The decade-old cyberespionage campaign Blackgear has reemerged to exploit social media and blog sites to establish its command-and-control (C&C) infrastructure. The campaign, also known as Topgear and Comnie, dates back to 2008 and targets public sector agencies, telecom firms and other high-technology industries in South Korea, Japan and Taiwan.
Blackgear's campaigns are set apart by its abuse of legitimate blogging and social media websites to hide its C&C configuration.
"Compared to when C&C information is embedded within the malware, where it's preset and can thus be easily blocked, this tactic lets Blackgear's operators quickly change C&C servers as needed," researchers said in a blog post. "It can, in turn, prolong the campaign's foothold in the system and enable attackers to carry out further lateral movement."
Trend Micro researchers said the campaign's latest operation involves the attackers sending victims spam emails that contain decoy documents or fake installer files for popular software like Adobe Flash Player. Once executed, the Marade downloader is dropped in the infected system's Temp folder. The downloader swells to over 50MB to bypass traditional sandbox solutions and performs a system check.
If the system can connect online and does not have AV software installed, Marade connects to a previously compromised, Blackgear-controlled blog or social media post to retrieve its encrypted C&C configuration. Alternatively, it simply relies on the C&C information embedded in its code.
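The 50MB bloat described above is a sandbox-evasion tactic worth checking for at triage time: many automated analysis services cap upload size, so a padded dropper never gets detonated. The script below is an added example, not code from the article or from Trend Micro, and it makes one assumption of its own: that the padding is low-entropy filler (runs of a repeated byte), which is what a file that "swells" from a small payload usually looks like. It measures per-chunk Shannon entropy, reports what fraction of the file is filler, and flags a file that is both over the size threshold and mostly padding, so an analyst can route it to manual analysis instead of letting the size limit silently drop it. The `size_threshold` of 50MB comes from the article; `LOW_ENTROPY`, `CHUNK` and the sample bytes are constructed here.

```python
import math
from collections import Counter

CHUNK = 4096                         # bytes per entropy measurement (assumed value)
SIZE_THRESHOLD = 50 * 1024 * 1024    # article: the downloader "swells to over 50MB"
LOW_ENTROPY = 1.0                    # bits per byte; a run of one repeated byte scores 0.0


def chunk_entropy(data):
    """Shannon entropy of one chunk, in bits per byte (0.0 for uniform filler, 8.0 for random)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def padding_profile(blob, chunk=CHUNK):
    """Return (total size in bytes, fraction of chunks that look like low-entropy filler)."""
    offsets = range(0, len(blob), chunk)
    low = sum(1 for off in offsets if chunk_entropy(blob[off:off + chunk]) < LOW_ENTROPY)
    return len(blob), (low / len(offsets) if len(offsets) else 0.0)


def is_bloated(blob, size_threshold=SIZE_THRESHOLD, filler_fraction=0.9):
    """True when the file is over the size threshold AND most of it is filler."""
    size, filler = padding_profile(blob)
    return size > size_threshold and filler >= filler_fraction


def scan_file(path, **kwargs):
    """Convenience wrapper for a file on disk; kwargs are passed to is_bloated()."""
    with open(path, "rb") as fh:
        return is_bloated(fh.read(), **kwargs)


# Constructed sample (not a real dropper): 4KB of high-entropy "payload" followed
# by 256KB of zero padding, the shape a padded file has at small scale.
PAYLOAD = bytes(range(256)) * 16           # every byte value equally often -> 8.0 bits/byte
PADDED_SAMPLE = PAYLOAD + b"\x00" * (64 * CHUNK)

if __name__ == "__main__":
    size, filler = padding_profile(PADDED_SAMPLE)
    print(f"size={size} bytes, filler={filler:.1%}")
    # The threshold is lowered here only so the small constructed sample trips it.
    print("bloated:", is_bloated(PADDED_SAMPLE, size_threshold=100_000))
```

The payload-only bytes never trip the check, and the padded sample trips it only once the size threshold is lowered to match its constructed size; in production the default 50MB threshold and a 0.9 filler fraction are sensible starting points, tuned against the organisation's own clean installers (which can legitimately be large but are rarely mostly filler).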
"The encrypted strings will pose as a magnet link to keep its malicious traffic from being detected by AV software. Marade will then decrypt the encrypted strings and retrieve the C&C server information," researchers said.
Once the C&C information is decrypted, Marade then accesses the server to download version 3.7 of the Protux backdoor that is executed via a DLL file. Protux tests the host's network, retrieves its own C&C server from another blog and uses RSA-based encryption to generate a session key and communicate with its server.
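Because the encrypted C&C configuration is disguised as a magnet link inside an otherwise ordinary blog or social media post, a defender who can inspect outbound web content (a proxy log of fetched pages, or the posts themselves during takedown work) can look for magnet links that are not actually well-formed BitTorrent links. The code below is an added example, not from the article or Trend Micro, and it does not decode Blackgear's format (the article does not describe it). It only applies the public magnet URI conventions: a real link carries an `xt=urn:btih:` exact-topic parameter whose infohash is 40 hex or 32 base32 characters, plus a small set of known parameter names. Anything else is flagged for a human. The sample post and both links are constructed here and are not indicators from the campaign.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A magnet link as it appears inside free text (stops at whitespace, quotes or angle brackets).
MAGNET_RE = re.compile(r"magnet:\?[^\s\"'<>]+")
# The two infohash encodings BitTorrent clients accept.
BTIH_HEX = re.compile(r"^[0-9a-fA-F]{40}$")
BTIH_B32 = re.compile(r"^[A-Z2-7]{32}$")
# Parameter names defined by the magnet URI scheme / BEP 9 and common extensions.
KNOWN_PARAMS = {"xt", "dn", "tr", "xl", "ws", "as", "xs", "kt", "mt", "so", "x.pe"}
MAX_LEN = 512  # assumed ceiling; legitimate links with a few trackers stay well under it


def classify_magnet(link):
    """Return (verdict, reason) for a single magnet: URI."""
    query = urlsplit(link).query
    params = parse_qs(query, keep_blank_values=True)
    xts = params.get("xt", [])
    if not xts:
        return ("suspicious", "no xt (exact topic) parameter")
    for xt in xts:
        if not xt.startswith("urn:btih:"):
            return ("suspicious", f"unexpected urn in xt: {xt[:24]!r}")
        infohash = xt[len("urn:btih:"):]
        if not (BTIH_HEX.match(infohash) or BTIH_B32.match(infohash)):
            return ("suspicious",
                    f"xt payload is not a 40-hex or 32-base32 infohash ({len(infohash)} chars)")
    unknown = sorted(set(params) - KNOWN_PARAMS)
    if unknown:
        return ("suspicious", f"unknown parameters: {unknown}")
    if len(link) > MAX_LEN:
        return ("suspicious", f"unusually long magnet link ({len(link)} bytes)")
    return ("ok", "well-formed BitTorrent magnet link")


def scan_post(text):
    """Find every magnet link in a post body and classify it; returns (link, verdict, reason) tuples."""
    return [(m.group(0), *classify_magnet(m.group(0))) for m in MAGNET_RE.finditer(text)]


# Constructed samples. LEGIT_LINK uses a placeholder 40-hex infohash; SUSPECT_LINK carries a
# base64-looking blob where the infohash belongs, the shape a smuggled config would take.
LEGIT_LINK = ("magnet:?xt=urn:btih:" + "a" * 40
              + "&dn=example-linux.iso&tr=udp%3A%2F%2Ftracker.example.invalid%3A6969")
SUSPECT_LINK = "magnet:?xt=urn:btih:Q0NfY29uZmlnX2V4YW1wbGVfaW52YWxpZA&dn=update"
SAMPLE_POST = (
    "Great release, grab it here: " + LEGIT_LINK + "\n"
    "mirror: " + SUSPECT_LINK + " enjoy!\n"
)

if __name__ == "__main__":
    for link, verdict, reason in scan_post(SAMPLE_POST):
        print(f"{verdict:10s} {reason}\n           {link[:60]}...")
```

`parse_qs` percent-decodes the tracker URLs for you, so the known-parameter check sees clean names; the infohash regexes are deliberately strict, because the whole point of the heuristic is that a smuggled configuration blob is the wrong length and alphabet for a real infohash. Run it over fetched page bodies from the proxy tier rather than on endpoints, where the downloader has already executed.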
New tricks and tools
Using Protux, the attackers can generate a list of system drivers, folders, processes, modules, threads, ports, services and registries. Protux's new remote controller also comes with a new user interface that gives hackers the ability to monitor and send instructions to the compromised host, as well as remotely control the Marade downloader in infected machines.
"Based on the controller's behavior, we can posit that both Marade and Protux were authored by the same threat actors," researchers said. "Each serves a specific role once in the system. Marade acts as the first stage of attack, sending the compromised system's information to the C&C server and then awaiting commands from the controller. This allows threat actors to monitor and check whether the affected system is of interest to them. If so, the attack moves to the second stage by deploying Protux."
"Blackgear has been targeting various industries since its emergence a decade ago," they concluded. "Its apparent staying power stems from the furtive ways with which its attacks can evade traditional security solutions."