### An analysis of recent BlackTech operations & an open directory full of exploits

###### Sveva Vittoria Scenarelli and Adam Prescott, October 2021

-----

###### Speakers

● Senior Cyber Threat Intelligence Analyst; APAC-based APTs; infrastructure hunter; CONFidence 2021 & 2020, VirusBulletin 2020; Cyberpunk; @cyberoverdrive
● Malware Reverse Engineering Lead; C2 protocols; obfuscation techniques; IDA automations; @malworms

-----

###### Agenda

A history of BlackTech (PwC alias: Red Djinn)

Intrusion chain analysis
● Document lures
● Macros
● Flagpro
● BTSDoor
● Infrastructure

The open directory
● Times.exe
● Citrix exploit
● Mikrotik exploits
● Other tools

Back to Black(Tech)

-----

###### A history of BlackTech (timeline figure; only the slide labels survived extraction)

● 2010: Shrouded Crossbow first operations begin
● BlackTech uses router-level MitM attack to deploy
● Industry Company digital certificate
● First known ELF variants of TSCookie and PLEAD used in

-----

###### Intrusion chain

Spearphishing email: BlackTech sends an email to the target, spoofing the address of a legitimate company.

Malicious Excel document: the Excel file is password-protected and asks the user to “Enable content” to view the page.

VBA macros: the macros concatenate a decimal-encoded array, decode it to a PE payload, and drop it in the Startup folder.

Flagpro downloader: the downloader can perform C2 via the IWebBrowser2 interface and execute basic commands.

Victim profiling: BlackTech can issue commands, such as whoami, to Flagpro implants to profile the infected victim.

BTSDoor: if the victim is of interest to the threat actor, Flagpro can download and execute a backdoor.
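As an added example (not code from the deck or from PwC), a small Python triage script for the dropper macros described in the chain above: it pulls the string literals out of VBA source, joins them the way the macro's concatenation would, decodes the decimal-encoded byte array, checks it for a PE header, and reports any literal path pointing into the Startup folder. The macro text is constructed for the demo and carries only the first bytes of a PE.

```python
import re

# Constructed VBA fragment mimicking the dropper: byte values as decimal
# literals split across string concatenations, then written to Startup.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim s As String
    s = s & "77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0,"
    s = s & "184,0,0,0,0,0,0,0,64,0,0,0,0,0,0,0,"
    s = s & "0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"
    s = s & "0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,0,"
    s = s & "80,69,0,0,76,1"
    Dropper s, Environ("APPDATA") & "\Microsoft\Windows\Start Menu\Programs\Startup\dwm.exe"
End Sub
'''

STRING_LITERAL = re.compile(r'"([^"]*)"')
# A run of at least 16 comma-separated values of up to three digits.
DECIMAL_RUN = re.compile(r'\d{1,3}(?:\s*,\s*\d{1,3}){15,}')
STARTUP_PATH = re.compile(r'[^"]*\\Startup\\[^"]*')

def extract_decimal_runs(macro_text):
    # Join every string literal (as the macro's & concatenation would) and
    # decode each long decimal run whose values all fit in a byte.
    joined = "".join(STRING_LITERAL.findall(macro_text))
    blobs = []
    for match in DECIMAL_RUN.finditer(joined):
        values = [int(v) for v in re.split(r"\s*,\s*", match.group(0))]
        if all(v <= 255 for v in values):
            blobs.append(bytes(values))
    return blobs

def looks_like_pe(blob):
    # MZ at offset 0 and the PE signature at e_lfanew (offset 0x3C).
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_macro(macro_text):
    # Decoded PE payloads plus any literal path under the Startup folder.
    payloads = [b for b in extract_decimal_runs(macro_text) if looks_like_pe(b)]
    drop_paths = [m.group(0) for m in STARTUP_PATH.finditer(macro_text)]
    return {"pe_payloads": payloads, "drop_paths": drop_paths}
```

On real macro dumps (for example from olevba), the same two signals, a decodable PE and a Startup path literal, are what distinguish this dropper from benign macros that merely build strings.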
-----

###### Malicious document

|Field|Value|
|---|---|
|SHA-256|ba27ae12e6f3c2c87fd2478072dfa2747d368a507c69cd90b653c9e707254a1d|
|Filename|线路信息.xlsm (Chinese: “line information”)|
|File type|MS Excel document|
|Creation date|2006-09-16 00:00:00|
|Last modified date|2021-07-14 02:40:12|

-----

###### Macros

● The malicious document requires the victim to “Enable content”, hence it needs trust from the target
● Decodes a decimal-encoded string to an EXE and drops it into Startup as dwm.exe, to execute on reboot
● In other macros, the payload is immediately executed via ShellExecute
● 2018 and 2020: dropping TSCookie, likely to target Taiwan
● 2021: dropping FlagPro

-----

###### Flagpro downloader

|Field|Value|
|---|---|
|Filename|dwm.exe|
|File type|Win32 EXE|
|Compile timestamp|2021-06-22 07:01:31|
|File size|467,968 bytes|

● 32-bit executable
● Persistence: written by the dropper macros to the Startup folder
● Mutex: 71564__40Fllk293_DD71_4715_A3177782516DB5__71564_ (other samples have very similar ones; only the first-to-last chunk of the mutex string changes)
● Download files: writes data received from the C2 to the path %TEMP%\MY[random chars].tmp; it can then append the .exe extension to the file and execute it
● Backdoor status strings: lots of strings left in plaintext in the downloader

-----

###### Flagpro C2

C2 is performed through the IWebBrowser2 interface.

C2 responses are Base64-encoded commands, for example:
Exec|Exec|cmd.exe /c "whoami "|600000

URLs:
● index.htmld?flag=[base64 results of the command received from the C2]
● index.htmld?flagpro=[base64 results of the enumerated credentials]

-----

###### BTSDoor (2018 sample)

|Field|Value|
|---|---|
|SHA-256|ee6ed35568c43fbb5fd510bc863742216bba54146c6ab5f17d9bfd6eacd0f796|
|Filename|ChtIME.exe|
|File type|Win32 EXE|
|Compile timestamp|2018-09-20 07:30:16|

● 32-bit executable
● No persistence mechanisms
● Becomes inactive if its C2 resolves to 111.111.111[.]111 or 222.222.222[.]222
● Relatively few strings, no obfuscation

-----

###### Infrastructure

Domain naming themes:
● update
● product (CentOS, McAfee, Symantec)
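As an added example (not code from the deck or from PwC), a Python triage helper for the Flagpro C2 pattern above: it flags proxy-log requests to index.htmld carrying a flag= (command results) or flagpro= (enumerated credentials) parameter, base64-decodes what the implant sent, and splits a captured C2 response into its pipe-separated fields. The log lines and the c2.example.test host are constructed, and the field names in decode_command are assumptions; the deck shows only the raw string.

```python
import base64
from urllib.parse import urlsplit

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed proxy log lines ("client method url status"); c2.example.test
# is a placeholder, not an indicator from the deck.
SAMPLE_LOG = [
    "10.0.0.5 GET http://c2.example.test/index.htmld?flag=" + b64(b"desktop-01\\alice\r\n") + " 200",
    "10.0.0.5 GET http://c2.example.test/index.htmld?flagpro=" + b64(b"intranet.example.test|alice|Summer2021") + " 200",
    "10.0.0.7 GET http://c2.example.test/index.htmld?flag=not%20base64 404",
    "10.0.0.8 GET http://cdn.example.test/index.html?flag=1 200",
]
# The C2 response quoted in the deck, base64-encoded as the implant receives it.
SAMPLE_RESPONSE = b64(b'Exec|Exec|cmd.exe /c "whoami "|600000')

def query_params(url):
    # Split by hand: parse_qs would turn '+' into a space and corrupt raw base64.
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    return params

def try_b64(value):
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def find_beacons(log_lines):
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3 or not urlsplit(parts[2]).path.endswith("/index.htmld"):
            continue
        params = query_params(parts[2])
        for key, kind in (("flag", "command_result"), ("flagpro", "credentials")):
            if key in params:
                hits.append({"client": parts[0], "kind": kind, "decoded": try_b64(params[key])})
    return hits

def decode_command(b64_response):
    # Field names are assumptions: the deck shows only the raw pipe-separated string.
    raw = try_b64(b64_response)
    if raw is None:
        return None
    fields = raw.split("|")
    if len(fields) != 4:
        return {"raw": raw}
    return dict(zip(("type", "subtype", "command_line", "parameter"), fields))
```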
-----

###### The open directory

Pivoting on one of the domains, update[.]centosupdates[.]com, led us to tweets by user @r3dbU7z showing the contents of an open directory in May and July 2021. Several files from it are on VirusTotal.

Contents:
● Known BlackTech tools:
○ Consock
○ FlagPro
● Exploits
● Vulnerability scanner
● Post-exploitation utilities

Several files were added to the folder between May (above) and July (right); notably the folders ccc.zip, chajian.rar, poc.rar and PocList-main (new).zip. Also added: Consock and Flagpro.

-----

###### Times.exe

● Win32 interactive GUI implant controller
● Version 1.2, as compiled on 25th February 2021
● Controller for Consock (depending on hardcoded password)
● File size: 3,284,992 bytes

“Setting” requires:
● a port to listen on;
● seconds to listen for;
● a password.

-----

###### Times.exe (continued)

● Designed for a Chinese language pack: if the system is configured in another language, resources won’t display
● Requires a specific password to start the server
● Range of commands:
○ gathering user and victim system information (including virtual machine detection and whether it’s a workstation, a DC, …);
○ executing operator-defined shell commands;
○ filesystem interaction;
○ warning the controller’s operator of the presence of antivirus programs on the victim machine;
○ compressing and exfiltrating files chosen by the operator.

-----

###### Exploits

● Exploits for known CVEs in routers, cloud platforms, and databases
● All the exploits are implemented in the pocsuite3 framework
● Most exploits reference the Chinese vulnerability and exploit database Seebug
● Most of these vulnerabilities were first submitted to Seebug in April 2021 (e.g.
Oracle WebLogic released in April, vuln score 7.5)

|Folder name|Contents|
|---|---|
|Cisco CVE-2021-1472 + CVE-2021-1473|Cisco RV series authentication bypass and remote command execution exploit|
|Hongdian CVE-2021-28149 + CVE-2021-28152|Hongdian H8922 router directory traversal and remote command execution as root exploit|
|Ricon Telnet RCE|Described in the code as “ricon industrial router telnet backdoor rce”|
|VMWare vRealize RCE CVE-2021-21975 + CVE-2021-21983|VMware vRealize Operations unauthenticated code execution exploit|
|Oracle weblogic 10.3.x RCE|WebLogic ‘marshallobject’ RCE exploit|
|Weblogic RCE CVE-2021-2135|Oracle WebLogic Server unauthenticated access and takeover exploit|

-----

###### Citrix exploit

An exploit for a Citrix NetScaler vulnerability. Similar ones have been explored here: https://blog.unauthorizedaccess.nl/2020/07/07/adventures-in-citrix-security-research.html

-----

###### Targeted sectors (BlackTech focus)

● Government
● Financial services
● Media
● Engineering / Construction
● Manufacturing
● Professional / Managed services

BlackTech is a China-based, espionage-motivated threat actor. Some of its main aims include:
● stealing intellectual property and proprietary technologies;
● gathering information about the activities of companies of interest;
● compromising governments (including the Taiwanese one) and entities relevant to Chinese strategic objectives.

Targeting has concentrated on Taiwan, occasionally Japan and Hong Kong, but also includes China and the US.

All eyes are on Taiwan as a crucial supplier of semiconductors, as well as on Japanese manufacturing.
-----

###### Back to Black(Tech): attribution

Attribution is never as simple as just one item or just one connection:
● Macros (Excel in both cases) seen in 2018 dropping TSCookie, now dropping Flagpro
● Arrived at the open directory by pivoting from BlackTech infrastructure
● The open directory contained:
○ Consock, attributed firmly to BlackTech due to ties to previous infrastructure
○ Flagpro (substantiating the link)
● Targeting of Chinese subsidiaries of Japanese companies, MSPs

-----

# Thank you!

##### For any questions...

###### @cyberoverdrive pwc.co.uk/cybersecurity @malworms

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for

-----

###### References

● ‘Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage’, ESET: Anton Cherepanov, https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/ (14th May 2019)
● ‘Malware Used by BlackTech after Network Intrusion’, JPCERT: Shusei Tomonaga, https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html (18th September 2019)
● ‘Downloader IconDown used by the attack group BlackTech’, JPCERT: Shintaro Tanaka, https://blogs.jpcert.or.jp/ja/2019/10/IconDown.html (23rd October 2019)
● ‘Waterbear Returns, Uses API Hooking to Evade Security’, Trendmicro: Vickie Su, Anita Hsieh, Dove Chiu, https://www.trendmicro.com/en_gb/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html (11th December 2019)
● ‘Evil hidden in shellcode: The evolution of DBGPrint’, Team T5: CiYi "YCY" Yu, Aragorn Tseng, https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf (January 2020)
● ‘ELF_TSCookie - Linux Malware Used by BlackTech’, JPCERT: Shusei Tomonaga, https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html (5th March 2020)
● ‘調查局首度揭露國內政府委外廠商成資安破口的現況,近期至少10個公家單位與4家資訊服務供應商遇害’ [‘Investigation Bureau reveals for the first time how domestic government contractors have become security breach points; at least 10 public agencies and 4 IT service providers recently victimised’], ITHome: Luo Zhenghan, https://www.ithome.com.tw/news/139504 (19th August 2020)
● ‘Taiwan urges blocking 11 China-linked phishing domains’, Taiwan News: Sophia Yang, https://www.taiwannews.com.tw/en/news/3991160 (20th August 2020)
● ‘Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors’, Symantec, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt (29th September 2020)
● ‘Taiwan Government Targeted by Multiple Cyberattacks in April 2020’, Cycraft Technology Corp, https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-1980acde92b0 (8th October 2020)
● ‘ELF_PLEAD - Linux Malware Used by BlackTech’, JPCERT: Shusei Tomonaga, https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html (16th November 2020)
● ‘BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech’, PaloAlto Unit42: Mike Harbison, https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/ (9th February 2021)
● ‘Exposing the Password Secrets of Internet Explorer’, SecurityXploded, https://securityxploded.com/iepasswordsecrets.php
● ‘Adventures in Citrix security research’, Unauthorized Access Blog: Donny Maasland, https://blog.unauthorizedaccess.nl/2020/07/07/adventures-in-citrix-security-research.html (7th July 2020)

-----