# Report on APT Attacks by BlackTech ### NTT Security Holdings Corporation Japan SOC ----- ## Objective of Report NTT Security Holdings Corporation Japan Security Operation Center provides Managed Security Service (MSS). We monitor our client systems round-the clock, find security incidents promptly and provide best solutions. We perform various research on latest threats and output the achievements as black lists, custom signatures and Indicators of Compromise (IoCs). These knowledges are also used by our SOC analysts. Our SOC has been monitoring attacks by one of well-known APT groups, BlackTech. Though many organizations have been reported the malware used by BlackTech, our SOC publishes this whitepaper discussing the latest attacks by BlackTech based on the actual attacks we monitored in 2021. We expect that this whitepaper contributes to better defense against attacks from BlackTech. **1** ----- ## Table of Contents ##### Objective of Report ........................................................ 1 Preface ........................................................................ 3 1. Introduction ............................................................. 4 2. Attack Overview ........................................................ 5 2.1. Spear Phishing ................................................................................. 5 2.2. Vulnerability Exploitation (on server) ........................................................ 7 2.3. Malware Families ............................................................................... 8 ##### 3. Malware Analysis ...................................................... 9 3.1. Flagpro ........................................................................................... 9 3.2. SelfMake Service .............................................................................. 13 3.3. SelfMake Loader .............................................................................. 14 3.4. HeavyROT Loader ............................................................................ 17 3.5. AresPYDoor .................................................................................... 22 3.6. Spider RAT ..................................................................................... 24 3.7. BTSDoor ........................................................................................ 31 3.8. Gh0stTimes .................................................................................... 33 3.9. TSCookie ....................................................................................... 37 3.10. ELF_TSCookie ................................................................................ 41 3.11. IamDown ........................................................................................ 44 3.12. ELF_Bifrose .................................................................................... 49 3.13. ELF_PLEAD .................................................................................... 53 ##### 4. Countermeasures .................................................... 57 5. Postface ................................................................ 59 6. About Report .......................................................... 60 7. References ............................................................ 61 8. Appendix ............................................................... 63 **2** ----- ## Preface NTT Security Holdings Corporation Japan Security Operation Center has been monitoring active attacks from APT group BlackTech. This report covers the following topics on the attacks based on our research. ⚫ Summary of attacks by BlackTech focusing on their initial attack vector, that are spear phishing emails and exploiting server vulnerabilities. ⚫ Result of analysis on the malware used by BlackTech. ⚫ Consideration on the logic to protect from attacks by BlackTech. Appendix contains the list of hash values that we obtained during our research. This would help to prevent infection or isolate the victims. **3** ----- ## 1. Introduction It is known that APT group BlackTech (also called as Palmerworm, Red Djinn, Earth Hundun or HUAPI) had started their activity at the latest 2012. They have been targeting organizations based in Eastern Asia, especially in Taiwan and Japan. Their main objective seems to steal sensitive information from target organizations. BlackTech utilizes various malware families. Some of them are publicly available (Bifrose or Gh0st RAT) and others are self-developed (TSCookie or PLEAD). They have kept developing new malwares, which means that they are actively working. Our SOC has observed attacks by BlackTech, but the number of attacks rapidly increased around 2020. Our SOC has observed they repeatedly attacked several organizations in telecommunication, defense and mass media industries. In many cases, they established their initial foothold in overseas branch office of Japanese companies, then intruded into mission critical system in headquarters. It is highly probable that BlackTech keep targeting Japanese companies, therefore implementing proper countermeasures both in remote office and headquarters is required to protect from their attacks. This whitepaper reviews and summarizes the BlackTech's attack campaigns and malware targeting Japanese organizations that our SOC observed in 2021. We hope that this content will help considering and implementing effective countermeasures to protect each organization. **4** ----- ## 2. Attack Overview Origins of BlackTech attacks targeting Japanese organizations are almost either of below. 