Skip to content

G0098 BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia–particularly Taiwan, Japan, and Hong Kong–and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.143

Item Value
ID G0098
Associated Names Palmerworm
Version 2.0
Created 05 May 2020
Last Modified 06 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Palmerworm 42

Techniques Used

Domain ID Name Use
enterprise T1190 Exploit Public-Facing Application BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.1
enterprise T1203 Exploitation for Client Execution BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.6
enterprise T1036 Masquerading -
enterprise T1036.002 Right-to-Left Override BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.1
enterprise T1106 Native API BlackTech has used built-in API functions.2
enterprise T1046 Network Service Discovery BlackTech has used the SNScan tool to find other potential targets on victim networks.4
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations.4
enterprise T1588.003 Code Signing Certificates BlackTech has used stolen code-signing certificates for its malicious payloads.4
enterprise T1588.004 Digital Certificates BlackTech has used valid, stolen digital certificates for some of their malware and tools.5
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.17
enterprise T1566.002 Spearphishing Link BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.1
enterprise T1021 Remote Services -
enterprise T1021.004 SSH BlackTech has used Putty for remote access.4
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link BlackTech has used e-mails with malicious links to lure victims into installing malware.1
enterprise T1204.002 Malicious File BlackTech has used e-mails with malicious documents to lure victims into installing malware.17

Software

ID Name References Techniques
S0696 Flagpro 7 Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System Exfiltration Over C2 Channel Indicator Removal Ingress Tool Transfer Masquerading Native API Network Share Discovery Obfuscated Files or Information Local Groups:Permission Groups Discovery Spearphishing Attachment:Phishing Process Discovery Remote System Discovery Scheduled Transfer System Language Discovery:System Location Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Malicious File:User Execution
S0437 Kivars 14 File and Directory Discovery Hidden Window:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Remote Services Screen Capture
S0435 PLEAD 1964 Web Protocols:Application Layer Protocol Application Window Discovery Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Junk Data:Data Obfuscation Symmetric Cryptography:Encrypted Channel File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Native API Process Discovery Proxy Malicious Link:User Execution Malicious File:User Execution
S0029 PsExec 4 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0436 TSCookie 8 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Ingress Tool Transfer Non-Application Layer Protocol Process Discovery Process Injection Proxy System Network Configuration Discovery Malicious Link:User Execution
S0579 Waterbear 6 Deobfuscate/Decode Files or Information DLL Side-Loading:Hijack Execution Flow Indicator Blocking:Impair Defenses Ingress Tool Transfer Modify Registry Native API Obfuscated Files or Information Indicator Removal from Tools:Obfuscated Files or Information Process Discovery Process Injection Thread Execution Hijacking:Process Injection Query Registry Security Software Discovery:Software Discovery System Network Connections Discovery

References

  1. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  2. Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022. 

  3. Lee, Y. (2020, August 19). Taiwan says China behind cyberattacks on government agencies, emails. Retrieved April 6, 2022. 

  4. Threat Intelligence. (2020, September 29). Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors. Retrieved March 25, 2022. 

  5. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020. 

  6. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. 

  7. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 

  8. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. 

  9. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.