ATTACKER: Actors Behind Blackgear Campaign Update C2 Methods

Who or What is Blackgear?

Blackgear, also known as Topgear and Comnie, is a cyberespionage campaign that has been active since at least 2008. It primarily targets organizations within Japan, South Korea, and Taiwan, focusing on sectors like public administration and high-technology industries. Blackgear is known for its sophisticated use of malware tools, such as the Protux backdoor and the Marade downloader, to infiltrate networks and evade detection.

This campaign uses social media, blogging, and microblogging services to conceal its command-and-control (C&C) configurations. This method allows for quick changes to C&C servers, helping to maintain the attacks and facilitating lateral movements within compromised systems. Blackgear’s techniques include using decoy documents or fake installer files distributed via email, which then deploy further malware to execute its espionage activities.

Blackgear’s Protux Malware Campaign

On July 17th, Trend Micro reported new activity from the actors behind the Blackgear campaign. The Blackgear campaign is an ongoing targeted attack against organizations mainly in Japan, South Korea, and Taiwan. It has been ongoing since at least 2008, when Protux, a malware used in the Blackgear campaign, was discovered in spear phishing emails against Tibetan activists. The campaign mainly consists of spear phishing for delivery and multiple stages of malware (binder, downloader, backdoor) for infection.

In the most recent Trend Micro report, the malware used by the threat actors behind Blackgear (Protux and Marade) advanced its command-and-control methods by downloading its configuration from posts on legitimate social media sites. The Trend Micro article included screenshots of Facebook posts containing strings formatted to look like magnet links, which actually carried the command-and-control data. The data was disguised as magnet links to avoid antivirus detection. Once the magnet link string is downloaded, the malware decrypts it to recover its command-and-control configuration.
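A defender-side check that follows from the description above, as an added example that is not part of the original post or of the Trend Micro report: a genuine BitTorrent magnet link carries a 40-character hex or 32-character base32 infohash in its `xt=urn:btih:` parameter and only a small set of known query keys. The script below scans text (for example, social media posts or proxy-logged URLs) for magnet-shaped strings and flags any whose "infohash" does not fit that format or that carry unknown parameters. The sample posts are constructed; the assumption that an encoded configuration blob will not fit the real infohash format is mine, since the page does not describe the actual encoding used.

```python
import re
from urllib.parse import parse_qs

# A magnet-URI-shaped token runs from "magnet:?" to the next whitespace.
MAGNET_RE = re.compile(r"magnet:\?\S+")
# Legitimate BitTorrent infohash encodings: 40 hex chars or 32 base32 chars.
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
BASE32_32 = re.compile(r"^[A-Z2-7]{32}$")
# Query keys defined for magnet links (BEP 9 / common clients).
KNOWN_PARAMS = {"xt", "dn", "tr", "xl", "ws", "as", "kt", "mt", "x.pe", "so"}


def classify_magnet(uri):
    """Return (verdict, reason) for one magnet-shaped string.

    verdict is 'ok' for a well-formed BitTorrent magnet link and
    'suspicious' when the string deviates from the format in a way
    that could indicate it is carrying a payload rather than a hash.
    """
    if not uri.startswith("magnet:?"):
        return ("suspicious", "not a magnet URI")
    # keep_blank_values=True so a bare blob with no '=' still shows up as a key.
    params = parse_qs(uri[len("magnet:?"):], keep_blank_values=True)
    unknown = sorted(k for k in params if k not in KNOWN_PARAMS)
    if unknown:
        return ("suspicious", f"unknown parameters: {unknown}")
    xts = params.get("xt", [])
    if not xts:
        return ("suspicious", "no exact-topic (xt) parameter")
    for xt in xts:
        if not xt.startswith("urn:btih:"):
            return ("suspicious", f"unexpected xt scheme: {xt[:20]}")
        infohash = xt[len("urn:btih:"):]
        if not (HEX40.match(infohash) or BASE32_32.match(infohash)):
            return ("suspicious",
                    f"infohash is not 40-hex/32-base32 (length {len(infohash)})")
    return ("ok", "well-formed BitTorrent magnet link")


def scan_text(text):
    """Find every magnet-shaped string in text and classify it."""
    return [(m.group(0), *classify_magnet(m.group(0)))
            for m in MAGNET_RE.finditer(text)]


def suspicious_links(text):
    """Only the magnet-shaped strings that fail the format check."""
    return [(uri, reason) for uri, verdict, reason in scan_text(text)
            if verdict == "suspicious"]


# Constructed sample posts (not real data): one genuine-looking link,
# one with a base64-style blob where the infohash belongs, and one
# smuggling data in an extra query parameter.
SAMPLE_POSTS = """
Seeding tonight: magnet:?xt=urn:btih:c12fe1c06bba254a9dc9f519b335aa7c1367a88a&dn=ubuntu-22.04.iso
new one magnet:?xt=urn:btih:dGhpcyBpcyBub3QgYSByZWFsIGluZm9oYXNoIGJ1dCBhIGJsb2I=
great torrent magnet:?xt=urn:btih:c12fe1c06bba254a9dc9f519b335aa7c1367a88a&cfg=QUFBQUFBQUFBQQ
"""

if __name__ == "__main__":
    for uri, reason in suspicious_links(SAMPLE_POSTS):
        print(f"SUSPICIOUS: {uri}\n  reason: {reason}")
```

This is a triage filter, not a decryptor: it cannot tell what a flagged string contains, only that it is not shaped like a real torrent reference. It is most useful applied to outbound web requests from hosts that should have no reason to fetch social media content, where a hit is worth an analyst's look.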

Trend Micro also posted the command interface for the Protux malware that controls an infected host. In it, the tool appeared to have several capabilities it could perform on the remote host, including screen capture, shell access, and access to the registry, process, and service configuration of the system.

Trend Micro also gave details around sample phishing used in the attack chain. In it, at least one phish required a user to enable macros on an Excel file to perform infection via VBScript.

Proficio Threat Intelligence Recommendations:

  • Train users not to enable any type of Microsoft Office Macros delivered in email attachments.
  • Assess blocking well-known social networks that do not have business use to potentially reduce future channels of command and control.
  • Make sure all systems from which users access email have up-to-date endpoint security controls.
  • In your Windows GPO (group policy), set the policy to disable running macros from files from the internet.

If you are in need of an endpoint security system, please contact us today.