1. Spear phishing 2. Vulnerability exploitation (on server) ### 2.1. Spear Phishing Most of the attacks we observed started with spear phishing. An attacker sends an email pretended to be sent from a business partner to a user. As soon as opening the attached file, the user is infected by malware. The mail body and attached file are so sophisticated that it is difficult for the user to feel odd at a glance. Our SOC has observed attacks that leveraged real internal document used in the target organization in the past. The attached file was either an executable file with double file extension or Microsoft Excel file in xlsm format. These files can be contained in an archive file including RAR format. The archive file is password-protected, and the password is included in the mail body. Our SOC had observed several xlsm files (also called as LAMICE [1]) and macros embedded on them were very similar. This suggests that all of these files were created by single tool. **5** ----- **Figure 1. Macro example BlackTech frequently uses** Interestingly, it is observed that APT group Blackgear had used very similar macro during their attacks. This implies that the tool that generate this macro could be shared among multiple APT groups or BlackTech and Blackgear are closely related. **6** ----- ### 2.2. Vulnerability Exploitation (on server) BlackTech has been abused various vulnerabilities in their attacks. According to the blog article by JPCERT/CC [2], there were many tools that can exploit various vulnerabilities on C&C server operated by BlackTech. It is also reported [3][4][5] that they had actually abused vulnerabilities on Microsoft Exchange Server. Successful exploitation results in malware execution. Using the malware, the attacker collects environmental information, repeats lateral movement, and go deeper into the target organization. It is also observed that they use certain malware family on different platforms. For example, they use ELF Bifrose on Linux environment and PE Bifrose on Windows environment. **7** ----- ### 2.3. Malware Families BlackTech utilize various malware families. The figure below summarizes the malware families that they use by attacking vectors. **Figure 2. Malware families used by BlackTech** **8** ----- ## 3. Malware Analysis ### 3.1. Flagpro Flagpro is malware used in initial phases of an attack to investigate a target environment and download and execute further malware [6][7]. Flagpro (v1.0) may have been used in attacks of October 2020, and the new Flagpro (v2.0) using the MFC (Microsoft Foundation Class) library may have been used after July 2021. The main functions of Flagpro are as follows. ⚫ Download and execute tool. ⚫ Execute OS commands and send their results. ⚫ Collect of authentication information stored in Windows and exfiltrate of collected information. #### 3.1.1. Use of COM object Flagpro uses IWebBrowser2 interface and other interfaces from Internet Explorer’s COM object to handle access to and from a C&C server. **Figure 3. Use of COM object for external access** **9** ----- #### 3.1.2. Auto close of dialog Flagpro automatically closes dialogs, which appear when accessing external sites, such as proxy authentication confirmation dialogs. We assume that the auto-close function was implemented to keep users from realizing that Flagpro has accessed an external site. #### 3.1.3. Inserting dummy codes Flagpro is obfuscated by inserting dummy code repeatedly. The obfuscation technique is often implemented in the malware used by BlackTech. **Figure 4. Insertion of dummy functions** **10** ----- #### 3.1.4. Control commands Control commands received from C&C server are encoded in Base64. Decoded commands used in Flagpro (v2.0) have the following format. **Figure 5. Flagpro command format** The Download Command format is shown in Figure 6, and consists of the string “Exec”, “Yes”, and the URL path to the download site. The string “Exec” is an activity flag, which must be present in both Download Command 1 and 2 in Figure 5 for the main process such as downloading and executing OS commands to take place. The string "Yes" is the execution flag; without it, the downloaded file will not be executed. **Figure 6. Download Command format** #### 3.1.5. C&C Communication Flagpro uses HTTP protocol to communicate with C&C server. As shown in Table 1, it switches the URL path for each communication purpose. In addition, when this malware sends the results of OS commands execution and collected authentication information, the contents are encoded in Base64 format and sent to the C&C server as URL parameter values. **11** ----- |Table 1. The URL paths and queries for each communication purpose|Col2| |---|---| |URL path and query Purpose|| |/index.html|Requesting the control commands| |/index.htmld?flag=[Encoded Data]|Sending the results of OS commands execution| |/index.htmld?flagpro=[Encoded Data]|Sending the authentication information| #### 3.1.6. Indicators of Compromise (IoCs) ⚫ URL path ⚫ index.htmld?flag=[Base64 Encoded String] ⚫ index.htmld?flagpro=[Base64 Encoded String] ⚫ File path ⚫ %TEMP%\~MY[Uppercase Hexadecimal Value (16bit)].tmp ⚫ %TEMP%\~MY[Uppercase Hexadecimal Value (16bit)].tmp.exe ⚫ Mutex ⚫ 71564__40Fllk293_DD71_4715_A3177782516DB5__71564_ ⚫ 71564__40Fllk293_DD71_4715_A55778278645__71564_ ⚫ 71564__40Fllk293_DD71_4715_A317try516DB5__71564_ **12** ----- ### 3.2. SelfMake Service SelfMake Service is a loader that loads and executes malware on the infected hosts. It is designed to run as Windows Service. Besides, according to the article [5], this loader executes SelfMake Loader described on the next section. Some samples of SelfMake Service not only load and execute malware, but also kill the legitimate splwow64.exe process and execute malicious splwow64.exe that has been overwritten with the malware on the infected host. The splwow64.exe is a file used by PrintSpooler, a Windows Service related to printing. **Figure 7. Execute malicious splwow64 overwritten with malware** **13** ----- ### 3.3. SelfMake Loader SelfMake Loader is malware that loads and execute other malware [1][3]. It has been reported that this malware executed Spider RAT. The name of SelfMake Loader is derived from the strings “selfmake2” or “selfmake3” in the malware samples. One of the features is that this malware uses MFC (Microsoft Foundation Class). **Figure 8. Code contains the