[About TrendLabs Security Intelligence Blog](http://blog.trendmicro.com/trendlabs-security-intelligence/about-us/) Search: Go to… [Home](http://blog.trendmicro.com/trendlabs-security-intelligence/) Categories [Home » Malware » BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List](http://blog.trendmicro.com/trendlabs-security-intelligence/) # BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List [Posted on:October 27, 2016 at 1:00 am](http://blog.trendmicro.com/trendlabs-security-intelligence/2016/10/) [Posted in:Malware,](http://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/) [Targeted Attacks](http://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/) Author: [Trend Micro](http://blog.trendmicro.com/trendlabs-security-intelligence/author/trend-micro/) 0  27   95   **By Joey Chen and MingYen Hsieh** BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts. ----- g g p g, that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity. This post will discuss this C&C routine, the tools used in these attacks, and the connections between these tools. **C&C configuration retrieval** Figure 1. Overview of C&C configuration retrieval method Backdoors used by BLACKGEAR share a common characteristic: they all retrieve encrypted C&C configuration information from blogs or microblogs. An attacker would register an account on these services and then create posts. The encrypted C&C information would be between two hardcoded tags, as seen below: Figure 2. Encrypted configuration information between tags There are two reasons BLACKGEAR would use this technique. First, the beacon traffic of the backdoor would look like normal traffic to blogs. Secondly, the threat actor would be able to quickly change the C&C servers used if these were blocked. A defender would be unable to block this change in server from reaching any affected machines unless the legitimate site was blocked as well. ----- Figure 3. Tools used by BLACKGEAR campaign The malware tools used by BLACKGEAR can be categorized into three categories: binders, downloaders and backdoors. Binders are delivered by attack vectors (such as phishing and watering hole attacks) onto a machine. These, in turn, drop decoys and downloaders. The latter connect to various sites under the control of the attacker and downloads backdoors. These use persistent methods to ensure that they remain present on the affected machines to give attackers access to the machine in question. By separating the attack tools into three stages, threat actors are able to adapt quickly. If one component is detected and/or blocked, it can be replaced without disrupting the entire toolset. **Binder** The binder (which we detect as the TROJ_BLAGFLDR family) hides as a normal folder by changing its icon to a folder icon. Once the victim executes it, it executes the downloader in the background, drops a decoy folder that includes fake documents, then delete itself. This is so the victim won’t notice that the malicious downloader has been executed. **Downloader** TSPY_RAMNY TSPY_RAMNY is a downloader dropped by TROJ_BLAGFLDR malware. To remain persistent, it moves itself to the Windows temp folder and drops a *.lnk (Windows Shortcut) file in the startup folder that points to itself. It also sends information about the compromised host (such as network settings) back to the download site. The download link is formatted in the following format: http://{IP address}/{folder name}/{webpage name} (Example: http://{IP address}/multi/index.html) This is done so that if someone looks solely at the URL, the download of the backdoor will appear to be an ordinary website. TSPY_YMALRMINI TSPY_YMALRMINI is another downloader that is dropped by TROJ_BLAGFLDR malware, which also sends information about compromised hosts back to the download site We were