Blackgear Cyberespionage Campaign Resurfaces, Abuses Social Media for C&C Communication
(Jul 17, 2018)
Trend Micro researchers have discovered new malicious activity associated with the cyberespionage group called “Blackgear” (also known as Topgear and Comnie). The group, whose activity dates back to at least 2008, is known to have targeted multiple countries in past campaigns, such as Japan, South Korea, and Taiwan, with a focus on public sector agencies, high-technology industries, and telecommunications companies. In recent campaigns attributed to Blackgear, the group has been deploying the “Marade” downloader and the “Protux” backdoor. Researchers found that Blackgear changed the Command and Control (C2) communication for this malware: the C2 configuration is now stored, encrypted, in blog and social media posts rather than hardcoded inside the malware. This allows the group to change its C2 infrastructure quickly in an attempt to evade detection. The malware was found to be delivered via spam emails that contain a malicious decoy document.
Recommendation: Malspam is a constant tactic used by threat actors, who continually change the themes of their messages to trick unsuspecting recipients. Anti-spam and antivirus applications from trusted vendors should be deployed, in addition to educating employees to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.