string “selfmake2”** **Figure 9. Code contains the string “selfmake3”** SelfMake Loader can be divided into two types based on the method of loading malware. The first type is to load and execute malware located on the infected host. The loader searches the following directories in order and executes the first malware it found. ⚫ Directory where the SelfMake Loader is executed ⚫ C:\Program Files (x86)\Common Files **14** ----- The other type is to download the malware from a C&C server to the %TEMP%directory and execute the downloaded file. The file also includes an XOR encoded configuration. This configuration is a pipe-delimited format and contains domain and port number of the C&C server. The configuration format is similar to Bifrose malware which BlackTech uses. This pipe-delimited configuration is a common characteristic of BlackTech's malware. **Figure 10. Pipe-delimited configuration of SelfMake Loader** The following figure shows a file format that SelfMake Loader loads from the infected host. The file which is downloaded from the C&C server is in a similar format. The malware is XOR encoded and is decoded by a key contained in the file. **Figure 11. File format that SelfMake Loader loads from an infected host** **15** ----- In addition, based on the code similarities, we consider that the code of executing the decoded data is used the one published on GitHub [8]. SelfMake Loader calls the following function several times. The following function simply output a string using the printf function; that is to say, this is a dummy code. BlackTech tends to utilize malware that contain such dummy code. **Figure 12. Dummy code of SelfMake Loader** **16** ----- ### 3.4. HeavyROT Loader HeavyROT Loader is a loader that downloads malware from a C&C server and executes it. There is a sample of this loader which downloads malware from the same C&C server as SelfMake Loader and it would indicate the sample relates to BlackTech. We named this malware HeavyROT Loader since it uses bit rotation calculation for RC6 cryptographic algorithm or calculation of checksums, as will be described later. The malware communicates with C&C servers using HTTP, and Basic authentication is implemented to the servers. The malware communicates with the servers again with the flag enabled which ignores a certification error (ERROR_INTERNET_INVALID_CA) in case this error occurs in HTTPS communication. In addition, the malware gets the User Agent string from an infected machine’s registry in order to set the string to an HTTP header. **Figure 13. Process of communication with C&C servers** **17** ----- The downloaded data from C&C servers contains encrypted PE data as well as a seed for generating a decryption key. Furthermore, the malware calculates the checksum before and after decrypting PE data and it halts processing if the checksum does not match the downloaded data. **Figure 14. Downloaded data format** ``` def calc_checksum(data): rol = lambda val, r_bits, max_bits=32: ¥ (val << r_bits%max_bits) & (2**max_bits-1) | ¥ ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits))) result = 0 for byte_val in data: result = rol(result,0xb) + byte_val return result ``` **Figure 15. Checksum calculation** **18** ----- The following figure shows how the malware generates a key for decryption from a seed. ``` def calc_key(seed): val1 = (seed&1)|(seed<<16)&0xFFFFFFFF val2 = (seed>>16)|(seed&0x00001000) return ((val1<<8)&0xFFFFFFFF) | ((val2)>>8)&0xFFFFFFFF) ``` **Figure 16. Process of generating decryption key from seed** It is notable that the malware extracts original PE file by using RC6 encryption (not decryption) routine after generating the key. Although there was no theoretical evidence, we confirmed that the data encrypted by RC6 decryption routine can be decrypted by RC6 encryption routine. We assume that the data downloaded from a C&C server contained the encrypted data by RC6 decryption routine, and the malware decrypted original PE file by RC6 encryption routine to the encrypted data. ``` class RC6Const: round = 16 blocksize = 64 def get_wordsize(): return RC6Const.blocksize // 2 def get_extend_s_len(): return 2 * RC6Const.round + 4 rol = lambda val, r_bits, max_bits=32: ¥ (val << r_bits%max_bits) & (2**max_bits-1) | ¥ ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits))) def init_S(key): s_len=get_extend_s_len() w=get_wordsize() MOD = 2**w encoded = [key] ``` **19** ----- ``` S=s_len*[0] S[0]=0xB7E15163 for i in range(1,s_len): S[i]=S[i-1]+0x9E3779B9 S[i]=S[i]%MOD A=B=i=j=0 for _ in range(0,3*max(len(encoded),s_len)): A = S[i] = rol((S[i] + A + B)%MOD,3,w) B = encoded[j] = rol((encoded[j] + A + B)%MOD,(A+B)%w,w) i = (i + 1) % s_len j = (j + 1) % len(encoded) return S def rc6_encrypt(data,S): r=RC6Const.round w=get_wordsize() MOD = 2**w lgw = 5 A = int.from_bytes(data[0:4],'little') B = int.from_bytes(data[4:8],'little') C = int.from_bytes(data[8:12],'little') D = int.from_bytes(data[12:16],'little') B = (B + S[0])%MOD D = (D + S[1])%MOD for i in range(1,r+1): t = rol(((B*(2*B + 1))%MOD),lgw,w) u = rol(((D*(2*D + 1))%MOD),lgw,w) A = (rol(A^t,u%w,w) + S[2*i])%MOD C = (rol(C^u,t%w,w) + S[2*i+1])%MOD (A, B, C, D) = (B, C, D, A) A = (A + S[2 * r + 2])%MOD C = (C + S[2 * r + 3])%MOD ret = [A,B,C,D] return ret def main(): ## set appropriate parameters key = 0x68000010 ## set the key generated from seed in downloaded data. input_file = "encrypted.bin" ## set a inputdata filename. output_file = "decrypted.bin" ## set a outputdata filename. ## initialize S S = init_S(key) ``` **20** ----- ``` ## decrypt in_datas = open(input_file,"rb").read() i = 0 out_f = open(output_file,"wb") while i < len(in_datas): in_data = in_datas[i:i+16] decrypted = rc6_encrypt(in_data,S) for e in decrypted: bin = e.to_bytes(4, byteorder="little") out_f.write(bin) i=i+16 out_f.close() if __name__ == "__main__": main() ``` **Figure 17. Process of decrypting PE data** **21** ----- ### 3.5. AresPYDoor AresPYDoor is backdoor malware. It is said to be