchorDNS Blackrota Cloud Snooper Dacls Doki FritzFrog IPStorm Kaiji Kinsing NOTROBIN Penquin Turla PLEAD Prometei RansomEXX Stantinko TeamTNT TSCookie WellMail elf.wellmess TeamTNT |
2020-12-19 ⋅ Cyber And Ramen blog ⋅ Mike R
@online{r:20201219:persistence:b9043d9,
author = {Mike R},
title = {{Persistence Pays Off: A Brief Look at BlackTech’s 2020}},
date = {2020-12-19},
organization = {Cyber And Ramen blog},
url = {https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020},
language = {English},
urldate = {2021-01-01}
}
Persistence Pays Off: A Brief Look at BlackTech’s 2020
PLEAD TSCookie PLEAD |
2020-11-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20201116:elfplead:3bb79c4,
author = {Shusei Tomonaga},
title = {{ELF_PLEAD - Linux Malware Used by BlackTech}},
date = {2020-11-16},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html},
language = {English},
urldate = {2020-11-17}
}
ELF_PLEAD - Linux Malware Used by BlackTech
PLEAD |
2020-10-08 ⋅ ZDNet ⋅ Charlie Osborne
@online{osborne:20201008:waterbear:9d810b3,
author = {Charlie Osborne},
title = {{Waterbear malware used in attack wave against government agencies}},
date = {2020-10-08},
organization = {ZDNet},
url = {https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/},
language = {English},
urldate = {2021-04-20}
}
Waterbear malware used in attack wave against government agencies
Waterbear |
2020-09-29 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20200929:palmerworm:4a96e3b,
author = {Threat Hunter Team},
title = {{Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors}},
date = {2020-09-29},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt},
language = {English},
urldate = {2020-10-04}
}
Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
KIVARS PLEAD BlackTech |
2020-08-19 ⋅ TEAMT5 ⋅ TeamT5
@online{teamt5:20200819:0819:e955419,
author = {TeamT5},
title = {{調查局 08/19 公布中國對台灣政府機關駭侵事件說明}},
date = {2020-08-19},
organization = {TEAMT5},
url = {https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/},
language = {Chinese},
urldate = {2021-05-03}
}
調查局 08/19 公布中國對台灣政府機關駭侵事件說明
Cobalt Strike Waterbear |
2020-05-01 ⋅ Macnica Networks ⋅ TeamT5, Macnica Networks
@techreport{teamt5:20200501:cyber:70c9cbc,
author = {TeamT5 and Macnica Networks},
title = {{Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019}},
date = {2020-05-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf},
language = {English},
urldate = {2021-02-26}
}
Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019
TSCookie LODEINFO |
2020-04-15 ⋅ TEAMT5 ⋅ TeamT5
@online{teamt5:20200415:huapi:c45f871,
author = {TeamT5},
title = {{中國駭客 HUAPI 的惡意後門程式 BiFrost 分析}},
date = {2020-04-15},
organization = {TEAMT5},
url = {https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/},
language = {Chinese (Traditional)},
urldate = {2021-03-31}
}
中國駭客 HUAPI 的惡意後門程式 BiFrost 分析
Bifrost |
2020-03-05 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20200305:elftscookie:f49b873,
author = {Shusei Tomonaga},
title = {{ELF_TSCookie - Linux Malware Used by BlackTech}},
date = {2020-03-05},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html},
language = {English},
urldate = {2020-03-09}
}
ELF_TSCookie - Linux Malware Used by BlackTech
TSCookie |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER |
2020-01-17 ⋅ JPCERT/CC ⋅ Takayoshi Shiigi
@techreport{shiigi:20200117:looking:bf71db1,
author = {Takayoshi Shiigi},
title = {{Looking back on the incidents in 2019}},
date = {2020-01-17},
institution = {JPCERT/CC},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf},
language = {English},
urldate = {2020-04-06}
}
Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT |
2020-01-14 ⋅ TEAMT5 ⋅ CiYi Yu, Aragorn Tseng
@techreport{yu:20200114:evil:20b2d83,
author = {CiYi Yu and Aragorn Tseng},
title = {{Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT}},
date = {2020-01-14},
institution = {TEAMT5},
url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf},
language = {English},
urldate = {2021-04-21}
}
Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
Waterbear |
2020-01-03 ⋅ DayDayNews ⋅ DayDayNews
@online{daydaynews:20200103:waterbear:b4818c4,
author = {DayDayNews},
