The trail left by a spate of cyberespionage campaigns has led Trend Micro researchers to believe a group dubbed BlackTech is behind the attacks.
The group operates against targets in East Asia focusing on Taiwan and occasionally Japan and Hong Kong with the goal of stealing technology, according to a June 22 blog post.
BlackTech was linked to the PLEAD information theft campaign, the Shrouded Crossbow campaign, which targeted privatized agencies and government contractors, and Waterbear, which used malware capable of remotely loading additional functions, based on their shared use of command-and-control servers, coordinated efforts, objectives, tools and techniques.
The group also uses what was described as a novel right-to-left override (RTLO) technique to obfuscate the malware's filename.
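As an added illustration of the RTLO trick mentioned above (example code written for this page, not Trend Micro's or the report's), the following Python check flags filenames that contain Unicode bidirectional override characters and reports the extension the OS actually uses versus the one a naive display would show. The sample filenames are constructed and not taken from any real campaign.

```python
import os

RLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE: the character behind the RTLO trick
PDF = "\u202C"  # POP DIRECTIONAL FORMATTING: ends an override if present
# Bidi control characters that have no business in a filename (set chosen for this example)
BIDI_CONTROLS = {"\u202A", "\u202B", RLO, PDF, "\u202D", "\u2066", "\u2067", "\u2068", "\u2069"}


def true_name(name: str) -> str:
    """Filename with every bidi control removed: the name the OS actually opens."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """Approximation of what a naive renderer shows: text after U+202E is
    mirrored until a U+202C or the end of the string."""
    start = name.find(RLO)
    if start == -1:
        return true_name(name)
    end = name.find(PDF, start)
    if end == -1:
        end = len(name)
    mirrored = name[start + 1:end][::-1]
    return true_name(name[:start] + mirrored + name[end + 1:])


def analyze_filename(name: str) -> dict:
    """Return what the user sees, what really runs, and whether the two extensions disagree."""
    shown = displayed_name(name)
    actual = true_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    actual_ext = os.path.splitext(actual)[1].lower()
    return {
        "has_bidi_override": any(ch in BIDI_CONTROLS for ch in name),
        "displayed": shown,
        "actual": actual,
        "actual_extension": actual_ext,
        "extension_mismatch": shown_ext != actual_ext,
    }


def flag_suspicious(names):
    """Names worth alerting on: any bidi control present, or displayed/real extension differ."""
    return [n for n in names if (r := analyze_filename(n))["has_bidi_override"] or r["extension_mismatch"]]


# Constructed sample: one RTLO-disguised executable, one benign document
SAMPLE_NAMES = ["photo_\u202Egpj.exe", "minutes.docx"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(analyze_filename(n))
```

On the constructed sample the first name is displayed as `photo_exe.jpg` but is really `photo_gpj.exe`, which is exactly the mismatch a mail gateway or EDR rule can key on.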
The categories and labels of stolen documents targeted by the group include: Address book, Budget, Business, Contract, Culture, Defense, Education, Energy, Foreign affairs, Funding application, Human affairs, Internal affairs, Laws, Livelihood economy, Meeting, Official letter, Password list, Performance appraisal, Physical culture, Press release, Public security and Schedule.
“It is not uncommon, for instance, for a group—especially a well-funded one—to split into teams and run multiple campaigns,” the post said. “While most of the campaigns' attacks are conducted separately, we've seen apparently joint operations conducted in phases that entail the work of different teams at each point in the infection chain.”
Researchers told SC Media it is noteworthy that the cybercriminals continue to invest in malware to avoid detection and defenses, signaling that these campaigns are meeting the criminals' goals and producing successful results.
“The campaigns continue to leverage new exploit techniques in order to stay relevant,” Trend Micro Vice President of Cloud Research Mark Nunnikhoven said. “As systems are patched and the campaigns' effectiveness is impacted, the criminals are moving to more effective techniques in order to continue to be impactful.”
Nunnikhoven said there are still a lot of unanswered questions concerning the group's use of malware that may only be answered if the threat actors are prosecuted.