A hyper active and “well-funded”cyberespionage group has been going after Asian targets, aimed at stealing businesses’ technology and trade secrets. Security experts have linked BlackTech to three different cyberespionage campaigns, dubbed PLEAD, Shrowded Crossbow and Waterbear.
The cyberespionage group is reportedly taking advantage of security flaws in outdated software, particularly in older Windows OS versions, as well as using leaked Hacking Team tools in active campaigns.
BlackTech hackers have been spotted using new and different hacking techniques that include unique backdoor implants and exfiltration techniques against various organisations. According to Trend Micro researchers, the three campaigns saw hackers use the same C&C (command and control) servers, similar tools and techniques, which indicate that the campaigns were “operated by the same group”.
The group is involved in campaigns targeting organisations primarily in Taiwan as well as Japan and Hong Kong.
“It is not uncommon, for instance, for a group—especially a well-funded one—to split into teams and run multiple campaigns,” the Trend Micro researchers said. “While most of the campaigns’ attacks are conducted separately, we’ve seen apparently joint operations conducted in phases that entail the work of different teams at each point in the infection chain.”
Top 5 hacker groups that made the internet a battleground
The researchers said BlackTech’s “ulterior motive” is to “steal important documents from their victims”. The hacker group also often went after other seemingly related targets to steal “decoy documents” which were then “used against another target”.
“This indicates that document theft is most likely the first phase of an attack chain against a victim with ties to the intended target,” the Trend Micro researchers added.
BlackTech using leaked Hacking Team tools
One of the exploits used by BlackTech for an Adobe Flash vulnerability (CVE-2015-5119) was reportedly a Hacking Team tool leaked after the spy tech manufacturer was breached.
BlackTech appears to share several similarities with APT12, a cyberespionage group linked to the Chinese military, according to FireEye. However, according to Trend Micro, there’s no definitive evidence to suggest that APT12 and BlackTech are linked.
“We’re seeing a continued investment by this group to keep their malware relevant,” Trend Micro VP Mark Nunnikhoven said, Cyberscoop repoprted. “That’s a strong indicator that this group is having some measure of success.”