BlackTech, an APT group known for cyber espionage activities targeting Asia, was recently detected using a new malware called “FlagPro.” NTT Security named some indicators of compromise (IoC) related to the new campaign, including five IP addresses and two subdomains.
In the past, the group used the same command-and-control (C&C) servers and other IoCs for multiple campaigns. In line with that, WhoisXML API researchers collected current and past BlackTech IoCs to check for patterns and uncover related artifacts. Here is a summary of what we discovered, which we discuss in greater detail in the succeeding sections:
Feel free to download the complete list of BlackTech IoCs, artifacts, and other data enrichment from our website.
We gathered a total of 15 IP addresses and 22 domains and subdomains tagged as BlackTech IoCs, mostly from 2020 to 2021. These came from several sources, including NTT Security, Palo Alto, the Cybersecurity & Infrastructure Security Agency (CISA), and Taiwan News.
Five IP addresses had active domain connections, while six domains still resolved to different IP addresses. These seemingly active IoCs are listed in the table below.
| BlackTech IP Addresses with Active Domain Connections as of 20 January 2022 | BlackTech Domains with Active IP Resolutions as of 20 January 2022 |
|---|---|
| 103[.]193[.]149[.]26 | cornerth[.]com |
| 139[.]162[.]87[.]180 | infonew[.]dubya[.]net |
| 172[.]104[.]109[.]217 | itaiwans[.]com |
| 211[.]72[.]242[.]120 | microsoftmse[.]com |
| 43[.]240[.]12[.]81 | osscach2023[.]hicloud[.]tw |
| | tftpupdate[.]ftpserver[.]biz |
In addition, some of the malicious IP addresses and subdomains haven’t been included in malware engines as of this writing despite being tagged as IoCs in the past two years. BlackTech or other threat actors can reuse these resources.
The possibly active IP addresses had eight domain connections, and at least one could be a virtual private network (VPN)—vpn152885425[.]softether[.]net. The root domain has an unredacted email address associated with 48 other domains.
On the other hand, the malicious domains in our original IoC list also yielded one unredacted email address, associated with one more domain (hpcloudnews[.]com). We also subjected the domains’ active IP resolutions to Reverse IP Lookup, which gave us more than 600 connected domains. Among these are suspicious domains, including variations of one IoC, cornerth[.]com: cornerth[.]com[.]tw and cornerth[.]tw.
We also found typosquatting domains, such as 0ffice36o[.]com, 0nedrive[.]agency, and 0utl00k[.]net, among many others. All connected domains and IP addresses can be found in our downloadable threat research materials.
WHOIS and IP data enrichment for the IoCs revealed common characteristics that could prove relevant when investigating suspicious domains and IP addresses. These are detailed below.
Unsurprisingly, the registrant details of most domains were redacted, except for one. We found a Gmail email address associated with hicloud[.]tw, the root domain of the IoC osscach2023[.]hicloud[.]tw. Most of the domains’ registrar was GoDaddy.
A few of the domains appear to imitate Ruten, an Asian e-commerce company whose domains include ruten[.]com[.]tw and ruten[.]co[.]jp. Some examples of these IoCs are:
The malicious subdomains also tended to use generic strings to convey trustworthiness, such as “update,” “manage,” and “web.”
With the help of IP Geolocation API, we found that the majority of the malicious IP addresses were geolocated in Japan, Hong Kong, and Taiwan. The ISPs that appeared repeatedly were Cloudie Limited and Vultr Holdings, LLC.
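As an added defender-side example (not code from the post or from WhoisXML API), the following Python script refangs indicators written in the post's `[.]` style, separates IP addresses from domains, derives a naive root domain, and flags the two patterns described above: digit-for-letter look-alikes of known brands (0ffice36o, 0utl00k) and generic trust tokens such as “update” in subdomains. The sample indicator list, the watched brand names, and the second-level label set are constructed assumptions, not part of the original research.

```python
import difflib
import ipaddress

# Constructed sample in the style of the post's defanged indicators (not the
# full IoC list): table entries plus the look-alike domains the post notes.
SAMPLE_IOCS = [
    "103[.]193[.]149[.]26",
    "cornerth[.]com",
    "osscach2023[.]hicloud[.]tw",
    "tftpupdate[.]ftpserver[.]biz",
    "0ffice36o[.]com",
    "0nedrive[.]agency",
    "0utl00k[.]net",
]
# Assumed brands behind the look-alikes; generic trust tokens from the post;
# digit-for-letter swaps typical of typosquats (0ffice36o, 0utl00k).
WATCHED_BRANDS = ("office365", "onedrive", "outlook", "ruten", "microsoft")
TRUST_TOKENS = ("update", "manage", "web")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})
# Second-level labels under which the registrable name sits one label deeper.
SECOND_LEVEL = {"com", "co", "net", "org", "edu", "gov"}

def refang(ioc: str) -> str:
    """Turn a '[.]'-defanged indicator back into its real form."""
    return ioc.strip().lower().replace("[.]", ".")

def root_domain(domain: str) -> str:
    """Naive registrable root: two labels, or three for com.tw / co.jp style."""
    labels = domain.split(".")
    depth = 3 if len(labels) > 2 and labels[-2] in SECOND_LEVEL else 2
    return ".".join(labels[-depth:])

def classify(ioc: str) -> dict:
    """Refang one indicator and attach the flags a triage queue would want."""
    value = refang(ioc)
    try:
        ipaddress.ip_address(value)
        return {"value": value, "kind": "ip"}
    except ValueError:
        pass  # not an IP address, so treat it as a domain name
    root = root_domain(value)
    # Normalise digit homoglyphs, then fuzzy-match the brand label.
    label = root.split(".")[0].translate(HOMOGLYPHS)
    match = difflib.get_close_matches(label, WATCHED_BRANDS, n=1, cutoff=0.85)
    sub = value[: -len(root)].rstrip(".")
    return {"value": value, "kind": "domain", "root": root,
            "lookalike_of": match[0] if match else None,
            "trust_token": any(t in sub for t in TRUST_TOKENS)}
```

Run `classify` over `SAMPLE_IOCS` to see each indicator with its root, the brand it imitates (if any), and whether its subdomain carries a trust token.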
BlackTech has been active for more than five years and continues to launch new campaigns. FlagPro is just the latest, and based on the group’s past activities, they could also be operating other attacks concurrently. Looking out for IoCs and artifacts can help map out their footprint, potentially enabling targeted organizations to evade malicious attacks.
If you are a threat researcher or cybersecurity professional interested in the BlackTech IoCs and artifacts presented in this study, please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.