unable ----- y, g p TSPY_YMALRMINI uses the same URL format as RAMNY. TSPY_YMALRMINI has the same download link pattern as TSPY_RAMNY. The family name for this malware is because some variants have the PDB string “C:\toolson-mini\YmailerCreater – Debug\Binder\Binder\YMailer.pdb”. In addition, these variants also create a log file named YmailerMini.log. **Backdoors** BKDR_ELIRKS BKDR_ELIRKS was the first family of backdoors tied to BLACKGEAR. It retrieves encrypted C&C configuration information from various blogging or microblogging services. Once decoded, it connects to these C&C servers and waits for commands given by a threat actor. To remain persistent, it moves itself to the Windows temp folder and drops a *.lnk (Windows Shortcut) file in the startup folder that points to itself. Its backdoor routines include getting information from the compromised host, downloading and running files, taking screenshots, and opening a remote shell. BKDR_YMALR BKDR_YMALR is a backdoor written using the .NET framework which is also known as LOGEDRUT. The detection name comes from a log file created by this malware family named YMailer.log. Its behavior is similar to ELIRKS – both in terms of C&C information retrieval and available commands to a threat actor. **Encryption and Decryption** BKDR_ELIRKS Reverse analysis of ELIRKS allowed us to determine how to decrypt the C&C information, which is done in the following Python code: #! /usr/bin/env python from ctypes import * def decipher(v, k): y=c_uint32(v[0]) z=c_uint32(v[1]) sum=c_uint32(0xC6EF3720) delta=c_uint32(0x61C88647) n=32 w=[0,0] while(n>0): z.value -= (y.value + sum.value) ^ (y.value * 16 + k[2]) ^ (( y.value >> 5 ) + k[3]) y.value -= (z.value + sum.value) ^ (z.value * 16 + k[0]) ^ (( z.value >> 5 ) + k[1]) sum.value += delta.value n -= 1 w[0]=y.value w[1]=z.value return w if __name__ == '__main__': key = [0x8F3B39F1, 0x8D3FBD96, 0x473EAA92, 0x502E41D2] ciphertext = [ciphertext1, ciphertext2] # you can input cipher text here res = decipher(ciphertext, key) plaintext = "%X" % (res[0]) c4 = str(int("0x"+plaintext[6:8],16)) c3 = str(int("0x"+plaintext[4:6],16)) c2 = str(int("0x"+plaintext[2:4],16)) c1 = str(int("0x"+plaintext[:2] 16)) ----- y blog/microblog posts are downloaded, the malware finds and decrypts the C&C information. The C&C information is stored in the post in two short bits of text. The first is an eight-character string that is decoded into a six-byte hexadecimal value. The second is a two-character string which is already in a hexadecimal format, and is concatenated towards the end. A modified version of the [TEA algorithm decrypts these into the C&C server locations.](https://web.archive.org/web/20070127094759/http://www-users.cs.york.ac.uk/~matthew/TEA/) Figure 4. BKDR_ELIRKS decryption algorithm BKDR_YMALR BKDR_YMALR implements the same behavior in a slightly different manner. It contains several encrypted strings: Figure 5. Encrypted strings in BKDR_YMALR These encrypted strings are the result of the blog URLs and tags being first encoded with Base64, and then encrypted with DES. The encryption key and initialization vector are hardcoded, with both set to 1q2w3e4r. (Note how these are positioned on a normal keyboard.) Figure 6. Blog URL and tags in BKDR_YMALR ----- Figure 7. BKDR_YMALR decryption algorithm Once these have been decoded, BKDR_YMALR uses the same algorithm as ELIRKS to obtain the C&C information. Figure 8. BKDR_YMALR configuration from the blog post blog **Connections between tools** ----- Figure 9. Connections between tools More than just tools being used together, it appears that there are distinct connections between the different tools used by BLACKGEAR. The string “YMailer” shows up in the filenames of log files used by both BKDR_YMALR and TSPY_YMALRMINI, and it is in the PDB