A cyberespionage group that has previously attacked targets in East Asian nations is now stealing digital signing certificates from D-Link and Taiwan-based Changing Information Technologies. The hacker group, BlackTech has been found using the stolen certificates to deploy its customized backdoor malware, as part of an espionage campaign.

The lesser-known BlackTech hacker group has been known to target East Asian nations, including Japan, Hong Kong and particularly Taiwan. According to security researchers at ESET, the group has been spotted signing their malware with the stolen digital certificates.

Why steal digital certificates?

According to ESET researchers, cybercriminals abuse digital certificates to mask their malicious activities. These certificates can be misused by hackers to make malware appear as legitimate, which in turn would raise a malware’s chance of sneaking past security measures.

Such a tool would be valuable to a cyberespionage gang like BlackTech, whose survival depends on remaining hidden.

Although the stolen digital certificates have been revoked by D-Link and Changing Information Technologies on July 4, BlackTech is still signing their malware with the stolen certificates.

In their latest campaign, Blacktech has been primarily focusing on Taiwanese entities, researchers said.

“The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region,” ESET researchers wrote in a blog.

Interestingly, the infamous Stuxnet worm, which was used to attack Iran’s critical infrastructure in 2010, also made use of digital certificates, stolen from Taiwanese companies RealTek and JMicron.

Brief history

The lesser-known BlackTech hacker group is known to target East Asian nations, including Japan, Hong Kong and particularly Taiwan. The group has targeted both private entities and government contractors in the past across several sectors, including, military, education, energy, manufacturing and more.

Unlike other active cyberespionage groups, BlackTech has not been linked to a specific nation. However, the group’s previous campaigns and its ability to obtain tools suggest it is extremely well-funded. The group’s primary goal appears to be covert intelligence gathering.

Modus operandi

According to ESET researchers, BlackTech used a customized data-stealing malware that has been extremely obsfucated with junk code. The malware is capable of stealing passwords from Google Chrome, Internet Explorer, Mozilla Firefox and Microsoft Outlook. In this campaign, the malware’s primary purpose is to drop BlackTech Plead backdoor malware.

The backdoor is capable of harvesting email and browser credentials, opening remote shell, opening and deleting targeted files and more.

BlackTech campaigns

BlackTech was found targeting victims in three separate campaigns called “Plead, Shrouded Crossbow and Waterbear”. While the Plead campaign was first discovered in 2012, the Shrouded Crossbow campaign is considered to have been launched in 2010. Meanwhile, the Waterbear campaign is considered to be an even older campaign.

According to a 2017 Trend Micro report, the tools, techniques and objectives of the three campaigns indicate that they were operated by the same well-funded group, likely split into teams, each running a specific campaign.

“It is not uncommon, for instance, for a group—especially a well-funded one—to split into teams and run multiple campaigns. While most of the campaigns’ attacks are conducted separately, we’ve seen apparently joint operations conducted in phases that entail the work of different teams at each point in the infection chain,” Trend Micro researchers said in their report.

“We also found incidents where the backdoors were used on the same targets. While it’s possible for separate groups to attack at the same time, we can construe at they are at least working together.”

Cyware Publisher