SYMBOLCOMMON_NAMEaka. SYNONYMS

BlackTech  (Back to overview)

aka: CIRCUIT PANDA, Temp.Overboard, HUAPI

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear. PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop off points for exfiltrated documents stolen by DRIGO. PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router’s VPN feature then register a machine as virtual server. This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets.


Associated Families
elf.tscookie win.bluether win.icondown win.plead

References
2020-05-26TeamT5, Macnica Networks
@techreport{teamt5:20200526:2019:70c9cbc, author = {TeamT5 and Macnica Networks}, title = {{日本を狙うサイバーエスピオナージの動向 2019年度下期 (The reality of targeted attacks - Countermeasure approach)}}, date = {2020-05-26}, institution = {}, url = {https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf}, language = {Japanese}, urldate = {2020-06-02} } 日本を狙うサイバーエスピオナージの動向 2019年度下期 (The reality of targeted attacks - Countermeasure approach)
TSCookie LODEINFO
2020-03-05JPCERT/CCShusei Tomonaga
@online{tomonaga:20200305:elftscookie:f49b873, author = {Shusei Tomonaga}, title = {{ELF_TSCookie - Linux Malware Used by BlackTech}}, date = {2020-03-05}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html}, language = {English}, urldate = {2020-03-09} } ELF_TSCookie - Linux Malware Used by BlackTech
TSCookie
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-01-17JPCERT/CCTakayoshi Shiigi
@techreport{shiigi:20200117:looking:bf71db1, author = {Takayoshi Shiigi}, title = {{Looking back on the incidents in 2019}}, date = {2020-01-17}, institution = {JPCERT/CC}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf}, language = {English}, urldate = {2020-04-06} } Looking back on the incidents in 2019
TSCookie NodeRAT Emotet PoshC2 Quasar RAT
2020-01-14TEAMT5CiYi Yu, Aragorn Tseng
@techreport{yu:20200114:evil:20b2d83, author = {CiYi Yu and Aragorn Tseng}, title = {{Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT}}, date = {2020-01-14}, institution = {TEAMT5}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf}, language = {English}, urldate = {2020-04-13} } Evil Hidden in Shellcode: The Evolution of Malware DBGPRINT
PLEAD
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-11-22SANS Cyber Security SummitSveva Vittoria Scenarelli, Rachel Mullan
@techreport{scenarelli:20191122:need:00f7cef, author = {Sveva Vittoria Scenarelli and Rachel Mullan}, title = {{Need for PLEAD: BlackTech Pursuit}}, date = {2019-11-22}, institution = {SANS Cyber Security Summit}, url = {https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf}, language = {English}, urldate = {2020-01-20} } Need for PLEAD: BlackTech Pursuit
BLUETHER PLEAD
2019-11-21JPCERT/CC田中 信太郎(Shintaro Tanaka)
@online{tanaka:20191121:icondown:cb082bf, author = {田中 信太郎(Shintaro Tanaka)}, title = {{IconDown – Downloader Used by BlackTech}}, date = {2019-11-21}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html}, language = {English}, urldate = {2020-01-08} } IconDown – Downloader Used by BlackTech
IconDown
2019-09-18JPCERT/CCShusei Tomonaga
@online{tomonaga:20190918:malware:67390e7, author = {Shusei Tomonaga}, title = {{Malware Used by BlackTech after Network Intrusion}}, date = {2019-09-18}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html}, language = {English}, urldate = {2019-11-16} } Malware Used by BlackTech after Network Intrusion
PLEAD
2019-05-30JPCERT/CCShusei Tomonaga
@online{tomonaga:20190530:bug:cf70c8d, author = {Shusei Tomonaga}, title = {{Bug in Malware “TSCookie” - Fails to Read Configuration - (Update)}}, date = {2019-05-30}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html}, language = {English}, urldate = {2020-01-13} } Bug in Malware “TSCookie” - Fails to Read Configuration - (Update)
PLEAD
2019-05-14ESET ResearchAnton Cherepanov
@online{cherepanov:20190514:plead:3140588, author = {Anton Cherepanov}, title = {{Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage}}, date = {2019-05-14}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/}, language = {English}, urldate = {2019-11-14} } Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage
PLEAD BlackTech
2018-11-12JPCERT/CCShusei Tomonaga
@online{tomonaga:20181112:bug:fe13af3, author = {Shusei Tomonaga}, title = {{Bug in Malware “TSCookie” - Fails to Read Configuration}}, date = {2018-11-12}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html}, language = {English}, urldate = {2019-10-28} } Bug in Malware “TSCookie” - Fails to Read Configuration
PLEAD
2018-07-09ESET ResearchAnton Cherepanov
@online{cherepanov:20180709:certificates:ae214b6, author = {Anton Cherepanov}, title = {{Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign}}, date = {2018-07-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/}, language = {English}, urldate = {2019-11-14} } Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign
PLEAD BlackTech
2018-06-08JPCERT/CCShusei Tomonaga
@online{tomonaga:20180608:plead:046d5bc, author = {Shusei Tomonaga}, title = {{PLEAD Downloader Used by BlackTech}}, date = {2018-06-08}, organization = {JPCERT/CC}, url = {https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html}, language = {English}, urldate = {2020-01-06} } PLEAD Downloader Used by BlackTech
PLEAD
2018-03-06Shusei Tomonaga
@online{tomonaga:20180306:malware:f5fea73, author = {Shusei Tomonaga}, title = {{Malware “TSCookie”}}, date = {2018-03-06}, url = {http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html}, language = {English}, urldate = {2020-01-07} } Malware “TSCookie”
PLEAD
2018-01-10FreebufTencent Computer Manager
@online{manager:20180110:analysis:3a5fe83, author = {Tencent Computer Manager}, title = {{Analysis of BlackTech's latest APT attack}}, date = {2018-01-10}, organization = {Freebuf}, url = {http://www.freebuf.com/column/159865.html}, language = {English}, urldate = {2020-01-08} } Analysis of BlackTech's latest APT attack
PLEAD
2017-06-22Trend MicroLenart Bermejo, Razor Huang, CH Lei
@online{bermejo:20170622:following:7126b3b, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/}, language = {English}, urldate = {2019-12-24} } Following the Trail of BlackTech’s Cyber Espionage Campaigns
PLEAD BlackTech
2017-06Trend MicroLenart Bermejo, Razor Huang, CH Lei
@techreport{bermejo:201706:following:61e6dae, author = {Lenart Bermejo and Razor Huang and CH Lei}, title = {{Following the Trail of BlackTech’s Cyber Espionage Campaigns}}, date = {2017-06}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf}, language = {English}, urldate = {2020-01-07} } Following the Trail of BlackTech’s Cyber Espionage Campaigns
PLEAD
2016-04-13FireEyeDaniel Regalado, Taha Karim, Varun Jian, Erye Hernandez
@online{regalado:20160413:ghosts:5d2944f, author = {Daniel Regalado and Taha Karim and Varun Jian and Erye Hernandez}, title = {{Ghosts in the Endpoint}}, date = {2016-04-13}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html}, language = {English}, urldate = {2020-04-20} } Ghosts in the Endpoint
PLEAD
2014-07-02Trend MicroKervin Alintanahin, Ronnie Giagone
@online{alintanahin:20140702:kivars:4fe6877, author = {Kervin Alintanahin and Ronnie Giagone}, title = {{KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”}}, date = {2014-07-02}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/}, language = {English}, urldate = {2020-06-19} } KIVARS With Venom: Targeted Attacks Upgrade with 64-bit “Support”
PLEAD Zeus

Credits: MISP Project