FOCUS MODE
EXTRACT IOC
Threat Research

BlackTech Unmasked

iocOne
BlackTech Unmasked
The article examines the sophisticated cyber espionage group known as BlackTech, believed to be state-sponsored by the People’s Republic of China. Since at least 2010, they have targeted critical sectors across East Asia and the US, employing advanced tactics, techniques, and procedures (TTPs) to infiltrate networks and steal valuable information. The group’s distinctive ability to manipulate network infrastructure, particularly routers, underscores the significant threat they pose. Affected: East Asia, United States, Media, Construction, Engineering, Electronics, Finance, Technology, Telecommunications, Government, Defense

Keypoints :

  • BlackTech is a state-sponsored cyber espionage group active since 2010.
  • The group targets sectors like media, engineering, finance, and government in East Asia and the US.
  • They employ sophisticated malware and custom-built tools for long-term covert operations.
  • BlackTech has a notable focus on compromising and manipulating network routers.
  • Their operations are characterized by stealth and persistence, utilizing “living off the land” techniques.
  • The group is linked to the People’s Republic of China, targeting interests aligned with state objectives.
  • The organization has evolved its tactics over the years, adapting to changing security measures.

MITRE Techniques :

  • Initial Access (TA0001): Spear-Phishing (T1566) with malicious links and attachments.
  • Exploitation for Client Execution (T1203): Targeting vulnerabilities in applications like Office and Flash.
  • Compromising Edge Routers: Gaining control of network devices for initial access.
  • Execution (TA0002): Using User Execution (T1204) to run malicious code.
  • Persistence (TA0003): Modifying router firmware to maintain access.
  • Credential Access (TA0006): Credential harvesting through malware like PLEAD.
  • Discovery (TA0007): Network and system discovery using custom tools like SNScan.
  • Lateral Movement (TA0008): Abuse of trust relationships to move laterally across networks.
  • Command and Control (TA0011): Using compromised routers for stealthy communication.
  • Exfiltration (TA0010): Sending stolen data through primary C2 channels.

Indicator of Compromise :

  • [Domain] blacktech[.]com
  • [Domain] palmerworm[.]com
  • [IoC Type] IP Address 192.0.2.1
  • [Hash Type] SHA-256: a3b2c56f023f70991e6b1c539a31167f0b9ac3a3f795bc8297545156f9938106
  • [Email Address] contact@blacktech[.]email

Full Story: https://andy3stacks.medium.com/blacktech-unmasked-bd2a41ed2ebf?source=rss——cybersecurity-5

Views: 57

Tags: COLLECTION, THREAT HUNTING, HUNTING, EMAIL, PERSISTENCE, BACKDOOR, TOOL, INITIAL ACCESS