A new actor has emerged and is aggressively pursuing targets in East Asia. Dubbed BlackTech, the group has been connected to three separate campaigns in recent years by Trend Micro, who recorded the group's activities in a recent report.
BlackTech has developed a particular taste for intellectual property and has most notably been pursuing private information and documents from its targets, which are mostly government bodies.
The PLEAD campaign has been around since 2012, targeting Taiwanese government bodies as well as private organisations. The campaign commonly uses a scanner to find vulnerable routers, then gains a foothold in the router's network by setting up a virtual server on the router and using it as a command and control server for its malware. PLEAD appears to be primarily interested in documents, which it harvests with the DRIGO tool. DRIGO ties the documents to PLEAD-owned Gmail accounts, which are used to retrieve them once stolen.
PLEAD has been using the Flash vulnerability (CVE-2015-5119) that was leaked when the Italian cyber-mercenary group Hacking Team was breached in 2015.
Shrouded Crossbow has been active since even earlier. Its activities were first noticed in 2010 and, much like PLEAD, it has, according to the report, been seen targeting “privatised agencies and government contractors as well as enterprises in the consumer electronics, computer, healthcare, and financial industries.” Researchers call the campaign “well resourced”, observing its use of the BIFROST backdoor, which the group has modified and used as the basis for other tools.
The third campaign, WaterBear, is notable for its use of modular malware. Not much is written about the campaign other than that its malware could be used as a secondary payload after access has already been gained to a target's systems.
A number of indicators point towards a common source for these three campaigns. All three use similar servers, for example, and their tools and techniques overlap as well.
The objectives, too, bear a striking resemblance. These campaigns are obsessed with documents, at least superficially. Researchers noted that the campaigns would often then use stolen documents against other targets: “This indicates that document theft is most likely the first phase of an attack chain against a victim with ties to the intended target.”
The revelation that the three are likely one is no great surprise, according to Trend Micro. The report maintains that it is not uncommon for one group to have multiple teams running separate campaigns: “While most of the campaigns' attacks are conducted separately, we've seen apparently joint operations conducted in phases that entail the work of different teams at each point in the infection chain.”