
Three Separate Cyber Espionage Campaigns Linked to the Same BlackTech Hacker Group

Posted: June 27, 2017

In the past, stealing confidential information from an organization meant a disgruntled employee rummaging through filing cabinets while the boss was out of the office. Things have moved on since then. Today everything is stored on PCs and servers, and well-resourced cyber espionage groups can exfiltrate that data over the Internet without ever setting foot in the building. BlackTech appears to be among the more capable crews of this sort.

Trend Micro researchers believe that BlackTech is responsible for three information-stealing campaigns that were previously thought to be separate attacks by different threat actors. After a lengthy investigation, the researchers found similarities in the techniques used and links between the attacks. The Command and Control (C&C) infrastructure also overlapped in some cases. Shared infrastructure is not that unusual in spray-and-pray malware campaigns, but when the attacks are targeted it can be an important piece of evidence during attribution. So what makes BlackTech special?

Hacker Groups Initiating Original Methods To Launch Damaging Campaigns

For one, their Tactics, Techniques, and Procedures (TTPs) are not exactly off-the-shelf. The group has come up with a number of clever and unusual methods to infect its victims. That said, despite the occasional use of exploits, most of the attacks have been initiated with the most trivial weapon in the hackers' arsenal: the spear phishing email.

This presents a problem. We're talking about high-profile targets here, which means the victims are unlikely to click on a random EXE file attached to an unexpected email. That's why BlackTech used an old technique called Right-to-Left Override (RTLO) to disguise the attachment.

Right-to-Left Override is a non-printing Unicode control character (U+202E) that tells text-rendering software to draw the characters that follow it from right to left, as it would for Arabic or Hebrew. Placed in the right spot in a filename, it makes an ordinary executable look like a Word document. For example, the attacker names the file "Invoice", followed by the RTLO character, followed by "cod.exe"; a file manager that honours the override draws "cod.exe" backwards, so the user sees "Invoiceexe.doc". The operating system ignores the visual trick and still treats the file as an executable, and if it was sent by BlackTech, it would most likely be a rather powerful backdoor.
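The filename trick described above, as an added example that is not BlackTech's code and does not come from the Trend Micro report: the script builds a spoofed name the way an attacker would, shows what a bidi-aware file manager renders, and flags names whose displayed extension differs from the one the operating system will actually use. The "Invoice" filename is a constructed sample.

```python
# Added example (not BlackTech's code, not from the Trend Micro report):
# how a Right-to-Left Override filename spoof works and how to flag it.
# The "Invoice" filename used below is constructed for illustration.
import os

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character BlackTech abuses

# Unicode bidi control characters that have no business in a filename
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"                     # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
)


def spoofed_name(visible_prefix, reversed_tail):
    """Build the on-disk name an attacker would use. The tail is stored
    backwards so a bidi-aware renderer shows it the 'right' way round:
    spoofed_name("Invoice", "cod.exe") is stored as Invoice<U+202E>cod.exe
    and displayed as Invoiceexe.doc."""
    return visible_prefix + RLO + reversed_tail


def rendered(name):
    """Approximate what a bidi-aware file manager displays: everything after
    the override is drawn right to left, i.e. reversed, until end of string.
    Good enough for ASCII letters and dots; the full bidi algorithm also
    treats digits and some punctuation specially."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def true_extension(name):
    """The extension the OS actually uses, taken from the raw string."""
    return os.path.splitext(name)[1].lower()


def displayed_extension(name):
    """The extension the user believes they are looking at."""
    return os.path.splitext(rendered(name))[1].lower()


def has_bidi_control(name):
    """Any bidi control character in a filename is suspicious on its own."""
    return any(ch in BIDI_CONTROLS for ch in name)


def is_rtlo_spoof(name):
    """True when the name contains a bidi control AND the extension the
    user sees differs from the one the OS will execute."""
    return has_bidi_control(name) and displayed_extension(name) != true_extension(name)


def strip_bidi_controls(name):
    """Safe form of the name for logging or quarantine."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


if __name__ == "__main__":
    lure = spoofed_name("Invoice", "cod.exe")   # constructed sample
    print("stored as:   ", ascii(lure))
    print("displayed as:", rendered(lure))
    print("real ext:    ", true_extension(lure))
    print("spoof?       ", is_rtlo_spoof(lure))
```

The check is cheap enough to run on every attachment name at a mail gateway and on every file name written to a download directory; flagging any bidi control character at all (has_bidi_control) is the conservative policy, since legitimate filenames almost never contain them, while is_rtlo_spoof isolates the cases where the rendered and real extensions disagree.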

BlackTech Hacker Group Adds To The Growing Fray Of Cyber Attacks

The first campaign Trend Micro discussed is called Plead. It started in 2012 and consists of an eponymous backdoor and an information exfiltration tool called Drigo. The Plead attackers also use a router scanner that checks the make and model of a router and, where possible, enables its VPN feature. They then register a machine as a virtual server and use it either as a C&C server or as an HTTP server that delivers the malware. The Plead attackers have also been seen exploiting vulnerabilities in the victim's own servers in order to use them for the same purpose.

Once installed, the backdoor can harvest login credentials stored in web browsers and email clients, open a remote shell, and upload, execute, and delete files. Meanwhile, the Drigo tool uses authentication tokens to sign in to Google accounts and either dumps the stolen data into a Google Drive folder or relays it through SMTP.

The Plead campaign shows how technically capable the BlackTech hackers are. Shrouded Crossbow, another cyber espionage campaign they launched in 2010, shows that they are well-funded as well.

Shrouded Crossbow incorporates three separate backdoors: Bifrose, Kivars, and Xbow. BlackTech shouldn't get all the credit in this instance, though. Rather than developing the malware from scratch, for this campaign BlackTech spent a considerable amount of money to buy Bifrost, a backdoor that has been around since the early 2000s. They then added and removed functionality to make their own backdoors stealthier, lighter, and more suited to their needs. Communication with the C&C is hidden behind the Tor network, and although Bifrose, Kivars, and Xbow differ slightly, they can all perform a range of malicious actions: listing drives, downloading and executing files, taking screenshots, and triggering mouse clicks or keyboard input.

Over the years the campaign has evolved. Bifrose, for example, was at one point ported to UNIX-based systems, which let the hackers infect a greater number of servers. At the same time, the wider adoption of x64 systems prompted them to release a 64-bit variant of Kivars.

The final (for now) cyber espionage campaign Trend Micro linked to BlackTech is called Waterbear. The researchers didn't say exactly when it started spreading, but they pointed out that in all probability this particular backdoor acts as stage 2 of the group's attacks. The malware consists of modified but otherwise benign executables that load malicious DLLs. To build them, BlackTech had to know what software was installed on the victims' servers and what the network looked like.

Three separate campaigns, a number of highly sophisticated tools, and an even greater number of victims in the Far East, including government agencies and contractors, financial institutions, and companies in the consumer electronics and healthcare sectors: this is what the BlackTech hackers have brought to the world so far. We're scared to think what they might do next.