title = {{Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function}},
date = {2020-01-03},
organization = {DayDayNews},
url = {https://daydaynews.cc/zh-tw/technology/297265.html},
language = {Chinese},
urldate = {2021-04-20}
}
Waterbear, a cyber espionage virus, has a new variant with its own anti-virus function
Waterbear |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-11 ⋅ Trend Micro ⋅ Vickie Su, Anita Hsieh, Dove Chiu
@online{su:20191211:waterbear:3538eb5,
author = {Vickie Su and Anita Hsieh and Dove Chiu},
title = {{Waterbear Returns, Uses API Hooking to Evade Security}},
date = {2019-12-11},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html},
language = {English},
urldate = {2021-04-20}
}
Waterbear Returns, Uses API Hooking to Evade Security
Waterbear |
2019-11-22 ⋅ SANS Cyber Security Summit ⋅ Sveva Vittoria Scenarelli, Rachel Mullan
@techreport{scenarelli:20191122:need:00f7cef,
author = {Sveva Vittoria Scenarelli and Rachel Mullan},
title = {{Need for PLEAD: BlackTech Pursuit}},
date = {2019-11-22},
institution = {SANS Cyber Security Summit},
url = {https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf},
language = {English},
urldate = {2021-01-25}
}
Need for PLEAD: BlackTech Pursuit
BLUETHER PLEAD |
2019-11-21 ⋅ JPCERT/CC ⋅ 田中 信太郎(Shintaro Tanaka)
@online{tanaka:20191121:icondown:cb082bf,
author = {田中 信太郎(Shintaro Tanaka)},
title = {{IconDown – Downloader Used by BlackTech}},
date = {2019-11-21},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html},
language = {English},
urldate = {2020-01-08}
}
IconDown – Downloader Used by BlackTech
IconDown |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
@techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-10-01 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20191001:trends:30fb713,
author = {Macnica Networks},
title = {{Trends in Cyber Espionage Targeting Japan 1st Half of 2019}},
date = {2019-10-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in Cyber Espionage Targeting Japan 1st Half of 2019
PLEAD TSCookie Datper PLEAD |
2019-09-18 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20190918:malware:67390e7,
author = {Shusei Tomonaga},
title = {{Malware Used by BlackTech after Network Intrusion}},
date = {2019-09-18},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html},
language = {English},
urldate = {2019-11-16}
}
Malware Used by BlackTech after Network Intrusion
PLEAD |
2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20190801:trends:5e25d5b,
author = {GReAT},
title = {{APT trends report Q2 2019}},
date = {2019-08-01},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2019/91897/},
language = {English},
urldate = {2020-08-13}
}
APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy |
2019-05-30 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20190530:bug:cf70c8d,
author = {Shusei Tomonaga},
title = {{Bug in Malware “TSCookie” - Fails to Read Configuration - (Update)}},
date = {2019-05-30},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html},
language = {English},
urldate = {2020-01-13}
}
Bug in Malware “TSCookie” - Fails to Read Configuration - (Update)
PLEAD |
2019-05-14 ⋅ ESET Research ⋅ Anton Cherepanov
@online{cherepanov:20190514:plead:3140588,
author = {Anton Cherepanov},
title = {{Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage}},
date = {2019-05-14},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/},
language = {English},
urldate = {2019-11-14}
}
Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage
PLEAD BlackTech |
2019-04-01 ⋅ Macnica Networks ⋅ Macnica Networks
@techreport{networks:20190401:trends:cf738dc,
author = {Macnica Networks},
title = {{Trends in Cyber Espionage Targeting Japan 2nd Half of 2018}},
date = {2019-04-01},
institution = {Macnica Networks},
url = {https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf},
language = {Japanese},
urldate = {2021-03-02}
}
Trends in Cyber Espionage Targeting Japan 2nd Half of 2018
Anel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy |
2018-11-12 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20181112:bug:fe13af3,
author = {Shusei Tomonaga},
title = {{Bug in Malware “TSCookie” - Fails to Read Configuration}},
