Blackgear Cyberespionage Campaign
Target: Public sector agencies, telecommunications companies and other high-technology industries.
Attack Vector: Via phishing email.
Summary: Researchers at Trend Micro have observed a continuing cyberespionage campaign by Blackgear. The campaign has been active since 2008 and is built around the Protux backdoor. Its notable new characteristic is that, instead of embedding C2 information directly in the malware, Blackgear abuses blogging, microblogging and social media services to host that configuration in public posts.
Blackgear’s attacks have targeted several regions, chiefly Japan, South Korea and Taiwan, and most commonly public sector agencies, telecommunications companies and other high-technology industries. Its delivery techniques include a RAR self-extracting executable (SFX) or an Office document carrying VBScript, either of which drops a decoy document alongside the malicious payload.
The malware is delivered by a phishing email carrying a decoy document or a fake installer file. The decoy extracts the Marade downloader, which saves itself to the Temp folder on the victim’s machine and then pads its own file size to over 50MB so that traditional sandbox solutions, which typically skip files above a size limit, do not analyse it. Marade checks whether the host can reach the internet and whether antivirus software is installed. If the host is online and has no antivirus, Marade retrieves its C2 configuration from a public blog or social media post controlled by Blackgear (a Facebook page has been used for this purpose). If it cannot connect, it falls back to the C2 configuration embedded in its code. The C2 server then sends Protux to the victim’s machine, where it is executed. Protux is a known backdoor that is loaded by abusing rundll32.exe; like Marade, it tests the host’s network connectivity and retrieves its own C2 server address from another blog post. For defenders, the practical consequence is that blocking a single hard-coded C2 address is not enough: the configuration can be rotated by editing a public post, so detection should also look at rundll32 loading DLLs from user-writable paths and at outbound connections from unexpected processes to blogging and social media services.
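The following is an added illustrative example, not Blackgear’s, Marade’s or Protux’s code, showing the “dead-drop resolver” pattern the summary describes: C2 configuration is hidden inside a public post between keyword markers, the downloader pulls and decodes it, and falls back to an embedded address when the post cannot be fetched. The marker keywords, the XOR-plus-base64 encoding, the sample post and the addresses are all assumptions chosen for the example; the page does not disclose the real markers or cipher. The last function shows the defender’s side: flagging posts that carry a tagged blob without needing the key.

```python
import base64
import re
from typing import Callable, Optional

# Hypothetical marker keywords and key. The real campaign's values are not
# given on the page; these are stand-ins for the example only.
START_TAG = "[[cfg]]"
END_TAG = "[[/cfg]]"
XOR_KEY = b"dead-drop-demo-key"

# Constructed sample values (documentation ranges, not real infrastructure).
TRUE_C2 = "203.0.113.10:443"
EMBEDDED_FALLBACK_C2 = "198.51.100.7:8080"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here as a stand-in for whatever cipher the
    real malware applies to its configuration."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(c2_host: str) -> str:
    """Attacker side: encrypt and base64-encode a C2 address so it can be
    pasted into an innocuous-looking post."""
    return base64.b64encode(xor_bytes(c2_host.encode(), XOR_KEY)).decode()


# Constructed sample post: filler text around the tagged blob, built at import
# time so the blob is guaranteed to match encode_config above.
SAMPLE_POST = (
    "Great weather this weekend, finally got the garden sorted.\n"
    f"{START_TAG}{encode_config(TRUE_C2)}{END_TAG}\n"
    "More photos soon!"
)

_TAGGED = re.compile(re.escape(START_TAG) + r"\s*([A-Za-z0-9+/=]+)\s*" + re.escape(END_TAG))


def extract_config(post_text: str) -> Optional[str]:
    """Downloader side: locate the blob between the markers and decode it.
    Returns None when no marker pair is present or the blob is not valid."""
    m = _TAGGED.search(post_text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return xor_bytes(raw, XOR_KEY).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def resolve_c2(fetch_post: Callable[[], str], embedded_fallback: str) -> tuple[str, str]:
    """Mirror the behaviour the summary describes: use the public post when it
    can be fetched and carries a usable config, otherwise use the address
    embedded in the binary. fetch_post stands in for the HTTP request and is
    expected to raise OSError when the host is offline."""
    try:
        text = fetch_post()
    except OSError:
        return embedded_fallback, "embedded"
    cfg = extract_config(text)
    if cfg is None:
        return embedded_fallback, "embedded"
    return cfg, "dead-drop"


def find_tagged_posts(posts: list[str]) -> list[int]:
    """Defender side: indices of posts that carry a marker-delimited base64
    blob. This needs only the marker keywords, not the key, which is why
    recovered markers are worth sharing as indicators."""
    return [i for i, p in enumerate(posts) if _TAGGED.search(p)]


if __name__ == "__main__":
    print("online :", resolve_c2(lambda: SAMPLE_POST, EMBEDDED_FALLBACK_C2))

    def offline() -> str:
        raise OSError("no route to host")

    print("offline:", resolve_c2(offline, EMBEDDED_FALLBACK_C2))
    print("flagged:", find_tagged_posts(["hello world", SAMPLE_POST, "[[cfg]] not base64! [[/cfg]]"]))
```

Note that `find_tagged_posts` deliberately requires a base64-shaped blob between the markers, so a post that merely mentions the keyword in ordinary text is not flagged; in practice the markers and encoding would be recovered from a sample of the downloader rather than guessed.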
Analyst Comment: This threat is assessed as MODERATE. The malware has been developed and improved over previous versions, which suggests the group will keep adopting new techniques to disguise its activity from antivirus software, increasing the likelihood of further attacks. Protux is an old backdoor first seen in 2005, and research has shown that several samples carry embedded version numbers. It was initially observed connecting directly to its C2 server; it now retrieves an encrypted configuration marked by keywords in social media and blog posts. Given that this continuing trend keeps finding new ways to evade antivirus, and the impact a compromise would have on a company’s brand and reputation, the risk is assessed as moderate.