The China-linked BlackTech cyber-spies have adopted new malicious tools in recent attacks, and they have started targeting the United States, Symantec security researchers revealed on Tuesday.
Also referred to as Palmerworm, the hacking group is believed to have been active since at least 2013. The campaign analyzed by Symantec ran from August 2019 until as recently as August 2020, and it targeted organizations in construction, electronics, engineering, media, and finance in Japan, Taiwan, the U.S., and China. The threat actor was previously known to target East Asia.
The recent attacks revealed the use of dual-use tools and a new suite of custom malware, including backdoors such as Consock, Waship, Dalwit, and Nomri. Previously, the threat actor was observed employing the backdoors known as Kivars and Plead (which Symantec refers to as Palmerworm).
“We have not observed the group using these malware families in previous attacks – they may be newly developed tools, or the evolution of older Palmerworm tools,” the security firm notes in a new report.
Despite the use of undocumented malware, other artefacts observed in these attacks, including the use of previously employed infrastructure, suggest that the BlackTech threat actor is behind them.
In addition to the new backdoors, the hackers leveraged a custom loader and a network reconnaissance tool, along with dual-use tools such as PuTTY, PsExec, SNScan, and WinRAR.
Furthermore, the threat actor signed the payloads in these attacks with stolen code-signing certificates, a tactic it was observed employing before. While Symantec hasn’t identified the initial attack vector, the actor is known for the use of spear-phishing to access victim networks.
A total of five victims were identified in these attacks, including organizations in media, electronics, and finance based in Taiwan, an engineering company in Japan, and a construction company in China. Some U.S.-based companies were targeted as well, but they haven’t been identified.
The targeting of Taiwanese companies isn’t something new for BlackTech, which previously infiltrated government agencies in the country. Taipei said at the time that the group is operating out of China.
Although the first activity associated with the recent campaign started in August 2019, the attackers were able to maintain a presence in the compromised networks for a long time: activity associated with the attack was still being observed on compromised machines within the media company’s network in August 2020.
“Palmerworm also maintained a presence on the networks of a construction and a finance company for several months. However, it spent only a couple of days on the network of a Japanese engineering company in September 2019, and a couple of weeks on the network of an electronics company in March 2020,” Symantec explains.
The security researchers are unsure what type of data the attackers might have exfiltrated from the compromised organizations, but believe that cyber-espionage might have been the purpose of the attacks.