
BlackTech

Posted: October 2, 2020

BlackTech is a threat actor with a history of long-running espionage campaigns against corporate targets. The group has a non-exclusive focus on Asian companies and leverages sophisticated, custom-made threats alongside general-purpose tools for collecting information from systems. Users should be on guard for likely infection vectors such as e-mail attacks, and should use dedicated security software to remove all BlackTech software.

Watching Some of the Blackest Technology in Cyber-Espionage

As long as profit or governmental interests remain the stakes, one can anticipate future hacking campaigns from well-funded threat actors like the Rampant Kitten APT, the Lotus Blossom APT or Vicious Panda. Many of these entities, such as Vicious Panda, are widely believed to be beneficiaries of Chinese state sponsorship. Whether or not this is true of BlackTech, the group certainly conforms to many of the expectations of network hackers operating at that nation's behest.

BlackTech, also known as Palmerworm, appears to have been active since around 2013, although many analyses of its tools, such as the Plead Backdoor Trojan, only begin in 2019. The group owns both the Plead Backdoor and Kivars, but more recent attacks leverage brand-new threats, such as Consock, Dalwit and Waship. The majority of these Trojans, which include backdoor features that let attackers survey and control compromised systems, are developed in-house and attributable solely to the BlackTech organization.

However, malware experts also note that BlackTech is willing to use living-off-the-land or LOLBin-style software and features, including WinRAR for archiving stolen files and networking utilities like SNScan and PsExec. Campaigns can last days, weeks or months, depending on the targets. Concerning regional preferences, BlackTech shows a high interest in Asian companies, including Chinese ones, and periodically targets entities in other regions, even ones as distant as the United States.
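Because the tools named above (WinRAR, SNScan, PsExec) are legitimate and often already present on corporate hosts, defenders cannot block them outright; the practical approach is to flag the specific usage patterns that matter. The following script is an added example, not code from the original article or from any vendor: it runs a few such rules over process-creation events. The pipe-delimited log format, the field layout and every sample event are constructed for this example, and the rule set is an illustrative subset rather than a complete BlackTech signature.

```python
"""Flag living-off-the-land tool use over process-creation events.

Added example (not from the original article). The rules cover the three
legitimate tools the article associates with BlackTech intrusions:
  * WinRAR/rar.exe *creating* an archive (staging stolen files), with an
    extra flag when the archive is password-protected (-p / -hp switches)
  * SNScan running at all (network discovery)
  * PsExec: either the PsExec binaries themselves, or any process whose
    parent is PSEXESVC.exe (the service PsExec drops on the remote host)
The log format and all sample events are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent process
    cmdline: str


# Constructed sample log: one event per line, fields separated by '|':
# host|user|image|parent_image|cmdline
SAMPLE_LOG = """\
WS01|corp\\alice|C:\\Program Files\\WinRAR\\WinRAR.exe|C:\\Windows\\explorer.exe|"C:\\Program Files\\WinRAR\\WinRAR.exe" x report.rar
WS01|corp\\alice|C:\\Program Files\\WinRAR\\rar.exe|C:\\Windows\\System32\\cmd.exe|rar.exe a -hpS3cret! C:\\Windows\\Temp\\1.rar "C:\\Users\\alice\\Documents\\contracts"
WS07|corp\\svc_build|C:\\Users\\Public\\snscan.exe|C:\\Windows\\System32\\cmd.exe|snscan.exe
FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\PSEXESVC.exe|C:\\Windows\\System32\\services.exe|C:\\Windows\\PSEXESVC.exe
FS02|corp\\admin|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\PSEXESVC.exe|cmd.exe /c whoami
WS03|corp\\bob|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|notepad.exe notes.txt
"""

PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
ARCHIVERS = {"winrar.exe", "rar.exe"}


def parse_log(text: str) -> list[ProcessEvent]:
    """Parse the constructed pipe-delimited format into ProcessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, image, parent, cmdline = line.split("|", 4)
        events.append(ProcessEvent(host, user, image, parent, cmdline))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the list of rule names this event triggers (empty if benign)."""
    findings = []
    name = basename(ev.image)
    parent = basename(ev.parent_image)
    cmd = ev.cmdline

    # Rule 1: archiver invoked with the "a" (add/create) command. Plain
    # extraction ("x") is everyday user behaviour and is deliberately ignored.
    if name in ARCHIVERS and re.search(r'(^|["\s])a\s', cmd):
        tag = "winrar_archive"
        if re.search(r"\s-h?p\S", cmd):   # -p<pwd> or -hp<pwd>: encrypted archive
            tag += "_password"
        findings.append(tag)

    # Rule 2: SNScan has no routine business use on a workstation.
    if name == "snscan.exe":
        findings.append("snscan_network_discovery")

    # Rule 3a: PsExec client or its dropped service binary.
    if name in PSEXEC_IMAGES:
        findings.append("psexec_service")

    # Rule 3b: anything spawned by PSEXESVC.exe is a remotely issued command.
    if parent == "psexesvc.exe":
        findings.append("psexec_remote_execution")

    return findings


def scan(text: str) -> list[tuple[str, str, str]]:
    """Return (host, image basename, finding) for every suspicious event."""
    hits = []
    for ev in parse_log(text):
        for finding in classify(ev):
            hits.append((ev.host, basename(ev.image), finding))
    return hits


if __name__ == "__main__":
    for host, image, finding in scan(SAMPLE_LOG):
        print(f"{host}: {image} -> {finding}")
```

Running the script on the embedded sample yields four findings: the password-protected `rar.exe a` on WS01, SNScan on WS07, and both the PSEXESVC.exe service and the `cmd.exe` it spawned on FS02; the WinRAR extraction and the notepad launch are left alone. In a real deployment each of these is a triage signal rather than a verdict, and the value comes from correlating them in time, for instance an encrypted archive written under a temp directory shortly after a PsExec session on the same host.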

Overall, malware experts note that BlackTech shows the highest degree of apparent interest in specific industries: telecommunications, media, construction and finance. In these cases, attackers monitored compromised networks for up to months at a time, periodically exfiltrating valuable data.

Lightening Up a BlackTech Trojan Story

The sophistication and experience behind BlackTech's team are not insignificant. Attackers may use social engineering with highly detailed lures for custom targets, and may hide their payloads behind the expensive investment of signed digital certificates. Symptoms of BlackTech's reconnaissance may not be evident to users at all while it's ongoing, so malware experts instead recommend acting to prevent attacks from the outset.

Workers in at-risk industries in particular can heighten the safety of their systems with typical security precautions, including:

  • Being cautious of possible phishing e-mails. These e-mails may pretend that they're from well-known contacts or companies, with disguised attacks embedded in macro-abusing documents or obfuscated website links.
  • Maintaining updated software to reduce all vulnerabilities (CVE-2017-0145, CVE-2019-11581, etc.) to a bare minimum.
  • Avoiding passwords that attackers could breach with dictionary attacks.
  • Securing all RDP (Remote Desktop Protocol) features and software.

Dedicated security software also defends users semi-passively, blocking many drive-by-download attacks, and provides disinfection methods for any BlackTech threats that require removal.

BlackTech is a highly adaptive and specialized hacking group that operates with the same professionalism as any business. While most industry clashes are less overtly hostile than a backdoor Trojan's installation, this one goes to show that those who are lazy in their maintenance practices can end up owning a hollowed-out shell of a business.