date = {2018-11-12},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html},
language = {English},
urldate = {2019-10-28}
}
Bug in Malware “TSCookie” - Fails to Read Configuration
PLEAD |
2018-07-09 ⋅ ESET Research ⋅ Anton Cherepanov
@online{cherepanov:20180709:certificates:ae214b6,
author = {Anton Cherepanov},
title = {{Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign}},
date = {2018-07-09},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/},
language = {English},
urldate = {2019-11-14}
}
Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign
PLEAD BlackTech |
2018-06-08 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20180608:plead:046d5bc,
author = {Shusei Tomonaga},
title = {{PLEAD Downloader Used by BlackTech}},
date = {2018-06-08},
organization = {JPCERT/CC},
url = {https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html},
language = {English},
urldate = {2020-01-06}
}
PLEAD Downloader Used by BlackTech
PLEAD |
2018-03-06 ⋅ Shusei Tomonaga
@online{tomonaga:20180306:malware:f5fea73,
author = {Shusei Tomonaga},
title = {{Malware “TSCookie”}},
date = {2018-03-06},
url = {http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html},
language = {English},
urldate = {2020-01-07}
}
Malware “TSCookie”
PLEAD |
2018-01-10 ⋅ Freebuf ⋅ Tencent Computer Manager
@online{manager:20180110:analysis:3a5fe83,
author = {Tencent Computer Manager},
title = {{Analysis of BlackTech's latest APT attack}},
date = {2018-01-10},
organization = {Freebuf},
url = {http://www.freebuf.com/column/159865.html},
language = {English},
urldate = {2020-01-08}
}
Analysis of BlackTech's latest APT attack
PLEAD |
2017-06-22 ⋅ Trend Micro ⋅ Lenart Bermejo, Razor Huang, CH Lei
@online{bermejo:20170622:trail:ba78447,
author = {Lenart Bermejo and Razor Huang and CH Lei},
title = {{The Trail of BlackTech’s Cyber Espionage Campaigns}},
date = {2017-06-22},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html},
language = {English},
urldate = {2021-01-29}
}
The Trail of BlackTech’s Cyber Espionage Campaigns
bifrose KIVARS PLEAD |
2017-06-22 ⋅ Trend Micro ⋅ Lenart Bermejo, Razor Huang, CH Lei
@online{bermejo:20170622:following:7126b3b,
author = {Lenart Bermejo and Razor Huang and CH Lei},
title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}},
date = {2017-06-22},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/},
language = {English},
urldate = {2019-12-24}
}
Following the Trail of BlackTech’s Cyber Espionage Campaigns
PLEAD BlackTech |
2017-06 ⋅ Trend Micro ⋅ Lenart Bermejo, Razor Huang, CH Lei
@techreport{bermejo:201706:following:61e6dae,
author = {Lenart Bermejo and Razor Huang and CH Lei},
title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}},
date = {2017-06},
institution = {Trend Micro},
url = {https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf},
language = {English},
urldate = {2020-01-07}
}
Following the Trail of BlackTech’s Cyber Espionage Campaigns
PLEAD |
2016-04-13 ⋅ FireEye ⋅ Daniel Regalado, Taha Karim, Varun Jian, Erye Hernandez
@online{regalado:20160413:ghosts:5d2944f,
author = {Daniel Regalado and Taha Karim and Varun Jian and Erye Hernandez},
title = {{Ghosts in the Endpoint}},
date = {2016-04-13},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html},
language = {English},
urldate = {2020-04-20}
}
Ghosts in the Endpoint
PLEAD |
2014-08-28 ⋅ Trend Micro ⋅ Christopher Daniel So
@online{so:20140828:bifrose:e63b72a,
author = {Christopher Daniel So},
title = {{BIFROSE Now More Evasive Through Tor, Used for Targeted Attack}},
date = {2014-08-28},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/bifrose-now-more-evasive-through-tor-used-for-targeted-attack/},
language = {English},
urldate = {2021-01-27}
}
BIFROSE Now More Evasive Through Tor, Used for Targeted Attack
bifrose |
2014-07-02 ⋅ Trend Micro ⋅ Kervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877,
author = {Kervin Alintanahin and Ronnie Giagone},
title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}},
date = {2014-07-02},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/},
language = {English},
urldate = {2020-06-19}
}
KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
FakeWord KIVARS PLEAD Poison RAT Zeus |