Exploring BlackTech IoCs Reveals Hundreds of Artifacts in 2022

BlackTech, an APT group known for cyber espionage activities targeting Asia, was recently detected using a new malware called “FlagPro.” NTT Security named some indicators of compromise (IoCs) related to the new campaign, including five IP addresses and two subdomains.

In the past, the group used the same command-and-control (C&C) servers and other IoCs for multiple campaigns. In line with that, WhoisXML API researchers collected current and past BlackTech IoCs to check for patterns and uncover related artifacts. Here is a summary of what we discovered, which we discuss in greater detail in the succeeding sections:

  • Five out of 15 IP addresses were actively connected to eight additional domain names
  • Six of the domains tagged as IoCs actively resolved to different IP addresses
  • More than 600 additional domains resolved to three of the six IP addresses
  • Two unredacted registrant email addresses from the WHOIS records of IoCs and artifacts had more than 40 additional connected domain names

Feel free to download the complete list of BlackTech IoCs, artifacts, and other data enrichment from our website.

Some IoCs Could Still Be Active

We gathered a total of 15 IP addresses and 22 domains and subdomains tagged as BlackTech IoCs, mostly from 2020 to 2021. These came from several sources, including NTT Security, Palo Alto, the Cybersecurity & Infrastructure Security Agency (CISA), and Taiwan News.

Five IP addresses had active domain connections, while six domains still resolved to different IP addresses. These seemingly active IoCs are listed below.

BlackTech IP Addresses with Active Domain Connections as of 20 January 2022

  • 103[.]193[.]149[.]26
  • 139[.]162[.]87[.]180
  • 172[.]104[.]109[.]217
  • 211[.]72[.]242[.]120
  • 43[.]240[.]12[.]81

BlackTech Domains with Active IP resolutions as of 20 January 2022

  • cornerth[.]com
  • infonew[.]dubya[.]net
  • itaiwans[.]com
  • microsoftmse[.]com
  • osscach2023[.]hicloud[.]tw
  • tftpupdate[.]ftpserver[.]biz

In addition, some of the malicious IP addresses and subdomains haven’t been included in malware engines as of this writing despite being tagged as IoCs in the past two years. BlackTech or other threat actors can reuse these resources.

Hundreds of Additional Artifacts Uncovered

The possibly active IP addresses had eight domain connections, and at least one could be a virtual private network (VPN)—vpn152885425[.]softether[.]net. The root domain has an unredacted email address associated with 48 other domains.

The malicious domains in our original IoC list also yielded one unredacted email address associated with one more domain (hpcloudnews[.]com). We also subjected the domains’ active IP resolutions to Reverse IP Lookup, giving us more than 600 connected domains. Some of these look suspicious, among them variations of one IoC, cornerth[.]com: cornerth[.]com[.]tw and cornerth[.]tw.

We also found typosquatting domains, such as 0ffice36o[.]com, 0nedrive[.]agency, and 0utl00k[.]net, among many others. All connected domains and IP addresses can be found in our downloadable threat research materials.

The Anatomy of BlackTech IoCs

WHOIS and IP data enrichment for the IoCs revealed common characteristics that could prove relevant when investigating suspicious domains and IP addresses. These are detailed below.

Privacy Redaction of WHOIS Details

Unsurprisingly, the registrant details of most domains were redacted. The one exception was a Gmail email address associated with hicloud[.]tw, the root domain of the IoC osscach2023[.]hicloud[.]tw. The registrar for most of the domains was GoDaddy.

Cybersquatting Domains

A few of the domains appear to imitate Ruten, an Asian e-commerce company whose domains include ruten[.]com[.]tw and ruten[.]co[.]jp. Some examples of these IoCs are:

  • k3ad01[.]rutentw[.]com
  • web2008[.]rutentw[.]com
  • manage[.]lutengtw[.]com
  • dccpulic[.]lutengtw[.]com
  • dccpulic[.]lutentw[.]com

The malicious subdomains also tended to use generic strings to convey trustworthiness, such as “update,” “manage,” and “web.”
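
The following Python example is added here for illustration and is not part of the original article or of WhoisXML API's tooling. It triages hostnames for the two patterns described in this section: labels that sit within a small edit distance of a protected brand name, and generic strings in the leftmost subdomain label. The brand watchlist, the digit-swap map, and the distance threshold are assumptions.

```python
# Added example: triage of hostnames for brand lookalikes and generic subdomain labels.
BRANDS = ("ruten", "office365", "onedrive", "outlook")   # assumed watchlist
LEGIT = {"ruten.com.tw", "ruten.co.jp"}                  # brand-owned domains named in the article
GENERIC = ("update", "manage", "web")                    # generic strings named in the article
DIGIT_SWAPS = str.maketrans("01", "ol")                  # assumed digit-for-letter map

def refang(ioc):
    """Turn a defanged indicator (example[.]com) back into a hostname."""
    return ioc.strip().lower().replace("[.]", ".")

def fuzzy_substring_distance(pattern, text):
    """Sellers' algorithm: smallest edit distance between `pattern` and any
    substring of `text` (row 0 is all zeros, so a match may start anywhere)."""
    prev = [0] * (len(text) + 1)
    for i, pc in enumerate(pattern, 1):
        cur = [i]
        for j, tc in enumerate(text, 1):
            cur.append(min(prev[j] + 1,                # pattern char missing from text
                           cur[j - 1] + 1,             # extra char in text
                           prev[j - 1] + (pc != tc)))  # match or substitution
        prev = cur
    return min(prev)

def triage(ioc, max_distance=1):
    """Return the reasons a hostname looks like impersonation (empty list = none)."""
    host = refang(ioc)
    if host in LEGIT or any(host.endswith("." + d) for d in LEGIT):
        return []
    labels = host.split(".")
    reasons = []
    for brand in BRANDS:
        for label in labels:
            d = fuzzy_substring_distance(brand, label.translate(DIGIT_SWAPS))
            if d <= max_distance:
                reasons.append(f"resembles '{brand}' (distance {d}) in label '{label}'")
                break
    if len(labels) > 2 and any(g in labels[0] for g in GENERIC):
        reasons.append(f"generic subdomain label '{labels[0]}'")
    return reasons

# Defanged samples quoted in the article, plus one constructed benign hostname (the last).
SAMPLES = ["k3ad01[.]rutentw[.]com", "manage[.]lutengtw[.]com", "0ffice36o[.]com",
           "0utl00k[.]net", "ruten[.]com[.]tw", "intranet[.]example[.]org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", triage(s) or "no match")
```

Substring matching is used instead of whole-label comparison because the impersonating labels in this campaign pad the brand with extra characters such as "tw", which would inflate a plain edit distance.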

IP Geolocation

With the help of IP Geolocation API, we found that a majority of the malicious IP addresses were geolocated in Japan, Hong Kong, and Taiwan. The ISPs that appeared repeatedly were Cloudie Limited and Vultr Holdings, LLC.


BlackTech has been active for more than five years and continues to launch new campaigns. FlagPro is just the latest, and based on the group’s past activities, they could also be operating other attacks concurrently. Looking out for IoCs and artifacts can help map out their footprint, potentially enabling targeted organizations to evade malicious attacks.

If you are a threat researcher or cybersecurity professional interested in the BlackTech IoCs and artifacts presented in this study, please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