related to BlackTech, because the C&C server used by AresPYDoor has relation to it used by Bifrose, also BlackTech malware [17]. AresPYDoor is based on a Python RAT [9] released on Github under the name Ares and is converted to an executable file. AresPYDoor uses the URL format shown in Figure 18 to access the C&C server and receive commands. ``` (scheme)://(host)/api/(uid)/hello ``` **Figure 18. URL format to receive commands** The uid is generated by the code in Figure 19. ``` import uuid, getpass def get_UID(self): """ Returns a unique ID for the agent """ return getpass.getuser() + '_' + str(uuid.getnode()) ``` **Figure 19. The code generates uid** The implemented commands are shown in Table 2. **22** ----- |Table 2. AresPYDoor commands|Col2| |---|---| |Command Description|| |cd|Change the current directory| |upload|Upload| |download|Download| |persist|Establish persistence| |clean|Remove persistence| |exit|Terminate AresPYDoor process| |zip|Compress files or folders to a ZIP archive| |python|Execute Python codes| |help|View help| |(Others)|Execute Shell commands| One of the characteristics of AresPYDoor is its multi-platform support. There are several codes implemented to work on both Windows and Linux. As an example, Figure 20 shows some of the persistence codes. **Figure 20. Multi-platform persistence commands** **23** ----- ### 3.6. Spider RAT Spider RAT is a RAT [1][4] executed by LAMICE or SelfMake Loader. There are 32-bit and 64-bit samples. Although they have some similarities, these functions implemented in each sample are different. In this section, we will start with 32bit sample and continue with 64bit sample. #### 3.6.1. 32-bit 3.6.1.1. Configuration The configuration is encoded by XOR, and its format is shown below. ``` IP1|PORT1|IP2|PORT2|IP3|PORT3|PROXYNAME|PROXYUSERNAME|PROXYPASS| SLEEPTIME|UNKNOWN_COLUMN|PERSISTENCE ``` **Figure 21. Configration format** The observed sample had the following settings shown in Figure 22. **Figure 22. Spider RAT configuration** **24** ----- #### 3.6.1.2. Embedded DLL file We observed that there are two executable files (DLL files) embedded in the .data section, one of which will later be edited and dropped in the persistent phase. The behavior of these DLL files is to execute “C:\Windows\System32\calc.exe". Although there are two embedded DLL files, they have the same behavior. **Figure 23. DLL files embedded in Spider RAT** #### 3.6.1.3. Characteristic strings The characteristic strings, shown in Figure 24, can be seen in the debug output. Such strings are also seen in 64-bit samples. **Figure 24. The characteristic string in Spider RAT** **25** ----- #### 3.6.1.4. Persistent behavior Three persistent behaviors described below can be specified depending on the value of PERSISTENCE in the configuration. In this case, the sample was set not to run these persistent behaviors. ⚫ Using the Registry Run key ➢ Spider RAT copies itself to c:\users\public\downloads\schmet.exe. ➢ Spider RAT set the full path as the value of “Ofice” subkey in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key. **Figure 25. The persistence using the Run key** **26** ----- ⚫ Using DLL Search Order Hijacking in OneDrive ➢ Spider RAT copies itself to “C:\programdata\schost.exe”. ➢ Spider RAT replaces the string ”C:\Windows\System32\calc.exe” in the embedded DLL files of .data section with “C:\programdata\schost.exe”. ➢ Spider RAT writes its binary to c:\Users\USERNAME\AppData\Local\Microsoft\OneDrive\FileSyncFl wb.dll ➢ Spider RAT relaunches OneDrive with the following command “cmd /c taskkill /f /im onedrive.exe” ➢ The malicious FileSyncFlwb.dll will be loaded to execute “C:\programdata\schost.exe”, which is replaced to Spider RAT. **Figure 26. The persistence using DLL search order hijacking** **27** ----- ⚫ Using the Registry key HKCU\Environment\UserInitMprLogonScript ➢ Spider RAT copies itself to c:\users\public\downloads\mpetect.exe. ➢ Spider RAT set the full path as the value of HKCU\Environment\UserInitMprLogonScript key. ➢ When user logs into Windows, replaced malicious mpetect.exe will be executed. **Figure 27. The persistence using** **HKCU\Environment\UserInitMprLogonScript** **28** ----- #### 3.6.1.5. Control Commands Control commands implemented in Spider RAT 32-bit sample are shown in Table 3. The pair of offset values 0x4 and 0x8 in the received data determine each command. |Table 3. Control commands of 32-bit Spider RAT|Col2|Col3| |---|---|---| |Offset 0x4 Offset 0x8 Description||| |0|2|Reconnecting| |1|1|Launching PowerShell| |1|10|Terminating PowerShell| |1|11|Executing PowerShell Command| |1|2|Launching PowerShell| |1|20|Terminating PowerShell| |1|21|Executing PowerShell Command| |2|0|Terminating FileManager| |2|1|Launching FileManager| |2|6|Downloading file| |2|7|Uploading file| |2|8|Renaming file| |2|9|Sending list of files| |2|100|Deleting file| **29** ----- #### 3.6.2. 64-bit We also observed 64-bit samples, and their implementation is simple compared with 32-bit sample. The 64-bit samples use multi-threads approach for processing. However, we have confirmed that some threads have no processing content. We assume that some features will be implemented in the future. #### 3.6.2.1. Characteristics The configuration of 64-bit samples do not have specific structure like 32-bit one, but information such as C&C server is hard-coded. In addition, there are some characteristic strings that are also found in 32-bit in the debug output. **Figure 28. The characteristic strings in 64-bit sample** #### 3.6.2.2. Control Commands Control commands implemented in 64-bit Spider RAT are shown in Table 4. The pair of offset values 0x4 and 0x8 in the received data determine each command. |Table 4. Control commands of 64-bit Spider RAT|Col2|Col3| |---|---|---| |Offset 0x4 Offset 0x8 Description||| |1|1|Executing command| |3|0|-| |3|1|Downloading and Executing file| **30** ----- ### 3.7. BTSDoor BTSDoor is backdoor malware [6]. It has been observed that Flagpro downloaded and executed this backdoor. The name of BTSDoor is derived from the pdb pathname BTSWindows. **Figure 29. PDB path of BTSDoor** Before BTSDoor receives commands, it sends the following information about the infected host to the C&C server. The traffic is encrypted with AES. ⚫ IP address ⚫ Computer name ⚫ Username ⚫ Windows OS version ⚫ Process ID of BTSDoor **31** ----- BTSDoor implements the following commands. The traffic is encrypted with AES as is the case with sending information about the infected host. |Table 5. List of BTSDoor commands|Col2| |---|---| |Command ID Description|| |0x20|Upload a file| |0x22|Release the semaphore of the file upload thread| |0x30|Open the handle of file download| |0x31|Download a file| |0x33|Close the handle of file download| |0x39|Execute command through ShellExecuteW| |0x40|Return the string "Not implemented!"