Delaware, USA – July 19, 2018 – The Blackgear cyber-espionage campaign has been running for 8 years, targeting organizations in Japan, South Korea and Taiwan. The attackers are interested in telecommunications and other high-tech industries. Researchers from Trend Micro recently discovered changes in the malware used in this campaign, along with some new features. The main change is in how the malware obtains command-and-control (C&C) server addresses: the cybercriminals now use blogs and social networks for this purpose, which lets them swap server addresses during the campaign if the primary infrastructure is detected and blocked.

The attackers send targeted emails with an executable or document attached. When the attachment is executed, the Marade dropper self-extracts to the Temp directory and pads its size to 50MB to deceive sandboxes. The dropper then checks for an Internet connection and for the presence of certain antivirus products. If Marade does not detect an antivirus and the system has Internet access, the malware connects to the attackers' blog and retrieves the encrypted address of the C&C server without raising suspicion; otherwise, Marade falls back to hardcoded addresses. The Protux backdoor is then downloaded and installed from that server, and it in turn connects to another blog to obtain the address of the next C&C server. The updated Protux now has a user interface that lets the adversaries monitor activity on the infected system and execute commands in real time.
Neither Marade nor Protux is cross-platform malware; both are designed to infect systems running Microsoft Windows. The attackers behind the Blackgear cyber-espionage campaign do not use zero-day vulnerabilities, so installing and promptly updating anti-virus solutions should prevent such malware from being used effectively. To detect targeted attacks on the organization, you can also use the Windows Security Monitor SIEM use case, which profiles security events and can identify suspicious patterns.
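One way to express the kind of event profiling mentioned above as a concrete check, written here as an added example (not code from the article, from Trend Micro or from the SIEM use case): it correlates a process started from the Temp directory whose on-disk size has been padded past a threshold with a later outbound connection from that same process to a blog or social-network host, the three traits attributed to Marade above. The Sysmon-style records, the hostnames, paths, the 40 MB threshold and the enriched FileSize field are all constructed assumptions.

```python
"""Correlate Temp-directory launch + padded size + blog/social C&C lookup.

Added example, not from the original article. Record layout mimics Sysmon
event IDs 1 (process create) and 3 (network connect); FileSize is assumed to
be added by an enrichment step, since Sysmon does not log it natively.
"""

SIZE_THRESHOLD = 40 * 1024 * 1024  # assumed: flags the ~50 MB padding described
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Constructed placeholder hosts; a real deployment would use its own list.
BLOG_HOSTS = ("blog.example", "social.example")

# Constructed sample events (all values invented for this example).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "Image": r"C:\Users\u\AppData\Local\Temp\invoice.exe", "FileSize": 52428800},
    {"EventID": 3, "ProcessGuid": "A", "DestinationHostname": "posts.blog.example", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "B", "Image": r"C:\Program Files\App\app.exe", "FileSize": 1048576},
    {"EventID": 3, "ProcessGuid": "B", "DestinationHostname": "update.vendor.example", "DestinationPort": 443},
    # Small installer in Temp talking to a blog: only two of three traits, not flagged.
    {"EventID": 1, "ProcessGuid": "C", "Image": r"C:\Users\u\AppData\Local\Temp\setup.exe", "FileSize": 2048},
    {"EventID": 3, "ProcessGuid": "C", "DestinationHostname": "posts.blog.example", "DestinationPort": 443},
]


def is_temp_path(image):
    """True if the executable lives under a user or system Temp directory."""
    low = image.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def is_blog_host(host):
    """True if the destination is one of the blog/social hosts or a subdomain of one."""
    low = host.lower()
    return any(low == h or low.endswith("." + h) for h in BLOG_HOSTS)


def correlate(events):
    """Return (guid, image, host) for processes that match all three traits."""
    padded_temp_procs = {}
    for ev in events:  # first pass: oversized executables launched from Temp
        if ev["EventID"] == 1 and is_temp_path(ev["Image"]) and ev.get("FileSize", 0) >= SIZE_THRESHOLD:
            padded_temp_procs[ev["ProcessGuid"]] = ev["Image"]
    hits = []
    for ev in events:  # second pass: those same processes reaching a blog/social host
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 3 and guid in padded_temp_procs and is_blog_host(ev["DestinationHostname"]):
            hits.append((guid, padded_temp_procs[guid], ev["DestinationHostname"]))
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("suspicious chain:", hit)
```

The size condition is what separates the padded dropper from an ordinary small installer run from Temp, so tune SIZE_THRESHOLD to the environment rather than treating 40 MB as fixed.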