A state-sponsored espionage group, known as Palmerworm (aka BlackTech) has been observed expanding its campaigns to focus on a more geographically diverse set of targets in their quest to steal information.

What is happening?

Palmerworm has been creeping around the victims’ networks for almost a year, targeting organizations worldwide.
  • The group has been using a combination of the brand new suite of custom malware (Consock, Waship, Dalwit, and Nomri), as well as some already known malware (Kivars and Pled).
  • In addition, the group also uses dual-use tools (Putty, PSExec, SNScan, and WinRAR), a custom loader, and a network reconnaissance tool (Hacktool).
  • Besides using living-off-the-land tactics, they have been using stolen code signing certificates to sign its payloads, to make the payloads appear more legitimate.

Palmerworm’s expansion

  • Besides identifying Palmerworm’s activities in multiple South-Asian countries, such as Japan, Taiwan, and China, the researchers have also spotted some victims in the U.S. for the first time.
  • The group is actively targeting organizations in the finance, media, engineering, electronics, and construction sectors.

Last seen

In August, Palmerworm had attacked at least ten Taiwanese government agencies and infiltrated some 6,000 email accounts of government officials to steal sensitive data. For these attacks, Taiwanese officials believe that the hacking group is backed by the Chinese Communist Party.

The bottom line

Palmerworm APT has spent several months hidden inside company networks. Their use of dual-use tools and living-off-the-land tactics makes their activity very hard to detect. Such TTPs underline the need for organizations to have a multi-layered cyber defense in place that can detect this kind of activity.

Cyware Publisher