| |0x41|Return the string "N"| |0x50|Start a Command Prompt process| |0x51|Kill the Command Prompt process| |0x52|Send commands to the Command Prompt| |0x53|Release the semaphore of the Command Prompt thread| |0xA1|Terminate the BTSDoor process| **32** ----- ### 3.8. Gh0stTimes Gh0stTimes is customized based on the leaked Gh0st RAT source code and has been used in some attack cases since early 2020 [2]. #### 3.8.1. Feature Enhancement and Code Reuse Gh0stTimes adds the feature to communicate with the C&C server by implementing the new CPortmapManager and CUltraPortmapManager classes. In addition, Gh0stTimes implements features such as file operations (CFileManager class) and remote shell execution (CShellManager class) that are reused from Gh0stRAT. **Figure 30. Added the feature to communicate with the C&C server** **33** ----- #### 3.8.2. Dummy Code Insertion Gh0stTimes repeatedly inserts dummy code to make analysis difficult. BlackTech frequently uses this type of obfuscation technique. **Figure 31. Inserted dummy code** **34** ----- #### 3.8.3. Control Commands Gh0stTimes equips control commands for each function, such as file operation and remote shell execution [2]. Additionally, this malware supports some specific commands for file operations. |Table 6. Control commands of Gh0stTimes|Col2| |---|---| |Command ID Description|| |0x0|Communication termination| |0x1|File operation (CFileManager)| |0x28|Remote shell execution (CShellManager)| |0x32|C&C server redirect function (CPortmapManager)| |0x3F|Proxy function (CUltraPortmapManager)| |Table 7. File operation commands|Col2| |---|---| |Command ID Description|| |0x2|Retrieve a file list (SendFilesList)| |0x3|Upload a file (UploadToRemote)| |0x4|Download a file (CreateLocalRecvFile)| |0x5|Download a file (WriteLocalRecvFile)| |0x7|Upload a file (SendFileData)| |0x8|Stop file transfer (StopTransfer)| |0x9|Delete a file (DeleteFile)| |0xA|Delete a folder| |0xB|Set transfer mode (SetTransferMode)| |0xC|Create a folder (CreateFolder)| |0xD|Rename a file (Rename)| |0xE|Execute a file (OpenFile (SW_SHOW))| |0xF|Execute a file (OpenFile (SW_HIDE))| **35** ----- #### 3.8.4. C&C Communication Gh0stTimes uses a proprietary TCP protocol to communicate with the C&C server. At the beginning of its communication to the C&C server, Gh0stTimes sends an authentication ID and data for generating encryption key. If the authentication ID is not correct, authentication fails. The encryption key is generated by processing the data sent from the victim host, which is provided at the beginning of the communication. Afterward, Gh0stTimes sends/receives control commands that are encrypted with custom RC4 algorithm (RC4 + XOR 0xAC) and compressed with zlib. **36** ----- ### 3.9. TSCookie TSCookie is a downloader that downloads TSCookie Loader and TSCookie RAT [11]. The downloaded files are encoded. Therefore, TSCookie decodes them after loading them on memory, then it executes them. It exists two versions of TSCookie, Windows and ELF binary version. This section describes a Windows version, and the next section explains an ELF binary version. The behaviors of TSCookie Loader and TSCookie RAT can be checked in JPCERT/CC blog posts [10][11]. #### 3.9.1. Decrypting DLL Executing TSCookie leads to load RC4-encrypted data on memory. The data exists in the resource section of TSCookie. Afterwards, it will be decrypted as a DLL file. The decrypted DLL contains dummy codes like other BlackTech’s malware. **Figure 32. Inserted dummy code** **37** ----- After executing the decrypted DLL, it will connect to a C&C server. The configuration, which includes destinations of C&C server, is hard-coded in the sample, and its structure is almost the same as the samples reported by JPCERT/CC [11]. #### 3.9.2. Downloading Loader TSCookie connects to the C&C server using HTTP GET method to download a TSCookie Loader. When TSCookie downloads TSCookie Loader, it will send RC4 encrypted data to the C&C server. JPCERT/CC reported that their samples inserted the encrypted data into the Cookie header [11]. Whereas, our sample inserted the data into the URL path. **Figure 33. GET request to download the loader** URL path is replaced by swprintf() based on format string. TSCookie splits the encrypted data into two parts, and the split position is decided by random number. The URL path of HTTP GET request is as follows: **Description** |Description|Col2| |---|---| |①, ②|Randomized 32bit integer| |③, ⑤|Randomized lowercase alphabets| |④|Former part of encrypted data| |⑥|Latter part of encrypted data| **Figure 34. URL path format** **38** ----- The structure of the original data, which means the sending data before encryption, has been changed since the existing report from JPCERT/CC [11] as follows: **Table 8. Structure of sending data before encryption by GET request** **Offset** **Length Contents** **0x00** 4 Four bytes hex value created from system information **0x04** 4 0x10050017 **0x08** 4 0x1E9CE6A **0x0C** 4 0x04 **0x10** 4 Four bytes hex value created from system information This download activity will not execute if the first four bytes of the response data