{
	"id": "bf92d368-8d7e-4594-87f6-4abef576243f",
	"created_at": "2026-04-06T00:19:54.150134Z",
	"updated_at": "2026-04-10T03:32:09.276906Z",
	"deleted_at": null,
	"sha1_hash": "eefe398c114ddbed11c97fdc1ab2d684b4193d0e",
	"title": "F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1735164,
	"plain_text": "F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2022-09-14 · Archived: 2026-04-05 12:53:29 UTC\r\n\r\nBlackTech\r\n\r\nAround May 2022, JPCERT/CC confirmed attack activity against Japanese organizations that exploited the F5 BIG-IP vulnerability CVE-2022-1388. The targeted organizations have confirmed that data on BIG-IP was compromised. We consider this attack to be related to the activities of the BlackTech attack group. This blog article describes the attack activities that exploit this BIG-IP vulnerability.\r\n\r\nAttack code that exploits the BIG-IP vulnerability\r\n\r\nBelow is a part of the attack code used in the attack. This attack tool enables attackers to execute arbitrary commands on BIG-IP.\r\n\r\nhttps://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html\r\nPage 1 of 9\r\n\r\nFigure 1: A part of the confirmed code that exploits the BIG-IP vulnerability\r\n\r\nFigure 1 (grayed-out part) shows that multiple domestic BIG-IP IP addresses were listed in the attack code and that they were the targets of the attack. The attack code, as well as malware such as TSCookie and Bifrose, which is used by BlackTech, was found on the server used by the attacker.\r\n\r\nFigure 2: Server where attack code was installed\r\n\r\nIn addition to known malware, new unidentified malware was discovered on this server, which is described in the following section.\r\n\r\nHipid\r\n\r\nThis malware targets Linux OS, and two types have been identified: one built for the ARM CPU architecture and the other for x64. It is unclear what type of device it was created to run on, but it is possibly intended for IoT devices.\r\n\r\nFigure 3: A part of malware code (left: ARM type, right: x64 type)\r\n\r\nThis malware has a function to receive commands from the C2 server and execute arbitrary commands. It uses the host command, not a system call, to resolve host names.\r\n\r\nFigure 4: A part of the code to execute the host command\r\n\r\nThere are also two types in terms of sending data: one sends data with RC4 encryption and the other sends data as it is. Some samples of the former have a unique behavior of sending the S-Box data used for encryption to the server.\r\n\r\nFigure 5: A part of the code that sends S-Box data to the server\r\n\r\nDistribution of Hipid using malicious PyPI packages\r\n\r\nAlthough this is not directly related to the attack that exploits the BIG-IP vulnerability, JFrog reports that the same type of malware as the one described above was registered as a malicious PyPI package in the past [1]. Figure 6 shows the contents of the malicious package's setup.py. The attacker probably did not take control of an existing package but instead registered a malicious package on PyPI and installed it on the compromised systems.\r\n\r\nFigure 6: Contents of setup.py\r\n\r\nThe malware itself was included in __init__.py encoded in Base32, as shown in Figure 7. The malware is installed after decoding, overwriting /usr/sbin/syslogd.\r\n\r\nFigure 7: Base64-encoded malware\r\n\r\nIn addition, the malware uses the mount command to hide its running process, as shown in Figure 8.\r\n\r\nFigure 8: Process hiding using the mount command\r\n\r\nIn closing\r\n\r\nThe incident described in this report is currently under control and no longer affects many environments. BlackTech has been observed in a number of cases in recent years in which vulnerabilities in externally accessible systems are exploited. In the case described here, the vulnerability was exploited shortly after it was disclosed, and thus patch management continues to be important.\r\n\r\nShusei Tomonaga\r\n(Translated by Takumi Nakano)\r\n\r\nAcknowledgments\r\n\r\nWe would like to thank Shachar Menashe of JFrog for his assistance with this study.\r\n\r\nReferences\r\n\r\n[1] JFrog Discloses 3 Remote Access Trojans in PyPI, https://jfrog.com/blog/jfrog-discloses-3-remote-access-trojans-in-pypi/\r\n\r\nAppendix A: C2 servers\r\n139.180.201.6\r\n108.160.138.235\r\n108.160.132.108\r\nnaaakkk.wikaba.com\r\nntstore.hosthampster.com\r\nblog.mysecuritycamera.com\r\n139.162.112.74\r\n\r\nAppendix B: Malware hash values\r\n9603b62268c2bbb06da5c99572c3dc2ec988c49c86db2abc391acf53c1cccceb\r\ncb1a536e11ae1000c1b29233544377263732ca67cd679f3f6b20016fbd429817\r\n3d18bb8b9a5af20ab10441c8cd40feff0aabdd3f4c669ad40111e3aa5e8c54b8\r\n\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html"
	],
	"report_names": [
		"bigip-exploit.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eefe398c114ddbed11c97fdc1ab2d684b4193d0e.pdf",
		"text": "https://archive.orkl.eu/eefe398c114ddbed11c97fdc1ab2d684b4193d0e.txt",
		"img": "https://archive.orkl.eu/eefe398c114ddbed11c97fdc1ab2d684b4193d0e.jpg"
	}
}