Blackgear is a previously documented cyber espionage campaign that dates back to 2008. It has been known to target organizations in Japan, South Korea and Taiwan, primarily public sector agencies and high-tech companies.
According to Trend Micro reports from 2016, the campaigns were aimed at Japanese organizations and deployed various malware tools, such as the Elirks backdoor. The continuity and persistence of Blackgear campaigns indicate that the operators are well organized and have developed their own tools, which are periodically updated and “fine-tuned”, as noted in a recent cybersecurity report.
Blackgear Malicious Characteristics
“A notable characteristic of Blackgear is the degree to which its attacks are taken to evade detection, abusing blogging, microblogging, and social media services to hide its command-and-control (C&C) configuration”, Trend Micro said. This differs from the usual practice of embedding the C&C details in the malware itself: the operators can point the implants at new C&C servers whenever needed simply by editing a post, without redeploying the malware, and the first outbound request goes to a legitimate, high-reputation service rather than to a suspicious server. This helps the operators sustain their campaigns over long periods.
Blackgear's latest operations reportedly use the Marade downloader together with a version of the Protux backdoor. While analyzing these samples, the researchers found the encrypted configurations of both tools in blog and social media posts, which suggests that they were crafted by the same group.
To better understand the workings of the most recent Blackgear attacks, researchers correlated the tools and techniques the attackers used against their targets. Here is how the Blackgear attack chain unfolds:
- Blackgear's tools reach targets as RAR self-extracting executable (SFX) files or as Office documents carrying Visual Basic Script (VBScript) that creates a decoy document. The decoy document or fake installer is spread via spam email to trick the recipient into opening it.
- The decoy document extracts the Marade downloader, which drops itself into the machine's Temp folder and pads its file size to over 50 MB; many sandboxes skip files that large, so the sample is never detonated.
- Marade then checks whether the infected host can connect to the internet and whether an anti-virus program is installed.
- If the host is online and has no AV protection, Marade connects to a Blackgear-controlled public blog (or social media post) to retrieve an encrypted C&C configuration. If there is no internet connection, it falls back to the C&C details embedded in its code.
- The encrypted configuration is posted in the form of a magnet link, so it passes as ordinary content and the retrieval looks like benign traffic to AV and network monitoring. Marade decrypts the strings to obtain the C&C server information.
- Next comes the Protux backdoor: the C&C server sends Protux to the affected machine and executes it. Protux is a DLL launched through rundll32.exe, the legitimate Windows utility that loads a DLL and calls one of its exports. It tests the host's network, retrieves its own C&C server from another blog post, and uses the RSA algorithm to establish a session key before sending information to the C&C server, the researchers explained.
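The dead-drop mechanism from the chain above, as an added illustration rather than Blackgear's own code: a C&C configuration is encrypted, wrapped in what looks like a BitTorrent magnet link and placed in a public post; the implant fetches the post when it is online and otherwise uses its embedded fallback. The XOR cipher, the key, the post text and the RFC 5737 addresses are all constructed for this demo; the real campaign's encryption is not reproduced. The last function is a defender-side check: a genuine BitTorrent v1 infohash is a SHA-1, so a magnet link whose hash field has any other length deserves a closer look.

```python
"""Dead-drop resolver pattern: C&C config hidden in a public post.

Added illustration, not Blackgear's code. The XOR cipher, the key, the
post text and the addresses below are constructed for this demo (RFC 5737
documentation ranges); the real campaign's encryption is not reproduced.
"""
import json
import re
from typing import Callable, Optional

TOY_KEY = b"demo-key"  # hypothetical; a real implant would use something stronger
# Configuration compiled into the implant, used only when the post is unreachable.
EMBEDDED_FALLBACK = {"c2": "203.0.113.10", "port": 443}

# The disguise: a BitTorrent magnet link whose "infohash" field carries ciphertext.
MAGNET_RE = re.compile(r"magnet:\?xt=urn:btih:([0-9a-fA-F]+)")


def xor(data: bytes, key: bytes) -> bytes:
    """Symmetric toy cipher; XOR twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide_config(config: dict) -> str:
    """Operator side: encrypt the JSON config and wrap it as a magnet link."""
    blob = xor(json.dumps(config).encode(), TOY_KEY).hex()
    return f"magnet:?xt=urn:btih:{blob}&dn=holiday_photos.zip"


def extract_config(post_text: str) -> Optional[dict]:
    """Implant side: locate the disguised link in a post and recover the config."""
    match = MAGNET_RE.search(post_text)
    if match is None:
        return None
    return json.loads(xor(bytes.fromhex(match.group(1)), TOY_KEY).decode())


def resolve_c2(fetch_post: Callable[[], str], has_internet: bool) -> dict:
    """Mirrors the observed logic: online -> read the dead drop; offline
    (or a post with no usable link) -> fall back to the embedded config."""
    if not has_internet:
        return EMBEDDED_FALLBACK
    config = extract_config(fetch_post())
    return config if config is not None else EMBEDDED_FALLBACK


def looks_like_real_infohash(field: str) -> bool:
    """Defender heuristic: a real BitTorrent v1 infohash is a SHA-1, i.e. exactly
    40 hex characters (the 32-character base32 form is not handled here). Any
    other length means the "magnet link" is carrying something else."""
    return len(field) == 40


if __name__ == "__main__":
    cfg = {"c2": "198.51.100.7", "port": 8443}
    post = "Back from vacation, photos here: " + hide_config(cfg) + " enjoy!"
    print(resolve_c2(lambda: post, has_internet=True))   # -> cfg
    print(resolve_c2(lambda: post, has_internet=False))  # -> EMBEDDED_FALLBACK
    print(looks_like_real_infohash(MAGNET_RE.search(post).group(1)))  # False
```

The length check is deliberately cheap: it can run over proxy logs or scraped post bodies without any knowledge of the key, which is the point of hunting for the disguise rather than the payload.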
The Scope of Blackgear Campaigns
Blackgear has been active for at least a decade, targeting various industries in covert attacks. Its effectiveness seems to stem from how it evades traditional security software; one such technique is splitting every attack into two stages of infection.
Because the first stage involves only profiling and reconnaissance, the target may well not notice the intrusion. There may be no obvious signs even after the backdoor is successfully dropped onto the system, because Blackgear retrieves its C&C information through microblogging and social media services instead of contacting a suspicious server directly.
According to the researchers, Blackgear's attacks exemplify the need for organizations to develop and implement security strategies that can proactively respond to threats. One such strategy is threat hunting, in which indicators of attack are validated to determine whether an intrusion is a one-off attempt or part of a larger campaign.
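Turning the behaviours described on this page into hunting logic, as an added example that is not part of the original report: the function below runs three heuristics over Sysmon-style endpoint events, namely an oversized file dropped into a Temp folder, rundll32.exe loading a DLL from Temp, and a process that contacts a blog or social media host and then a different destination. The events, the RFC 2606/5737 names and addresses, and the host list are constructed for the demo; none of them are published Blackgear indicators.

```python
"""Hunting for the behaviours described on this page in endpoint telemetry.

Added example, not from the original report. The records below are
constructed Sysmon-style events (RFC 2606/5737 names and addresses), the
host list is a placeholder for the blog/social services an organisation
sees, and the 50 MB threshold mirrors the downloader's padding behaviour
described above; none of these are published Blackgear IoCs.
"""
from collections import defaultdict
from typing import Dict, List

# Services an implant might use as a dead drop for its C&C configuration.
DEAD_DROP_HOSTS = {"blog.example", "social.example"}
SIZE_THRESHOLD = 50 * 1024 * 1024  # bytes; sandboxes often skip files this large

SAMPLE_EVENTS: List[Dict] = [  # constructed telemetry
    {"ts": 1, "type": "file_create", "pid": 1001,
     "path": r"C:\Users\u\AppData\Local\Temp\setup.exe", "size": 60_000_000},
    {"ts": 2, "type": "file_create", "pid": 1001,
     "path": r"C:\Users\u\AppData\Local\Temp\notes.txt", "size": 1_024},
    {"ts": 3, "type": "process_create", "pid": 4242,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Local\Temp\svc.dll",Start'},
    {"ts": 4, "type": "process_create", "pid": 4243,  # benign Control Panel applet
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ts": 5, "type": "network_connect", "pid": 4242, "host": "blog.example"},
    {"ts": 6, "type": "network_connect", "pid": 4242, "host": "203.0.113.45"},
    {"ts": 7, "type": "network_connect", "pid": 777, "host": "blog.example"},  # a browser
]


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched heuristic, each with rule name, pid and detail."""
    findings: List[Dict] = []
    connections = defaultdict(list)  # pid -> network events, for the sequence rule

    for e in events:
        if e["type"] == "file_create":
            if "\\temp\\" in e["path"].lower() and e["size"] > SIZE_THRESHOLD:
                findings.append({"rule": "oversized_temp_drop", "pid": e["pid"],
                                 "detail": e["path"]})
        elif e["type"] == "process_create":
            cmd = e["cmdline"].lower()
            # rundll32 itself is legitimate; rundll32 loading a DLL out of Temp is not.
            if e["image"].lower().endswith("rundll32.exe") and "\\temp\\" in cmd and ".dll" in cmd:
                findings.append({"rule": "rundll32_temp_dll", "pid": e["pid"],
                                 "detail": e["cmdline"]})
        elif e["type"] == "network_connect":
            connections[e["pid"]].append(e)

    # Dead-drop resolution: a process talks to a blog/social host and then to a
    # destination that is not one of those hosts. A process that only ever
    # visits the blog never triggers this rule.
    for pid, conns in connections.items():
        saw_dead_drop = False
        for c in sorted(conns, key=lambda c: c["ts"]):
            if c["host"] in DEAD_DROP_HOSTS:
                saw_dead_drop = True
            elif saw_dead_drop:
                findings.append({"rule": "dead_drop_then_new_host", "pid": pid,
                                 "detail": c["host"]})
                break
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample data this yields exactly three findings, all tied to the constructed infection rather than to the benign rundll32 applet or the browser. In production the sequence rule on its own is noisy, because any browser that visits a blog and then another site matches it; scope it to non-browser images or require it to co-occur with one of the other two rules before treating the host as part of a larger campaign.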