do not match to the hard-coded value in the sample. |Offset Length Contents|Col2|Col3| |---|---|---| |0x00|4|Four bytes hex value created from system information| |0x04|4|0x10050017| |0x08|4|0x1E9CE6A| |0x0C|4|0x04| |0x10|4|Four bytes hex value created from system information| **39** ----- #### 3.9.3. Downloading modules After downloading TSCookie Loader, TSCookie downloads its modules. HTTP POST method is used for downloading the modules. TSCookie inserts the RC4 encrypted data into the BODY part. The Date header value is used as the RC4 key. **Figure 35. POST request to download the modules** This POST request also works as heartbeat and is sent around every 50 seconds. However, if the first four bytes of the response does not match to the hard-coded value in the sample, the POST request will not be sent from the next request. **40** ----- ### 3.10. ELF_TSCookie This section explains ELF version of TSCookie (ELF_TSCookie) [14]. ELF_TSCookie contains same functions as Windows version. However, the functions are limited. The samples, which we found, target not only Linux environment users, but also FreeBSD ones. We assume that the attacker uses the different version of TSCookie depending on the target's environment. The command values of our samples have changed from the values reported by JPCERT/CC [12]. This JPCERT/CC report provides the detailed analysis result of the past samples. #### 3.10.1. Characteristics The results of “file” and “readelf” commands are as follows: **Figure 36. File information of ELF_TSCookie** The “file” command result shows that it is static-linked file, and the “readelf” command result indicates that this malware could be compiled in old development environment. It seems that attackers would like to evade environmental problems. **41** ----- As JPCERT/CC has already reported [12] that information about C&C servers is inserted as plain text. ELF_TSCookie copies the information onto allocated memory space and encrypts it with RC4. The encrypted information will be used in later process. **Figure 37. Inserted plain-text information** ELF_TSCookie sends the host information to the C&C servers. The information contains TSCookie PID, IP address, hostname, and login username. The code to obtain the host information is shown in Figure 38. It may be intended to get the result of “uname” command, but it has a wrong option “ a00”. Hence the command will be failed, and the result will not be sent. **Figure 38. Collecting infected host information** **42** ----- #### 3.10.2. Control Commands ELF_TScookie commands are listed in Table 9. No major changes of the commands have been observed since JPCERT/CC had published its analysis result [12]. |Table 9. ELF_TSCookie command list|Col2| |---|---| |Command Description|| |0x7200AC03|Launch remote shell| |0x7200AC04|Send commands to remote shell| |0x7200AC05|Terminate remote shell| |0x7200AC07|-| |0x7200AC0B|Send fixed number| |0x7200AC0C|Send file list| |0x7200AC0D|Download file| |0x7200AC0E|Upload file| |0x7200AC10|-| |0x7200AC11|Terminate process| |0x7200AC13|Remove file (rm -rf)| |0x7200AC16|Move file/Change file name| |0x7200AC1A|Execute command| **43** ----- ### 3.11. IamDown IamDown is a malware that downloads and executes another malware. It has been used since at least 2014. We call this malware “IamDown” because the string “i am mutex!” is inserted into this malware and this is a downloader malware. **Figure 39. Inserted string “i am mutex!”** IamDown, which has been found, has some common characteristics. We will explain those characteristics from next section. #### 3.11.1. Hard-coded characteristic strings The hard-coded strings such as “i am mutex!”, the C&C server domains, and a Mutex value are embedded in IamDown. We assume that this malware has some relationships between Poison Ivy, because the Mutex value of IamDown ”)!VoqA” is same as the head of the default Mutex value of Poison Ivy ”)!VoqA.I4” [13]. **44** ----- #### 3.11.2. Sending data IamDown uses Socket for communicating with the C&C server with TCP/443 port. The first 16 bytes data is the fixed value. **Figure 40. Packet capture of the sending data** #### 3.11.3. Receiving data IamDown sequentially checks the received data from head. If the data matches the condition, Socket will close, and if not, the data procedure will continue as shown in Figure 41. **45** ----- **Figure 41. Checking received data** #### 3.11.4. On-memory execution (Fileless) IamDown executes the downloaded data on a new thread in the same process. This means that the data is not stored as a file on the infected host. **46** ----- **Figure 42. Executing downloaded data on memory** **47** ----- #### 3.11.5. API Hash APIs such as CreatMutexA and Socket related ones are obfuscated using Hash value. **Figure 43. Using API hash** **48** ----- ### 3.12. ELF_Bifrose We will explain about ELF version of Bifrose (ELF_Bifrose). Our sample does not exist big differences from the past reported samples [14]. #### 3.12.1. Characteristics The results of “file” and “readelf” commands is shown in Figure 44. The samples were compiled in an old environment and statically linked. It seems that attackers would like to evade environmental problems. **Figure 44. File information of ELF_Bifrose** **49** ----- #### 3.12.2. Sending data ELF_Bifrose encrypts and sends the following data at the first communication to the C&C server: ⚫ IP address ⚫ Hostname ⚫ PID **Figure 45. Sending data to C&C server of ELF_Bifrose** As JPCERT/CC reported [15], ELF_Bifrose leverages RC4 encryption. Some minor differences in the encryption handling exist depending on the samples. **50** ----- **Figure 46. RC4 encryption handling** An example of the first sending data is shown in Figure 47. ELF_Bifrose communicates with port 80,443, and 8080, but it uses Socket connection rather than the HTTP(S) protocol. **51** ----- **Figure 47. Example of sending data to C&C server** #### 3.12.3. Control Commands After sending the data, ELF_Bifrose receives