## Following the Trail of BlackTech’s Cyber Espionage Campaigns

**[Posted on: June 22, 2017](https://blog.trendmicro.com/trendlabs-security-intelligence/2017/06/) at 5:05 am** | **[Posted in: Targeted Attacks](https://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/)** | **Author: Trend Micro**

**_by Lenart Bermejo, Razor Huang, and CH Lei (Threat Solution Team)_**

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their targets’ technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and, of late, Waterbear.

Over the course of their campaigns, we analyzed their modus operandi and dissected their tools of the trade—and uncovered common denominators indicating that PLEAD, Shrouded Crossbow, and Waterbear may actually be operated by the same group.

**_PLEAD_**

PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install its backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop-off points for documents stolen and exfiltrated by DRIGO.

PLEAD’s installers are disguised as documents using the [right-to-left-override (RTLO) technique](http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/) to obfuscate the malware’s filename: a U+202E control character inserted into the name makes a file browser render everything after it reversed, so a name that really ends in `.exe` is displayed as if it ended in `.doc`. They are mostly accompanied by decoy documents to further trick users.
We’ve also seen PLEAD use exploits for these vulnerabilities:

- [CVE-2015-5119](http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/), an Adobe Flash Player use-after-free, patched by Adobe in July 2015
- [CVE-2012-0158](http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-exploitation-seen-in-various-global-campaigns/), in the MSCOMCTL ActiveX control reachable from Office documents, patched by Microsoft in April 2012
- [CVE-2014-6352](http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-windows-hit-by-new-zero-day-attack/), a Windows OLE flaw reachable from crafted Office documents, patched by Microsoft in October 2014
- [CVE-2017-0199](http://blog.trendmicro.com/trendlabs-security-intelligence/april-patch-tuesday-microsoft-patches-office-vulnerability-used-zero-day-attacks/), Office/WordPad handling of OLE2-linked HTA content, patched by Microsoft in April 2017

All four had vendor patches available before or shortly after the attacks we observed; the group relies on targets that lag on patching rather than on zero-days of its own.

PLEAD also dabbled with a short-lived, fileless version of its malware when it obtained an exploit for a Flash vulnerability (CVE-2015-5119) that was [leaked during the Hacking Team breach](http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/).
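As an added example, not code from the Trend Micro post, here is a check for the RTLO trick described above: it reports the bidi control characters in a filename, the name a left-to-right file browser would show, and the extension Windows actually dispatches on. The executable-extension list is an assumption, and the rendering function only models the single U+202E case the post describes, not the full Unicode bidi algorithm.

```python
# Added example (not from the Trend Micro post): detect right-to-left-override
# (RTLO) filename spoofing of the kind PLEAD installers use, and show the name
# a user would see versus the extension the OS actually honours.
import unicodedata

# Unicode bidi control characters that can reorder how a filename renders.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the classic; the others are its siblings.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
}

# Assumed set of extensions worth alerting on when hidden behind a bidi control.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def real_extension(filename: str) -> str:
    """Extension the OS dispatches on: text after the last dot, ignoring rendering."""
    stripped = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    dot = stripped.rfind(".")
    return stripped[dot:].lower() if dot != -1 else ""


def displayed_name(filename: str) -> str:
    """Approximate what a left-to-right file browser renders for `filename`.

    Only the single-RLO case is modelled (everything after U+202E is reversed);
    that is the pattern the post describes, not a full Unicode bidi algorithm.
    """
    if "\u202e" not in filename:
        return filename
    head, _, tail = filename.partition("\u202e")
    return head + tail[::-1]


def rtlo_verdict(filename: str) -> dict:
    """Summarise a filename: controls present, rendered name, real extension, verdict."""
    controls = [c for c in filename if c in BIDI_CONTROLS]
    ext = real_extension(filename)
    return {
        "has_bidi_control": bool(controls),
        "controls": [unicodedata.name(c) for c in controls],
        "displayed": displayed_name(filename),
        "real_extension": ext,
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTENSIONS,
    }
```

A mail gateway or endpoint agent can apply `rtlo_verdict` to attachment names and dropped files; a bidi control in front of an executable extension is rare enough in legitimate filenames that blocking it outright is usually acceptable.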
_Figure 1: How PLEAD utilizes compromised routers_

PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers enable the router’s VPN feature and register a machine as a virtual server. This virtual server is used either as a C&C server or as an HTTP server that delivers PLEAD malware to their targets. Because the traffic terminates on a legitimately owned device, the C&C address itself carries little reputation signal; unexpected VPN or virtual-server configuration changes on edge routers are the more useful indicator.

PLEAD also uses CVE-2017-7269, a buffer overflow in the WebDAV service (the ScStoragePathFromUrl function) of Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003, to compromise the victim’s server. The bug is reached through a PROPFIND request whose If: header begins with `<http://` and is far longer than any legitimate lock-token list, which makes attempts easy to spot on the wire. This is another way for them to establish a new C&C or HTTP server.
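An added example, not code from the Trend Micro post, of the network-side check that follows from the CVE-2017-7269 description above: parse the head of a raw HTTP request and flag the PROPFIND-with-overlong-If-header shape of an exploitation attempt. The 256-byte cut-off and the hostnames in the sample requests are assumptions; legitimate WebDAV If headers carry a handful of lock tokens or ETags and stay well under it.

```python
# Added example (not from the Trend Micro post): a network-side check for
# WebDAV PROPFIND requests carrying the overlong "If: <http://..." header that
# triggers CVE-2017-7269 in IIS 6.0. The length threshold is an assumption.
from typing import Dict, Optional, Tuple

# Well-formed If headers carry one or two lock tokens/ETags and are short; the
# public exploit sends a header several hundred bytes long. Assumed cut-off.
MAX_BENIGN_IF_HEADER_LEN = 256


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, target, headers).

    Header names are lower-cased; duplicate headers are joined with ', '.
    Tolerates bare LF line endings and stops at the first blank line.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.decode("latin-1").partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers


def cve_2017_7269_indicator(raw: bytes) -> Optional[str]:
    """Return a reason string if the request matches the CVE-2017-7269 shape, else None."""
    method, _, headers = parse_request_head(raw)
    if method.upper() != "PROPFIND":
        return None
    if_header = headers.get("if")
    if if_header is None or not if_header.startswith("<http://"):
        return None
    if len(if_header) <= MAX_BENIGN_IF_HEADER_LEN:
        return None
    return f"PROPFIND with {len(if_header)}-byte If header starting with <http://"
```

Run it from an IDS hook or over a pcap's reassembled request heads; a hit against an IIS 6.0 host that still has WebDAV enabled is worth an immediate look at that server's process list, since the post reports the exploit being used to stand up new C&C or delivery servers.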
_Figure 2: One of the methods PLEAD operators use to distribute their malware_

PLEAD’s backdoor can:

- Harvest saved credentials from browsers and email clients like Outlook
- List drives, processes, open windows, and files
- Open a remote shell
- Upload a target file
- Execute applications via the ShellExecute API
- Delete a target file

PLEAD also uses the document-targeting exfiltration tool DRIGO, which mainly searches the infected machine for documents. Each copy of DRIGO contains a refresh token tied to specific Gmail accounts used by the attackers, which are in turn linked to a Google Drive account. The stolen files are uploaded to these Google Drives, where the attackers can harvest them. An OAuth2 refresh token is a long-lived credential that lets the tool mint short-lived access tokens without any interactive login, and the uploads go to Google’s own API endpoints over HTTPS, so the traffic looks like ordinary Drive use unless the process generating it is examined.

**_Shrouded Crossbow_**

This campaign, first observed in 2010, is believed to be operated by a well-funded group given how it [appeared to have purchased the source code of the BIFROST backdoor](http://blog.trendmicro.com/trendlabs-security-intelligence/new-targeted-attack-group-buys-bifrose-code-works-in-teams/), which the operators enhanced and created other tools from. Shrouded Crossbow targeted privatized agencies and government contractors as well as enterprises in the consumer electronics, computer, healthcare, and financial industries.

Shrouded Crossbow employs three BIFROST-derived backdoors: BIFROSE, KIVARS, and XBOW. Like PLEAD, Shrouded Crossbow uses spear-phishing emails with backdoor-laden attachments that use the RTLO technique and are accompanied by decoy documents.

BIFROSE, known for evading detection by communicating with its C&C servers via the Tor protocol, also [has a version targeting UNIX-based operating systems, which are usually used in servers](http://blog.trendmicro.com/trendlabs-security-intelligence/threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix/).

…windows, and trigger mouse clicks and keyboard inputs. [A 64-bit version of KIVARS also emerged](http://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/) to keep pace with the popularity of 64-bit systems.
XBOW’s capabilities are derived from BIFROSE and KIVARS; Shrouded Crossbow gets its name from its unique mutex format.

**_Waterbear_**

Waterbear has actually been operating for a long time. The campaign’s name is based on its malware’s capability to equip additional functions remotely.

Waterbear similarly employs a modular approach to its malware. A loader component executable connects to the C&C server to download the main backdoor and load it in memory. A later version of this malware appeared and [used patched server applications as its loader component](http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-foothold-against-east-asian-government-through-auto-start/), while the main backdoor is either loaded from an encrypted file or downloaded from the C&C server. In both forms the backdoor itself never touches disk unencrypted, so file-based scanning sees only the small loader.

The tactic it later adopted required prior knowledge of the targets’ environment. It’s possible attackers used Waterbear as a secondary payload to help maintain presence after gaining some level of access into the targets’ systems.

**_All Roads Lead to BlackTech_**

Based on the use of the same C&C servers, the campaigns’ coordinated efforts, and similarities in tools, techniques, and objectives, we can conclude that they are operated by the same group. It is not uncommon, for instance, for a group—especially a well-funded one—to split into teams and run multiple campaigns. While most of the campaigns’ attacks are conducted separately, we’ve seen apparently joint operations conducted in phases that entail the work of different teams at each point in the infection chain.

_Use of the Same C&C Servers._ In several instances, we found the campaigns’ malware communicating with the same C&C servers. In targeted attacks, C&C servers are typically not shared with other groups.
Here are some of the C&C servers we found that are shared by the campaigns:

| C&C Server | PLEAD | Shrouded Crossbow | Waterbear |
|---|---|---|---|
| itaiwans[.]com | Yes | No | Yes |
| microsoftmse[.]com | Yes | Yes | No |
| 211[.]72[.]242[.]120 | Yes | Yes | No |

_Table 1: C&C servers shared by PLEAD, Shrouded Crossbow, and Waterbear_

Additionally, the IP 211[.]72[.]242[.]120 is one of the hosts for the domain microsoftmse[.]com, which has been used by several KIVARS variants.

_Joint Operations._ We also found incidents where the backdoors were used on the same targets. While it’s possible for separate groups to attack at the same time, we can construe that they are at least working together:

| | PLEAD | Shrouded Crossbow |
|---|---|---|
| Samples from the same group using the same filename | Loader component named after its target, i.e. {target name}.exe | Loader component named after its target, i.e. {target name}.exe or {target name}64.exe |
| Backdoors using the same C&C servers | Connected to 211[.]72[.]242[.]120:53 | Connected to 211[.]72[.]242[.]120:443 |
| Timeline indicating arrival order | Arrived two days after initial infection by Shrouded Crossbow | Established presence two years prior, but re-infected at a recent time |

_Table 2: Incident where PLEAD and KIVARS attack the same target_

| | PLEAD | Shrouded Crossbow | Waterbear |
|---|---|---|---|
| Samples found on the same machine | vmdks.exe | cfbcjtqx.dll | tpauto.dll |
| Timeline of infection | 3/16/2017 | 2/23/2017 | 3/8/2017 |

_Table 3: Incidents where PLEAD, KIVARS, and Waterbear were used on the same target_

Note that the same C&C host serves both families on different ports (53 and 443 in Table 2), so port-based filtering alone would split what is really one piece of infrastructure.

_Similarities between tools and techniques._ PLEAD and KIVARS, for instance, share the use of RTLO techniques to disguise their installers as documents. Both also use decoy documents to make the RTLO attack more convincing.
Another similarity is the use of a small loader component to load encrypted backdoors into memory.

_Similar Objectives._ The ulterior motive of these campaigns is to steal important documents from their victims; initial recipients of their attacks are not always their primary target. For instance, we saw several decoy documents stolen by the attackers that were then used against another target. This indicates that document theft is most likely the first phase of an attack chain against a victim with ties to

Based on the type of documents stolen by these campaigns, we can get a clearer view of who they’re targeting and compromising, the purpose of their campaigns, and when they take place. Below are some of the categories or labels of the stolen documents:

- Address book
- Budget
- Business
- Contract
- Culture
- Defense
- Education
- Energy
- Foreign affairs
- Funding application
- Human affairs
- Internal affairs
- Laws
- Livelihood economy
- Meeting
- Official letter
- Password list
- Performance appraisal
- Physical culture
- Press release
- Public security
- Schedule

**_Enterprises Need to be Proactive_**

PLEAD, Shrouded Crossbow, and Waterbear are still actively mounting campaigns against their targets, which is why organizations must proactively secure their perimeter.

IT/system administrators and information security professionals can consider making a checklist of what to look out for in the network for any signs of anomalies and suspicious behavior that can indicate intrusions. [Adopting best practices and employing multilayered security mechanisms and strategies against targeted attacks](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/form-strategies-based-on-these-targeted-attack-stages) are also recommended.
[Network traffic analysis](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/network-traffic-analysis-can-stop-targeted-attacks), deployment of firewalls and intrusion detection and prevention systems, [network segmentation, and data categorization](http://blog.trendmicro.com/trendlabs-security-intelligence/identifying-and-dividing-networks-and-users/) are just some of them.

**_Trend Micro Solutions_**

[Trend Micro™ Deep Discovery™](http://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/) provides detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, [custom sandboxing](http://blog.trendmicro.com/trendlabs-security-intelligence/deploying-a-smart-sandbox-for-unknown-threats-and-zero-day-attacks/), and seamless correlation across the entire attack lifecycle, allowing it to detect threats like the above-mentioned zero-day attacks even without any engine or pattern update.

[Trend Micro™ Deep Security™ and Vulnerability Protection](http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html) provide virtual patching that protects endpoints from threats that abuse unpatched vulnerabilities.
[OfficeScan’s Vulnerability Protection](http://www.trendmicro.com/us/enterprise/product-security/officescan/) shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. [Trend Micro™ Smart Protection for Endpoints with Maximum XGen™ security](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html?cm_mmc=VURL:www.trendmicro.com-_-VURL-_-/us/enterprise/network-security/interscan-web-security/index.html-_-1:1) infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across user activity and any endpoint—the broadest possible protection against advanced attacks.

An overview and analysis of the various malware used by PLEAD, Shrouded Crossbow, and Waterbear, along with their indicators of compromise (hashes, C&Cs), can be found in this technical brief.
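The post recommends a checklist of network anomalies to watch for. The script below, added here as an example and not part of the Trend Micro post or its technical brief, sweeps constructed proxy-log lines for two of the behaviors the post describes: contact with the C&C hosts in Table 1 (refanged from the post’s `[.]` notation) and DRIGO-style exfiltration, in which a non-browser process redeems a Google OAuth2 refresh token and shortly afterward uploads to Google Drive. The log format, client addresses, the ten-minute window and the list of browser-like processes are assumptions; the Google endpoint paths are the real ones.

```python
# Added example (not from the Trend Micro post): sweep constructed proxy-log
# lines for two network behaviours the post describes: contact with the C&C
# infrastructure shared across the campaigns (Table 1), and DRIGO-style
# exfiltration, where a non-browser process redeems a Google OAuth2 refresh
# token and then uploads to Google Drive. Log format, client addresses, process
# allow-list and the time window are assumptions made for this example.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List
from urllib.parse import urlparse

# Indicators from the post's Table 1, refanged from its "[.]" notation.
SHARED_C2 = {
    "itaiwans.com": ("PLEAD", "Waterbear"),
    "microsoftmse.com": ("PLEAD", "Shrouded Crossbow"),
    "211.72.242.120": ("PLEAD", "Shrouded Crossbow"),
}
# Real Google endpoints: OAuth2 token exchange and the Drive upload path.
TOKEN_ENDPOINTS = {("oauth2.googleapis.com", "/token"), ("www.googleapis.com", "/oauth2/v4/token")}
DRIVE_UPLOAD_HOST, DRIVE_UPLOAD_PREFIX = "www.googleapis.com", "/upload/drive/"
# Processes expected to redeem Google tokens on a workstation (assumed allow-list).
BROWSER_LIKE = {"chrome.exe", "firefox.exe", "outlook.exe", "googledrivesync.exe"}
EXFIL_WINDOW = timedelta(minutes=10)

# Constructed log: timestamp client process method url bytes_out body_hint
SAMPLE_LOG = """\
2017-03-16T09:12:01 10.1.4.22 chrome.exe POST https://oauth2.googleapis.com/token 310 grant_type=refresh_token
2017-03-16T09:12:03 10.1.4.22 chrome.exe GET https://www.googleapis.com/drive/v3/files 0 -
2017-03-16T09:20:44 10.1.4.37 vmdks.exe POST https://oauth2.googleapis.com/token 402 grant_type=refresh_token
2017-03-16T09:21:10 10.1.4.37 vmdks.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 5242880 -
2017-03-16T09:25:00 10.1.4.37 vmdks.exe CONNECT https://microsoftmse.com:443 0 -
2017-03-16T10:02:17 10.1.4.51 svchost.exe CONNECT https://211.72.242.120:53 0 -
2017-03-16T11:40:00 10.1.4.60 googledrivesync.exe POST https://www.googleapis.com/upload/drive/v3/files 8192 -
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed seven-field proxy log into dicts with a split URL."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, proc, method, url, bytes_out, hint = line.split(None, 6)
        u = urlparse(url)
        rows.append({
            "ts": datetime.fromisoformat(ts), "client": client, "process": proc.lower(),
            "method": method, "host": u.hostname, "port": u.port or 443,
            "path": u.path, "bytes_out": int(bytes_out), "hint": hint,
        })
    return rows


def shared_c2_hits(rows: List[dict]) -> List[dict]:
    """Any client touching a host the post lists as shared C&C, with the campaigns it ties to."""
    return [
        {"client": r["client"], "process": r["process"], "host": r["host"],
         "port": r["port"], "campaigns": SHARED_C2[r["host"]]}
        for r in rows if r["host"] in SHARED_C2
    ]


def drigo_style_exfil(rows: List[dict]) -> List[dict]:
    """Non-browser process redeems a refresh token, then uploads to Drive within EXFIL_WINDOW."""
    by_client: Dict[str, List[dict]] = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda r: r["ts"])
        for i, r in enumerate(events):
            redeems_token = (r["method"] == "POST"
                             and (r["host"], r["path"]) in TOKEN_ENDPOINTS
                             and "refresh_token" in r["hint"])
            if not redeems_token or r["process"] in BROWSER_LIKE:
                continue
            for later in events[i + 1:]:
                if later["ts"] - r["ts"] > EXFIL_WINDOW:
                    break
                if (later["process"] == r["process"] and later["host"] == DRIVE_UPLOAD_HOST
                        and later["path"].startswith(DRIVE_UPLOAD_PREFIX)):
                    findings.append({"client": client, "process": r["process"],
                                     "bytes_out": later["bytes_out"],
                                     "seconds_after_token": int((later["ts"] - r["ts"]).total_seconds())})
                    break
    return findings


def sweep(log_text: str = SAMPLE_LOG) -> Dict[str, List[dict]]:
    """Run both checks over a log and return the findings keyed by check name."""
    rows = parse_log(log_text)
    return {"shared_c2": shared_c2_hits(rows), "drigo_style": drigo_style_exfil(rows)}
```

The DRIGO check needs the originating process name in the proxy log, which means an agent-based or authenticated proxy; without it, the refresh-token grant from a workstation is indistinguishable from a browser signing in, and only the C&C indicator match remains.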
**Tags:** [BlackTech](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/blacktech/) | cyber espionage | [PLEAD](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/plead/) | Shrouded Crossbow | [Waterbear](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/waterbear/)

Copyright © 2017 Trend Micro Incorporated. All rights reserved.