On July 17th, new activity from the actors behind the Blackgear campaign was reported by Trend Micro. The Blackgear campaign is an ongoing targeted attack against organizations mainly in Japan, South Korea, and Taiwan. It has been active since at least 2008, when Protux, a malware family used in the Blackgear campaign, was discovered in spear phishing emails sent to Tibetan activists. The campaign mainly consists of spear phishing for delivery and multiple stages of malware (binder, downloader, backdoor) for infection.
In the most recent Trend Micro report, the malware used by the threat actors behind Blackgear (Protux and Marade) advanced its command and control methods by downloading its configuration from posts on legitimate social media sites. The Trend Micro article includes screenshots of Facebook posts containing strings formatted to look like magnet links that actually carried the command and control data. The data was disguised as magnet links to avoid antivirus detection. Once the malware retrieves the magnet-link string, it decrypts it to recover its command and control configuration.
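As an added example (not code from the Trend Micro report or from Proficio), a heuristic a defender could run over collected post text or proxy logs: flag magnet-link-shaped strings whose info-hash field is not a well-formed BitTorrent SHA-1 (40 hex or 32 base32 characters). The sample posts are constructed; the encoding Blackgear actually used is not described here, so this is format validation only, not a decoder.

```python
import re

# Constructed sample posts for this example (not from the report).
SAMPLE_POSTS = [
    "Seed it: magnet:?xt=urn:btih:0123456789abcdef0123456789abcdef01234567&dn=ubuntu.iso",
    "magnet:?xt=urn:btih:ABCDEFGHIJKLMNOPQRSTUVWXYZ234567&dn=debian.iso",
    "magnet:?xt=urn:btih:Zm9v+Ym+FyLzE5Mi4wLjIuMTo0NDM=&dn=setup",
    "magnet:?xt=urn:btih:c0ffee&xt=urn:sha1:notreal",
]

MAGNET_RE = re.compile(r"magnet:\?\S+")
SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")
SHA1_B32 = re.compile(r"^[A-Za-z2-7]{32}$")


def _params(query):
    """Split a magnet query string into (key, value) pairs without URL-decoding,
    so the raw value is what gets inspected."""
    pairs = []
    for part in query.split("&"):
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def magnet_anomalies(text):
    """Return (link, reason) tuples for magnet-shaped strings in text that do not
    look like genuine BitTorrent magnet links. A well-formed link yields nothing."""
    findings = []
    for link in MAGNET_RE.findall(text):
        xts = [v for k, v in _params(link[len("magnet:?"):]) if k == "xt"]
        if not xts:
            findings.append((link, "no xt parameter"))
            continue
        for xt in xts:
            if not xt.startswith("urn:btih:"):
                findings.append((link, "unexpected urn scheme: " + xt))
                continue
            info_hash = xt[len("urn:btih:"):]
            if not (SHA1_HEX.match(info_hash) or SHA1_B32.match(info_hash)):
                findings.append((link, "info-hash is not 40-hex/32-base32: " + info_hash))
    return findings


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        for link, reason in magnet_anomalies(post):
            print("SUSPECT", reason, "->", link)
```

Hits should be triaged, not blocked outright: a malformed link proves only that the string is not a usable torrent reference, which is exactly the property that makes it worth a closer look.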
Trend Micro also posted the command interface of the Protux malware used to control an infected host. The tool appeared to have several capabilities against the remote host, including screen capture, shell access, and access to the registry, process, and service configuration of the system.
Trend Micro also gave details of sample phishing emails used in the attack chain. At least one phish required the user to enable macros in an Excel file, which then carried out the infection via VBScript.
Proficio Threat Intelligence Recommendations:
- Train users not to enable any type of Microsoft Office Macros delivered in email attachments.
- Assess blocking well-known social networks that do not have business use to potentially reduce future channels of command and control.
- Make sure all systems on which users can access email have up-to-date endpoint security controls.
- In your Windows GPO (group policy), set the policy that blocks macros from running in Office files downloaded from the internet.