strings of the latter. The two downloaders TSPY_RLMNY and TSPY_YMALRMINI both use the string toolson in different places. Lastly, both downloaders and one backdoor share the same decryption key 1q2w3e4r. The above illustration shows the connections between the families. **Conclusion** Malware threats need to evolve or otherwise become non-threats. Similarly, to stay relevant, BLACKGEAR has evolved with both new tools and new targets, and will continue to be a threat for the foreseeable future. We will continue to monitor its activities in order to protect our customers. **Indicators of Compromise (IOCs)** TROJ_BLAGFLDR 52d6b30bc578465d8079d9abd0d4c4826b51b25f 800c7d54280f5f35e3b58a6d4dfd4845f6ed9e15 8b6614562a79a13e60d100a88f1ba4eb601636db 98efee8dde7d493c0d35d02a2170b6d1b52987d3 TSPY_RAMNY 02785ebcb683a380c80958f3fe2a52f805c5c12d 74031e70ca3b4004c6b7a8197397882bc02c30cb b4c63a0ff9b8eb8cc1a53a4dd036e93f9eeceeca TSPY_YMALRMINI 048790098a7c6b8405761b75ef2a2fd8bd0560b6 96f3b52460205f6ecc6b6d1a73f8db13c6634afc ----- 4f54cfcf266b73ca3759b9cb0252c27094b5b330 521a9d73191c7740f969ae3c53e6abf70ffbedf9 533565f7953fb1648d437d14d007003c6343b9ae 80108d2aacb0a1f2a5350f71e7a04239fc5f96a9 8cad1bcbdd558802b34119fb57160cc748170133 9a768fae41ca7395b4257e85acef915e124c2981 a70001c67e81d1dcf62f808760514b6df28a411a a9ea07caafeb63133e5131f7a56bc8da1bc3d72a dd0ceafbe7f4bf2905e560c3348545e32bc0f684 BKDR_YMALR 02fed8cae7f3986c1344dd75d869ba23cfc4073a 09d73b522f36786bb6e645b96f244bb51c3cc7ea 0a59d52367435bc22a92c27d60023acec575a5fb 0cc74332b1e213456693159d3ba12a3421036f68 1120f049dcb4a62809687dc277b42589d8d1caa6 12c8cc7e125572d614b708c056f7fd0ed49870c5 29b08d270ba6efcf57ca2ad33d8e3edd93d6b32a 2d3d7b9521aec637f2e99624e0489b9f140d463f 2de7d78615ec0fbf2652790d53b50ddb0472292c 31de946255b240c0ae2f56786ac25183f3aaeea5 3aa8509715c7f55bdee831d5f7db22a2c516db43 3d175b1defe7076e0fe56076dd0d5f438de43324 4000244b2cba78a45034bb6ab2bac46d6a8a79ea 4882735e8a465fac938fd04546a51efefb9806da 48d373bdb31dcecd7f59bd5a964d062c8b6bfce8 49f6eb7f8e4a27f574c9a3e8c0da0b7895df7e41 4c7df09012fc88d336467691acf0afce64f40341 551f9a60203bec904487113e8d42dea463ac6ca9 5a4b15fa5a615a93191ede4c75dd3e65e87586dc 5aa5117db6f420c81d2e1a7f036963a3c6ef02e9 5dc007d056513cba030ec16e15bdbb9ea5fe0e5a 628309a60ad1fbe240486519de1424f7ddc2df4d 636e7a9effb1a244697c880832e486de56260527 6bb5f51d03edd1acd7d38cca8095a237543c6a0d 6c4786b792f13643d408199e1b5d43f6473f5eea 6dd997409afec6fafbe54bd9d70d45fffff6a807 7142ca7079da17fa9871cbc86f7633b3253aeaed 7254b719fd3cf87c8ac8ed9327c8e1bf99abf7af 7329a789363f890c401c286dbaf3d2bf79ee14f7 7b2c4d14710cf2fd53486399ecc5af85cd75eca6 88e22933b76273793e4278c433562fb0b4fe125a 8917c582ab5c2e831de6eba33b4f19d6e3a2cb70 8c325e92bf21d0c3737dbbc596854bc12184eeaf 8f65cbde2f3b664bcede3822a19765bdb7f58099 9047b6b2e8fbaa8a06b2faaa30e038058444106a 93c3f23905599df78cd5416dd9f7c171b3f1e29e 94750bdae0fa190116a68e96d45f3d46c24b6cf1 9954a1c8e7b0e2f17841608f6b8c9d042b7a0780 9b96646d152583ff58c2c29191cb1672847d56b6 9f5a3b6db752d617f4d278d6531e2bbdb7faa977 a30cc98ceb5d3379e80443f68a186326926f73ce a893896af5468ac6e04cdd13edff8cae04800848 a8f461749c7fe2a21116b8390cf84a8300009321 a9108bf3ce39cea40e46ac575247a9a7c077b2a8 a9fd9ade807af4779f3eea39fed2c583a50c8497 ac014e4c2d68f6c982ac58738857b698b9e46af5 acaec2b0f86ec4262be5bb8bcebcc12093e071ba ad61c51b03022ef6bcb5e9738fe2f621e970ecb3 b28f6ba3d6571c5d85cb5276cbcdce9adf49d5a9 bc61f1b3c8eb3bda2071f6caf71ff23705128ca5 c30b305a7bea9a2f61aca2dbcf596c2b0c0e4fa0 c4c747f26f95fdbfc5bff04688dc76ae0bb48fff ----- cf629249fb4af86746059e638ccef5b8a43c6834 cfd9a67b4b0eb3d756bb7e449b46687e6aef006b d107268bd767a2dfe1c8733b7da96c1a64f5d112 d7cd079f8485ea55443ed497f055dbed5ae4a668 d95c97f1525e9888571f498f2be584dda243da2a e01f9ba6355bcdc7ccf89261658bff9f965b8c21 e05efde2b442dc4119179e3c39c74a973499e271 