QUICKLOOK: BlackTech: A Persistent Cyber Espionage Threat in East Asia
Unveiling the Evolution and Connections of PLEAD, Shrouded Crossbow, and Waterbear Campaigns
BLUF
BlackTech has been confirmed to be a state-sponsored APT group with links to the Chinese Ministry of State Security (MSS) and potentially the People's Liberation Army (PLA). The group's activities align with the strategic interests of the Chinese government, targeting sectors such as government, industrial, technology, media, electronics, telecommunication, and defense. BlackTech is notorious for its sophisticated malware arsenal, including the Waterbear and Deuterbear malware families, which employ advanced evasion techniques and a distributed command and control (C2) infrastructure.
Sources: CISA, The Hacker News.
Assessment
BlackTech Overview
Also known as CIRCUIT PANDA, Earth Hundun, G0098, HUAPI, Manga Taurus, Palmerworm, Red Djinn, T-APT-03, and Temp.Overboard, BlackTech is a cyber espionage group targeting East Asia, particularly Taiwan, Japan, and Hong Kong. Their campaigns are designed to steal technology from their targets, using sophisticated tactics and techniques.
Notable Campaigns:
PLEAD: Active since 2012, PLEAD targets Taiwanese government agencies and private organizations. It uses spear-phishing emails to deliver the PLEAD backdoor and the DRIGO exfiltration tool, often leveraging cloud storage accounts for malware delivery and document exfiltration. PLEAD actors also use router scanner tools to identify and exploit vulnerable routers, enabling them to set up virtual servers for C2 or malware delivery.
Shrouded Crossbow: Details of this campaign are less well known, but it is connected to BlackTech's ongoing espionage activities.
Waterbear: A sophisticated malware family known for its extensive evasion techniques and persistence mechanisms.
Waterbear: A Versatile and Evasive Threat
First discovered in 2009, Waterbear is a highly complex malware that has undergone numerous updates over the years, showcasing Earth Hundun's commitment to refining their tools. Waterbear's primary objective is to establish a persistent foothold on infected systems, enabling the attackers to steal sensitive data, deploy additional malware, and launch further attacks.
Notable Features:
Anti-debugging and anti-sandboxing: Waterbear employs sophisticated methods to detect and avoid running in debugging environments or sandboxes, making it challenging for security researchers to analyze its behavior.
Dynamic code resolution: By resolving certain code elements at runtime, Waterbear complicates static analysis efforts, as the malware's full functionality cannot be easily discerned from its code alone.
Persistence mechanisms: Waterbear utilizes various techniques to ensure it remains active on infected systems, even after reboots or attempts to remove it. This allows Earth Hundun to maintain long-term access to compromised networks.
Distributed command and control (C2) infrastructure: Waterbear communicates with a network of geographically dispersed C2 servers, making it more difficult for defenders to detect and block malicious traffic.
While the specific payloads delivered by Waterbear are still under investigation, security experts suspect that the malware can download and execute a wide range of malicious tools, including:
Remote Access Trojans (RATs): These powerful tools grant attackers complete control over compromised systems, enabling them to steal data, install additional malware, and pivot to other machines on the network.
Information stealers: Waterbear may deploy malware designed to harvest sensitive data, such as login credentials, financial information, and intellectual property, which can be used for espionage or sold on the dark web.
Cryptominers: Earth Hundun could leverage Waterbear to install cryptocurrency mining software on infected machines, transforming them into unwitting revenue streams for the attackers.
Deuterbear: The Next Generation of Earth Hundun Malware
In recent months, security researchers have identified a new variant of Earth Hundun's malware arsenal, dubbed Deuterbear. Although details are still emerging, initial analysis suggests that Deuterbear is a successor to Waterbear, potentially boasting enhanced capabilities and even more robust evasion techniques.
Notable Changes in Deuterbear:
Executed only during specific times, likely to avoid behavioral analysis
Enhanced anti-memory scanning that encrypts/decrypts functions in new virtual memory
Encrypted downloader path and decryption keys stored in registry
Use of CryptUnprotectData API for downloader decryption instead of just salted RC4
HTTPS communication with modified packet header structure
RC4 keys for C2 traffic generated by the server instead of the victim
Final RAT payload delivered in shellcode format rather than a PE file
These advancements demonstrate Earth Hundun's efforts to further obfuscate Deuterbear's behavior and hinder analysis by security researchers.
Deuterbear Network Behavior
Based on Trend Micro's analysis, Deuterbear employs a multi-step process to establish HTTPS communication with its command and control (C2) servers and download the RAT payload:
The Deuterbear downloader establishes an HTTPS connection with the C2 server.
It sends an RSA public key to the C2 server for encrypting future communications.
The C2 server responds with two RC4 keys (RC4_KEY_1 and RC4_KEY_2) encrypted using the provided RSA key. RC4_KEY_1 is used for victim-to-C2 traffic, while RC4_KEY_2 is used for C2-to-victim communications.
The downloader verifies the RC4 decryption by sending an encrypted download request containing a signature.
If verified, the C2 server sends back the RAT payload size.
The C2 server then delivers the RAT payload in chunks, encrypted with RC4_KEY_2, until the transfer is complete.
This complex communication protocol, leveraging both asymmetric (RSA) and symmetric (RC4) encryption, allows Deuterbear to evade network-based detection while securely retrieving its next-stage payload.
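As an added example (not code from this report or from Trend Micro), the following Python models steps 2 through 6 of that exchange in a single process so an analyst can see which key protects which message and why the RC4 key material never appears in a static sample. The RSA stand-in is textbook RSA over two known Mersenne primes and is not secure; the signature bytes, chunk size, size-field layout and the per-message keystream reset are constructed assumptions, not observed Deuterbear values.

```python
import os
import struct

# Textbook RSA stand-in on two known Mersenne primes (assumption: the real
# downloader carries a proper RSA key; this one is NOT secure, only large
# enough that a 16-byte RC4 key fits in one block).
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def rsa_wrap(key16: bytes) -> int:      # C2 side: wrap an RC4 key with the victim's public key
    return pow(int.from_bytes(key16, "big"), E, N)

def rsa_unwrap(c: int) -> bytes:        # downloader side: recover the RC4 key
    return pow(c, D, N).to_bytes(16, "big")

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

SIGNATURE = b"CONSTRUCTED-SIG"   # placeholder marker, not a real Deuterbear value
CHUNK = 64                       # assumed chunk size; each message gets a fresh keystream

def simulate_session(payload: bytes) -> dict:
    """Walk steps 2-6 of the exchange; the HTTPS transport (step 1) is assumed."""
    # Step 2/3: the downloader's public key (N, E) reaches the C2, which generates
    # both RC4 keys itself and returns them RSA-wrapped.
    k1, k2 = os.urandom(16), os.urandom(16)                 # C2-side key material
    rc4_key_1, rc4_key_2 = (rsa_unwrap(rsa_wrap(k)) for k in (k1, k2))
    # Step 4: the downloader proves it holds RC4_KEY_1 with a signed download request.
    request = rc4(rc4_key_1, SIGNATURE + b"GET")
    if not rc4(k1, request).startswith(SIGNATURE):         # C2-side verification
        return {"verified": False}
    # Step 5: C2 returns the payload size; step 6: chunks under RC4_KEY_2.
    size = struct.unpack("<I", rc4(rc4_key_2, rc4(k2, struct.pack("<I", len(payload)))))[0]
    chunks = [rc4(k2, payload[i:i + CHUNK]) for i in range(0, len(payload), CHUNK)]
    received = b"".join(rc4(rc4_key_2, c) for c in chunks)[:size]
    return {"verified": True, "size": size, "chunks": len(chunks), "payload": received}
```

A harness like this is useful for checking that a sandbox or proxy log captures the shape of the handshake (public key out, two wrapped keys back, a short signed request, then sized chunks) even though every message body is opaque; the only place RC4_KEY_1 and RC4_KEY_2 exist in clear is the running process memory of both ends.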
Deuterbear Configuration Structure
Trend Micro's research also provides insights into Deuterbear's configuration structure, which contains various settings and data used by the malware:
Key Components:
Signature and version information
Encryption keys and algorithms
C2 server addresses
Execution time limits (likely for anti-analysis)
Lists of API hashes, addresses, and names
Traffic keys and crypto parameters
By storing this configuration data alongside the compiled code, Earth Hundun maintains flexibility in deploying and updating Deuterbear for different targets while keeping core functionality intact.
Proof of Concepts (PoCs)
Waterbear PoC
Exploit Description: Waterbear leverages vulnerabilities such as CVE-2017-11882, a memory corruption vulnerability in Microsoft Office that allows remote code execution.
PoC Link: CVE-2017-11882 Exploit
Execution: Open the crafted malicious Office document to trigger the exploit and execute arbitrary code.
Deuterbear PoC
Exploit Description: Deuterbear employs advanced techniques, including a complex HTTPS communication protocol with its C2 servers.
PoC Link: None publicly available at this time.
Execution: Set up a controlled environment to simulate Deuterbear's multi-step HTTPS communication with its C2 servers.