The threat actor behind the Blackgear cyber-espionage campaign that is targeting Japanese entities is the same that hit Taiwan in 2012.
According to security experts from Trend Micro, Japanese organizations were targeted in an espionage campaign dubbed Blackgear.
The attackers behind Blackgear appear to be the same group that targeted users in Taiwan in 2012, when they used a well-known strain of malware detected by many security firms as Elirks.
The attack vectors are spear-phishing emails and compromised websites used to serve the malware in watering hole attacks. The compromised websites deliver a malicious downloader that drops decoy documents and then fetches the backdoors used by the group (i.e. Elirks and Ymalr).
The researchers noticed that both Elirks and Ymalr use blogging services as part of their command and control (C&C) infrastructure: the backdoor reads the address of the real C&C server from a blog or microblog post rather than carrying it in its configuration. This makes detection harder, keeps the location of the actual C&C server hidden, and lets the attackers switch servers simply by editing the post.
“BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts,” reads the blog post published by Trend Micro.
“Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users.”
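The dead-drop pattern described above (a host fetching a blog post and then contacting a server whose address was hidden in that post) leaves a detectable sequence in proxy logs. The following is an added example, not code from the article or from Trend Micro: it parses constructed proxy log lines and flags a host that contacts an unlisted external destination shortly after fetching from a blogging service. The domain names, IP addresses, hostnames and time window are assumptions chosen for the example; real deployments would replace them with the organisation's own allowlist and the blogging services seen in its traffic.

```python
"""Flag hosts that contact an unknown destination right after reading a blog post.

Constructed example of a proxy-log heuristic for dead-drop style C&C, where
the real C&C address is published in a blog or microblog post (as described
for the Elirks and Ymalr backdoors) rather than hard-coded in the malware.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumed blogging / microblogging domains treated as potential dead drops.
DEAD_DROP_DOMAINS = {"blog.example-jp.test", "micro.example.test"}

# Assumed allowlist of destinations that are known and never worth alerting on.
ALLOWLIST = {"www.example.org"}

# Constructed proxy log lines: timestamp, source host, destination, URL path.
SAMPLE_LOGS = """\
2016-10-03T09:00:01 ws-17 blog.example-jp.test /entry/20161003.html
2016-10-03T09:00:04 ws-17 203.0.113.45 /index.php
2016-10-03T09:05:00 ws-22 www.example.org /news
2016-10-03T09:06:10 ws-22 blog.example-jp.test /entry/12.html
2016-10-03T09:30:00 ws-22 198.51.100.9 /
2016-10-03T10:00:00 ws-31 198.51.100.9 /
"""


def parse_line(line):
    """Split one log line into (timestamp, host, destination, path)."""
    ts, host, dest, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, dest, path


def is_ip_literal(dest):
    """True when the destination is a bare IP address, which is typical when
    the address was read from a post instead of resolved from a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def find_dead_drop_followers(log_text, window=timedelta(minutes=5)):
    """Return alerts for hosts that contact a non-allowlisted destination
    within `window` after fetching from a dead-drop domain."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda event: event[0],
    )
    last_fetch = {}  # host -> (timestamp of last dead-drop fetch, domain)
    alerts = []
    for ts, host, dest, _path in events:
        if dest in DEAD_DROP_DOMAINS:
            last_fetch[host] = (ts, dest)
            continue
        if dest in ALLOWLIST or host not in last_fetch:
            continue
        fetch_ts, drop = last_fetch[host]
        if ts - fetch_ts <= window:
            alerts.append({
                "host": host,
                "dead_drop": drop,
                "dest": dest,
                "ip_literal": is_ip_literal(dest),
                "delay_s": int((ts - fetch_ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_followers(SAMPLE_LOGS):
        print(alert)
```

In the constructed sample only ws-17 is flagged: it reaches an IP literal three seconds after reading the blog entry, whereas ws-22 waits 24 minutes and ws-31 never touched a dead-drop domain. The window and the "unknown destination" test are the tuning knobs; a baseline of destinations each host normally contacts would replace the static allowlist in practice.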
The researchers observe that BLACKGEAR has evolved over time and that the threat actors behind the espionage campaign have now shifted their focus to Japan: the decoy documents used in the attacks are now written in Japanese, and the blogging services used as part of the C&C infrastructure are based in Japan.
Experts from Palo Alto Networks arrived at the same conclusion after observing cyber attacks against organizations in Japan this summer that presented many similarities with the earlier attacks against targets in Taiwan.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".