e1acfed710f186d86a2bc8179ff38fdd21f9a1b6 e1fb2e1866f332a5656bf55fde13ff57d5f0bbf6 e77303d80968395eec008515ea9eb3c620b14255 eb9e553524d414d862857297baf44da3b4072650 eca06f3c535ba3b3463917974a79efc821fddb6c eeb065a1963a8aa0496e61305c076c5946d77e12 efa611262e6d4804ce9026d50bfa64f20d9271ca fb59481d153388d2ad3bb6321d0b2875cb07f4d3 fbcbbc187e99317c5a36a3667592590a7f5a17d1 ##      ### Related Posts: **[Pawn Storm Campaign Adds Turkey To Its List of Targets](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-adds-turkey-list-targets/)** **[Helper for Haima iOS App Store Adds More Malicious Behavior](http://blog.trendmicro.com/trendlabs-security-intelligence/helper-haima-malicious-behavior/)** **[New Open Source Ransomware Based on Hidden Tear and EDA2 May Target Businesses](http://blog.trendmicro.com/trendlabs-security-intelligence/new-open-source-ransomwar-based-on-hidden-tear-and-eda2-may-target-businesses/)** **[BEBLOH Expands to Japan in Latest Spam Attack](http://blog.trendmicro.com/trendlabs-security-intelligence/bebloh-expands-japan-latest-spam-attack/)** Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: [ENTERPRISE](http://www.trendmicro.com/us/security-intelligence/enterprise-ransomware/index.html) » [SMALL BUSINESS](http://www.trendmicro.com/us/security-intelligence/small-business-ransomware/index.html) » [HOME](http://www.trendmicro.com/us/home/consumer-ransomware/index.html) » Tags: [BLACKGEARELIRKS](http://blog.trendmicro.com/trendlabs-security-intelligence/tag/blackgear/) ----- **0 Comments** **[TrendLabs](https://disqus.com/home/forums/trendlabs/)** [1](https://disqus.com/home/inbox/) **Login**  **Recommend** #### ⤤ Share Sort by Best This discussion has been closed. ✉ **Subscribe** d **[Add Disqus to your site Add Disqus Add](https://publishers.disqus.com/engage?utm_source=trendlabs&utm_medium=Disqus-Footer)** � **[Privacy](https://help.disqus.com/customer/portal/articles/1657951?utm_source=disqus&utm_medium=embed-footer&utm_content=privacy-btn)** #### Featured Stories [Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/) [New Bizarro Sundown Exploit Kit Spreads Locky](http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/) [The Internet of Things Ecosystem is Broken. How Do We Fix It?](http://blog.trendmicro.com/trendlabs-security-intelligence/internet-things-ecosystem-broken-fix/) [CVE-2016-3298: Microsoft Puts the Lid on Another IE Zero-day Used in AdGholas](http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-3298-microsoft-fixes-another-ie-zero-day-used-in-adgholas/) Campaign [FastPOS Updates in Time for the Retail Sale Season](http://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/) #### Business Email Compromise How can a sophisticated email scam cause more than $2.3 billion in damages to businesses around the world? [See the numbers behind BEC](http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/billion-dollar-scams-the-numbers-behind-business-email-compromise) #### Latest Ransomware Posts [Mobile Ransomware: How to Protect Against It](http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-protect/) [Mobile Ransomware: Pocket-Sized Badness](http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/) [HDDCryptor: Subtle Updates, Still a Credible Threat](http://blog.trendmicro.com/trendlabs-security-intelligence/hddcryptor-updates-still-credible-threat/) [Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files](http://blog.trendmicro.com/trendlabs-security-intelligence/how-cerber-encrypts-database-files/) [New Bizarro Sundown Exploit Kit Spreads Locky](http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/) #### Recent Posts [Mobile Ransomware: How to Protect Against It](http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-protect/) [Home Routers: Mitigating Attacks that can Turn them to