June 27, 2017
By Larry Loeb 2 min read

A very aggressive cybergang has been targeting Asian companies by repurposing legitimate tools and exploiting security vulnerabilities in outdated software. According to the International Business Times, the group, known as BlackTech, is linked to three major cyber espionage campaigns against organizations in Taiwan, Japan and Hong Kong.

Hacking Team Tools Repurposed for Cyber Espionage

BlackTech created its own custom malware tools, which included variants of legitimate solutions developed by the Hacking Team, an Italian cybersecurity manufacturer that distributes surveillance capabilities primarily to government agencies. Additionally, the threat actors exploited flaws in outdated software, namely an Adobe Flash vulnerability (CVE-2015-5119) that was leaked when the Hacking Team suffered a breach last year.

As Trend Micro reported, BlackTech is associated with three cyber espionage campaigns: PLEAD, Shrouded Crossbow and Waterbear.

The PLEAD campaign, which has been active since 2012, aims to steal confidential documents belonging to government agencies and private organizations in Taiwan. Shrouded Crossbow, first observed in 2010, targets enterprises and government contractors in the consumer industries.

Finally, Waterbear uses a modular approach, the first part of which is a loader component executable that connects with the command-and-control (C&C) server. Waterbear then downloads the main backdoor and loads it into the victim system’s memory.

BlackTech’s Modus Operandi

Trend Micro noted that all three aforementioned campaigns used very similar methods and the same C&C servers. In other words, BlackTech left its fingerprints all over the scene of the crime.

In addition to leaked Hacking Team tools, BlackTech generally relies on security holes in unpatched Windows systems and solutions designed to evade detection from signature-based antivirus programs. The group also uses sophisticated malware techniques such as backdoor implants and custom data exfiltration methods.

These cyber espionage campaigns remain active and dangerous. Security professionals must proactively harden their perimeters to deal with this sophisticated threat.

 |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE mag...

More from

Risk Management   March 28, 2023

Remote Employees: Update Your Routers (and More WFH IT Tips)

As a business owner or manager, you must ensure your employees have the right tools and resources to do their jobs well — especially with more people working from home. And IT infrastructure is one of the most important considerations regarding remote work. However, the truth is that most employees don’t think about their IT infrastructure until something goes wrong. In many cases, this can leave an employee stranded and unable to complete their tasks. In a worst-case scenario, this…

News   March 27, 2023

More School Closings Coast-to-Coast Due to Ransomware

Instead of snow days, students now get cyber days off. Cyberattacks are affecting school districts of all sizes from coast-to-coast. Some schools even completely shut down due to the attacks. The federal government recently warned that K-12 schools face a growing threat from cyber groups. According to the FBI, school districts often have limited cybersecurity protections, which makes them even more vulnerable. The FBI also says it anticipates the number of threats to increase. In a recent warning, the nation’s…

Risk Management   March 27, 2023

The Role of Human Resources in Cybersecurity

The human resources (HR) department is an integral part of an organization. They work with all departments with a wider reach than even IT. As a highly visible department, HR can support and improve an organization’s security posture through employee training. Their access to employees at the start of employment is an opportunity to lay a foundation for a culture of risk awareness. HR departments do not typically include cybersecurity risk awareness training with new hire onboarding, but it’s something…

Risk Management   March 24, 2023

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

© 2023 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature