China-Linked ‘BlackTech’ Hackers Start Targeting U.S.

The China-linked BlackTech cyber-spies have adopted new malicious tools in recent attacks, and they have started targeting the United States, Symantec security researchers revealed on Tuesday.

Also referred to as Palmerworm, the hacking group is believed to have been active since at least 2013. The campaign analyzed by Symantec ran from August 2019 until as recently as August 2020, and it targeted organizations in construction, electronics, engineering, media, and finance in Japan, Taiwan, the U.S., and China. The threat actor was previously known to target East Asia.

The recent attacks revealed the use of dual-use tools and a new suite of custom malware, including backdoors such as Consock, Waship, Dalwit, and Nomri. Previously, the threat actor was observed employing the backdoors known as Kivars and Plead (which Symantec refers to as Palmerworm).

“We have not observed the group using these malware families in previous attacks – they may be newly developed tools, or the evolution of older Palmerworm tools,” the security firm notes in a new report.

Despite the use of undocumented malware, other artefacts observed in these attacks, including the use of previously employed infrastructure, suggest that the BlackTech threat actor is behind them.

In addition to the new backdoors, the hackers leveraged a custom loader and a network reconnaissance tool, along with dual-use tools such as PuTTY, PsExec, SNScan, and WinRAR.

Furthermore, the threat actor signed the payloads in these attacks with stolen code-signing certificates, a tactic it was observed employing before. While Symantec hasn’t identified the initial attack vector, the actor is known for the use of spear-phishing to access victim networks.

A total of five victims were identified in these attacks, including organizations in media, electronics, and finance based in Taiwan, an engineering company in Japan, and a construction company in China. Some U.S.-based companies were targeted as well, but they haven’t been identified.

The targeting of Taiwanese companies isn’t something new for BlackTech, which previously infiltrated government agencies in the country. Taipei said at the time that the group is operating out of China.

Although the first activity associated with the recent campaign started in August 2019, the attackers were able to maintain a presence in the compromised networks for a long time: activity associated with the attack was still being observed on compromised machines within the media company’s network in August 2020.

“Palmerworm also maintained a presence on the networks of a construction and a finance company for several months. However, it spent only a couple of days on the network of a Japanese engineering company in September 2019, and a couple of weeks on the network of an electronics company in March 2020,” Symantec explains.

The security researchers are unsure what type of data the attackers might have exfiltrated from the compromised organizations, but believe that cyber-espionage might have been the purpose of the attacks.

Related: Hackers Exploit ASUS Update Process to Install Backdoor

Related: Hackers Using Stolen D-Link Certificates for Malware Signing

Related: Thousands of Taiwan Government Email Accounts ‘Hacked by China’

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