commands from the C&C server. The implemented commands are in Table 10. The commands have not been changed significantly from the existing samples [14]. |Table 10. ELF Bifrose command list|Col2| |---|---| |Command Description|| |0x15|Send randomized data| |0xC6|Terminate process| |0xF7|Send command to remote shell| |0xF8|Terminate remote shell| |0xF6|Launch remote shell| |0x82|Send fixed value| |0x83|Send file list| |0x84|Send file attribution| |0x85|Download file| |0x86|Upload file| |0x87|Close file| |0x89|Create directory| |0x8A|Delete file| |0x8B|Delete directory| **52** ----- ### 3.13. ELF_PLEAD We will explain about ELF version of PLEAD (ELF_PLEAD). JPCERT/CC reported the detailed analysis result about the existing samples [16]. However, we will show the analysis result of newly observed samples in this report. #### 3.13.1. Characteristics The results of “file” and “readelf” command are shown in Figure 48. The samples were compiled in an old environment and statically linked. It seems that attackers would like to evade environmental problems. **Figure 48. File information of ELF_PLEAD** #### 3.13.2. Configuration ELF_PLEAD encrypts configuration with RC4 as existing samples does. Figure 49 shows an example of the decrypted configuration. The first 32 bytes data in the Figure 49 is the RC4 key, and after the key follows the configuration. The configuration size is 0x1AA. As the following configuration indicates that a private IP address is set as the destination. In addition, the uncommon destination port 29678 is configured. From these settings, we assume that this configuration was adapted to the targeted company that had already been intruded. **53** ----- **Figure 49. Decoded configuration of ELF_PLEAD** #### 3.13.3. Control Commands The implemented commands are as follows: |Table 11. Group number 0 command list|Col2| |---|---| |Command Description|| |4|Send randomized data| |5|Reconnect| |6|Restart| |7|Terminate| |8|Terminate| |9|Change Socket| |10|Change connection destination| **54** ----- **Table 12. Group number 1 (CFileManager) command list** **Command** **Description** **0** Send file list **5** Send file attribution **7** Change file name **9** Delete file/directory **11** Upload file **13** Execute file **17** Create directory **19** Move file **21** Delete directory **Table 13. Group number 2 (CFileTransfer) command list** **Command** **Description** **0** Send file attribution **3** Create directory **6** Download file **7** Send file information **11** Upload file **Table 14. Group number 3 (CRemoteShell) command list** |Command Description|Col2| |---|---| |0|Send file list| |5|Send file attribution| |7|Change file name| |9|Delete file/directory| |11|Upload file| |13|Execute file| |17|Create directory| |19|Move file| |21|Delete directory| |Command Description|Col2| |---|---| |0|Send file attribution| |3|Create directory| |6|Download file| |7|Send file information| |11|Upload file| |Command Description|Col2| |---|---| |0|Launch remote shell| |2|Launch remote shell| |5|Change current directory| |7|Terminate remote shell| |9|Send file list| |12|Delete directory| **55** ----- **Table 15. Group number 4 (CPortForwardManager) command list** |Command Description|Col2| |---|---| |2|Setup proxy| |4|-| |6|Send proxy data| |8|-| |10|Connect proxy| |12|Terminate proxy| **56** ----- ## 4. Countermeasures BlackTech has two main attack vectors. The first is an attack method originates from spear phishing emails. The second is an attack method exploits server vulnerabilities. The best way to defend against spear phishing emails is to avoid opening suspicious emails, links or files. BlackTech attacks with emails and attachments that are spoofed as if they were clients of the target. It is possible to prevent the attack by carefully checking the sender email address, the text of emails, and the double extensions of attachments. In addition, the installation of email security products is also an effective measure. Our SOC has observed that these products have detected spear phishing emails by BlackTech. To defend against exploitation of server vulnerabilities, we recommend that applying the latest update programs or the latest security patches. Furthermore, the installation and the properly operation of network security products and endpoint security products are also effective measure. Even if your organization were initially accessed by such threat actor, these products will detect later behaviors. Our SOC has created custom signatures to detect such behaviors, and in some cases, we have been able to minimize the damage by detecting and quarantining them. Although BlackTech is actively developing new malware, its attack techniques have not changed much. Thus, it is important to build detection logics against them. In both attack vectors as we mentioned, BlackTech targets vulnerable areas of the target organization. In particular, overseas offices tend to be attacked by BlackTech. Even if your organization’s critical infrastructure is managed in a closed network, BlackTech will examine all possible paths to penetrate it, identify where are vulnerable areas, and attempt to compromise them. Hence, proper management of your organization’s systems is important. Furthermore, BlackTech is known to repeatedly attack against the same **57** ----- targeted organization. Even if BlackTech intruded once, or even if intrusions were prevented, your organization’s systems still have risk to be attacked over and over. We recommend keeping up with the latest attack trends and taking measures properly and quickly. **58** ----- ## 5. Postface NTT Security Holdings Corporation Japan Security Operation Center has conducted research activities for the prevention of security incidents and early detection when they occur. In particular, we have actively investigated and analyzed on targeted attacks for clue to consider countermeasures against further sophisticated attack. In this report, we provided a walkthrough of BlackTech’s