Request A Demo
  • Blog Post

ATTACKER: Actors Behind Blackgear Campaign Update C2 Methods

On July 17th, new activity from the actors behind the Blackgear campaign has been reported by Trend Micro. The Blackgear campaign is an ongoing targeted attack against organizations mainly in Japan, South Korea, and Taiwan. It has been ongoing since at least 2008 when Protux, a malware used in the Blackgear camapaign, was discovered in spear phishing emails against Tibetan Activists. The campaign mainly consists of spear phishing for delivery and multiple stages of malware (binder, downloader, backdoor) for infection.

In the most recent Trend Micro report, the malware used by the threat actors behind Blackgear (Protux and Marade) advanced their methods of command and control by employing a way to download their configuration from posts on legitimate social media sites. In the Trend Micro article, screenshots were given where Facebook posts contained strings made out to be magnet links that actually contained the command and control data. The data was made out to be magnet links to avoid antivirus detection. Once the magnet link is downloaded, the malware decrypts the string to discover it’s command and control configuration.

Trend Micro also posted the command interface for the Protux malware that controls an infected host. In it, the tool appeared to have several capabilities that it could perform on the remote host including screen capture, shell access, and access the registry / process / service configuration of the system.

Trend Micro also gave details around sample phishing used in the attack chain. In it, at least one phish required a user to enable macros on an Excel file to perform infection via VBScript.

Proficio Threat Intelligence Recommendations:

  • Train users not to enable any type of Microsoft Office Macros delivered in email attachments.
  • Assess blocking well-known social networks that do not have business use to potentially reduce future channels of command and control.
  • Make sure all systems have up to date endpoint security controls that will allow users to access email.
  • In your Windows GPO (group policy), set the policy to disable running macros from files from the internet.


Trend Micro latest entry on Blackgear Campaign – Click Here

Recent Blog Posts

Stay Ahead of Evolving Threats

Signup for our free newsletter and receive invaluable threat notifications from our Threat Intelligence team.

By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.

REQUEST A DEMO

Experience Tomorrow’s
Security Today

Request a Demo and Experience Proficio's
Innovative Solutions in Action.

By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.

North America

+1.800.779.5042
info@proficio.com

APAC

+65.6996.9185

EMEA

+34.937.370.358

Services

ProSOC MDR
Risk Based Vulnerability Management
Cyber Exposure Monitoring
Active Defense Response
View All Services

Partners

Partner Login
Channel Partners
Technology Partners
MSP Partners
Become A Partner

Stay Ahead of Evolving Threats

Signup for our free newsletter and receive invaluable threat notifications from our Threat Intelligence team


By submitting this form, you agree to the Proficio Website Terms of Use and the Proficio Privacy Policy.

Solutions

24/7 Security Operations
Accelerate Your SIEM Deployment
Identify Targeted Attacks
Mitigate Threats to Prevent Breaches
Improve MTTD & Reduce False Positives
Protect Your Identities
Protect Your Endpoints

 

Protect Your Cloud 
Protect Your Network
Meet Cyber Insurance Requirements
Enhance Reporting & Business Intelligence
Compliance Assurance

Resources

Resource Center
Guides
Case Studies
Reports 
Datasheets
Videos
Webinars
White Paper

Company

About Us
Leadership
Awards
Blog
Press Releases
News
Events
Careers
Contact Us

© 2024 Proficio. All Rights Reserved. Privacy Notice & Cookie Policy | Terms of Use