Zombies](http://blog.trendmicro.com/trendlabs-security-intelligence/home-routers-mitigating-attacks-that-turn-them-to-zombies/) [Patch Tuesday of December 2016: Microsoft Releases 12 Bulletins, Six Critical](http://blog.trendmicro.com/trendlabs-security-intelligence/patch-tuesday-december-2016-microsoft-releases-12-bulletins-six-critical/) [Leaking Beeps: IT Systems Broadcasting Sensitive Info](http://blog.trendmicro.com/trendlabs-security-intelligence/leaking-beeps-systems-broadcasting-sensitive-info/) [Mobile Ransomware: Pocket-Sized Badness](http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/) #### Ransomware 101 ----- This infographic shows how ransomware has evolved, how big the problem has become, and ways to avoid being a ransomware victim. [Check the infographic](http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-101-what-it-is-and-how-it-works) #### Popular Posts [CEO Fraud Email Scams Target Healthcare Institutions](http://blog.trendmicro.com/trendlabs-security-intelligence/ceo-fraud-email-scams-target-healthcare-institutions/) [One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild](http://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild/) [Hacking Team Flash Zero-Day Integrated Into Exploit Kits](http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-integrated-into-exploit-kits/) [Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files](http://blog.trendmicro.com/trendlabs-security-intelligence/how-cerber-encrypts-database-files/) [Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/) #### Latest Tweets Common attack types and vulnerabilities in the network can be revealed through leaked pages. Find out how:… [twitter.com/i/web/status/8…](https://t.co/amTg1lFsYn) [about 50 mins ago](http://twitter.com/TrendLabs/status/811013250670362624) Aside from HDDCryptor, other earlier discovered #ransomware families continue to make their presence felt. Details: [bit.ly/2gyB8f5](https://t.co/UnLlPVlTYB) [about 9 hours ago](http://twitter.com/TrendLabs/status/810892724463353856) What are the types of attacks do home networks usually contend with? Here's what we found out:… [twitter.com/i/web/status/8…](https://t.co/fr4zVmqRNC) [about 12 hours ago](http://twitter.com/TrendLabs/status/810847158014459904) #### Stay Updated Email Subscription Your email here Subscribe [Home and Home Office](http://www.trendmicro.com/us/home/index.html) | [For Business](http://www.trendmicro.com/us/business/index.html) | [Security Intelligence](http://www.trendmicro.com/us/security-intelligence/index.html) | [About Trend Micro](http://www.trendmicro.com/us/about-us/index.html) Asia Pacific Region (APAC): [Australia /](http://www.trendmicro.com.au/au/home/index.html) [New Zealand,](http://www.trendmicro.co.nz/nz/home/index.html) [中国,](http://cn.trendmicro.com/cn/home/index.html) [日本,](http://jp.trendmicro.com/jp/home/index.html) [대한민국,](http://www.trendmicro.co.kr/index.html) [台灣](http://tw.trendmicro.com/tw/home/index.html) Latin America Region (LAR): [Brasil,](http://br.trendmicro.com/br/home/index.html) [México](http://la.trendmicro.com/la/home/index.html) North America Region (NABU): [United States,](http://www.trendmicro.com/us/index.html) [Canada](http://ca.trendmicro.com/ca/home/index.html) Europe, Middle East, & Africa Region (EMEA): [France,](http://www.trendmicro.fr/) [Deutschland / Österreich / Schweiz,](http://www.trendmicro.de/) [Italia,](http://www.trendmicro.it/) [Россия,](http://www.trendmicro.com.ru/) [España,](http://www.trendmicro.es/) [United Kingdom / Ireland](http://www.trendmicro.co.uk/) [Privacy Statement](http://www.trendmicro.com/us/about-us/legal-policies/privacy-statement/index.html) [Legal Policies](http://www.trendmicro.com/us/about-us/legal-policies/index.html) Copyright © 2016 Trend Micro Incorporated. All rights reserved. -----