activities based on the cases we observed in 2021. BlackTech has extremely actively attacked against Japanese organizations repeatedly, and it can be continued. Our SOC will continue to research BlackTech. IoCs are listed in the Appendix. We hope you will find it useful. **59** ----- ## 6. About Report Authors: NTT Security Holdings Corporation Japan SOC Shogo Hayashi, Fumio Ozawa, Hajime Takai, Nobuyuki Amakasu, Rintaro Koike, Ryuichi Tanabe, Yuta Sawabe, Sachito Hirao Translators: NTT Security Holdings Corporation Japan SOC Ryu Hiyoshi, Hisayo Enomoto, Mikuru Bansho, Naoki Kubota, Ryuichi Tanabe Release: April 20[th], 2022 (Ver1.0) : Original Japanese version released April 27[th], 2022 (Ver1.1) September 26[th], 2022 : English version released **60** ----- ## 7. References [1] TrendMicro, "Ambiguously Black: The Current State of Earth Hundun's Arsenal", https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf [2] JPCERT/CC, "Malware Gh0stTimes Used by BlackTech “, https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html [3] SEQRITE, "Everything you need to know about the Microsoft Exchange Server Zero-Day Vulnerabilities", https://www.seqrite.com/blog/4898-2/ [4] Deep Learning for Cybersecurity, "Blue Hexagon Security Advisory: Microsoft Exchange Server 0-days", https://medium.com/deep-learning-for cybersecurity/blue-hexagon-security-advisory-microsoft-exchange-server-0 days-83f49d528d34 [5] FREEBUF, "利用Exchange 漏洞入侵安插后门,小心数据泄露", https://www.freebuf.com/articles/system/303176.html [6] PwC, "Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits", https://vblocalhost.com/uploads/VB2021-50.pdf [7] NTT Security Holdings, " Flagpro: The new malware used by BlackTech ", https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware used-by-blacktech [8] GitHub, "abhisek/Pe-Loader-Sample", https://github.com/abhisek/Pe Loader-Sample [9] GitHub, "sweetsiftware/Ares", https://github.com/sweetsoftware/Ares [10] JPCERT/CC, "Malware Used by BlackTech after Network Intrusion", https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html [11] JPCERT/CC, "Malware “TSCookie”", https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html [12] JPCERT/CC, "ELF_TSCookie - Linux Malware Used by BlackTech", https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html **61** ----- [13] Volatility Labs, "Reverse Engineering Poison Ivy's Injected Code Fragments", https://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison ivys.html [14] マクニカネットワークス, "標的型攻撃の実態と対策アプローチ 第4 版 日本を 狙うサイバーエスピオナージの動向2019 年度下期", https://www.macnica.co.jp/business/security/manufacturers/files/mpressionc ss_ta_report_2019_4.pdf [15] TeamT5, "中國駭客 HUAPI 的惡意後門程式 BiFrost 分析", https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the Chinese-apt-group-huapi/ [16] JPCERT/CC, "ELF_PLEAD - Linux Malware Used by BlackTech", https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html [17] ThreatBook, "东亚黑客组织 BlackTech 针对金融、教育等行业展开攻击", http://report.threatbook.cn/BL.pdf **62** ----- ## 8. Appendix IOCs of malware associated with BlackTech are as follows. ###### Malware Samples |Malware Samples|Col2| |---|---| |Hash value (SHA256)|Description| |e81255ff6e0ed937603748c1442ce9d6588decf6922 537037cf3f1a7369a8876|Flagpro| |77680fb906476f0d84e15d5032f09108fdef8933bca d0b941c9f375fedd0b2c9|Flagpro| |655ca39beb2413803af099879401e6d634942a169d2 f57eb30f96154a78b2ad5|Flagpro| |e197c583f57e6c560b576278233e3ab050e38aa9424 a5d95b172de66f9cfe970|Flagpro| |935e61aba8df5f6e80e001af0fa9c6a50c2cf50f406 8e9dd4277f2cd1297d95c|SelfMake Loader| |2657ca121a3df198635fcc53efb573eb069ff2535dc f3ba899f68430caa2ffce|SelfMake Loader| |7da969010a55919aa66ed97a2d2d6d6a0be3d8dc615 1eeb6cebc15e4f06d4553|SelfMake Loader| |5a57c9d19c7fb42832085f88d92f9f57d64b1bca8f2 a19b0533a4caee1a792cc|SelfMake Loader| |3891fb7b3d1e5fc2d028ed3d0debe868189971b20eb 8edb295e2b8d2d0c1a02a|SelfMake Loader| |8bdfc1ed5bfec964050a42a0f1ddd8709fcf14fab1e de151c5a7161be904cd96|SelfMake Loader| |92c75df382218e7743359aa83b403e443550e766c84 74a59c9dcbd4903a4bf02|SelfMake Loader| |c2b23689ca1c57f7b7b0c2fd95bfef326d6a22c1508 9d35d31119b104978038b|Spider RAT| |8c3df0e4d7ff0578d143785342a8033fb6e76ce9f61 c2ea14c402f45a76ab118|Spider RAT| |dced553a6f835162f0515a41a330404466f3ca44bc4 3a2f8b5675ca28609c905|Spider RAT| |d196969b35966462fa03ef857e375e9d6172b34053b 115df04cefa3d673b9d85|Spider RAT| |ee6ed35568c43fbb5fd510bc863742216bba54146c6 ab5f17d9bfd6eacd0f796|BTSDoor| |85fa7670bb2f4ef3ca688d09edfa6060673926edb3d 2d21dff86c664823dd609|BTSDoor| |01581f0b1818db4f2cdd9542fd8d663896dc043efb6 a80a92aadfac59ddb7684|Gh0stTimes| **63** ----- |13c19132f7c0c2c02f4070eca9367bdf8ab2bf59c59 93c6e853584ac215857c7|TSCookie| |---|---| |638cfbe609d7f3e88767133be5ea5f9a75f1d703275 f38eb9ec2414e179483b9|ELF_TSCookie| |0e0198d3409e8dccf2ba1eeed41f56e24b633188230 ed062a43fac0517e8da8f|ELF_TSCookie| |3802fe08235724a1c8f68563aa1166e509aeb27c59c 008dccace5e2513b03375|ELF_TSCookie| |994b294eac5d099392621e6c813694bc254a7d77471 7709ee3b67211df10d963|IamDown| |42416e73ebc0b776c726e6075fa73bb418f24b53b0b 2086141a2aba22301ec6a|IamDown| |d8500672e293ef4918ff77708c5b82cf34d40c440d5 a4b957a5dbd3f3420fdc4|IamDown| |0a06d4dc8d5be03cc932b74758f0004aeaa6cdf1480 6635b9452b5c4db900184|IamDown| |a914c729e4816fb49c8b9830694be385460c2cc366b f1ab1410e84295cfa0946|ELF_Bifrose| |0478fe3022b095927aa630ae9a00447eb024eb862db fce3eaa3ca6339afec9c1|ELF_Bifrose| |4549745d0bbc9b4c16c815927e7720258cd64bb3dcc 76e6f850c845d603cca13|SelfMake Service| |a394250a66dede23931b9bb5d5aced5d32ab171b1f2 8382305d9c942859ef5d1|SelfMake Service| |4dc515a288be6e64b006fe418c5477bd0982ce801e8 29d8299ee0eb949b20dc2|SelfMake Service| |f32318060b58ea8cd458358b4bae1f82e073d1567b9 a29e98eb887860cec563c|HeavyROT Loader| |4991c98c55bfa0b269b05b8e2f0944edb85ddc1d2ba 4dffe0cbf9a7b89a98911|HeavyROT Loader| |76bf5520c19d469ae7fdc723102d140a375bb32f64b 0065470238e6c29ac2518|AresPYDOOR| |e4d837dc1a700bf71b218e41ed50abdbb2ba0352394 504a0cdaa12948d3daf2f|ELF_PLEAD| **64** -----