Welcome to the VB2021 conference!

Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits

Sveva Vittoria Scenarelli (PwC) & Adam Prescott (PwC)
live only
18:15 UTC on Day 1
THURSDAY 07 OCTOBER
Little-discussed in open source, China-based threat actor BlackTech (which PwC tracks as Red Djinn) has a long history: from targeting Taiwan since at least 2010, to expanding its focus to Japan, and, more recently, the United States. Also known as the Phantom of Routers for its router exploitation capabilities, BlackTech has a peculiar characteristic: surprising defenders by changing and updating its toolset all the time, while also staying true to its core skillset. Since 2019, BlackTech has been on a development streak: introducing ELF variants of its main backdoors, minting new Remote Access tools, and – why not – adopting and potentially developing exploits.

Beyond a full timeline of BlackTech’s operations and how the threat actor has evolved, this presentation will offer a comprehensive view of the threat actor’s tools, techniques and procedures (TTPs) before, during and after initial intrusion. We will describe a full intrusion chain, from an email sent to a target, to malicious documents, to backdoors and dumping LSASS. In doing so, we will introduce new malware families that we attribute uniquely to BlackTech, including a downloader that we call Flagpro.

This will lead us straight into a web of command-and-control infrastructure, and to an open directory: one which we assess was used by BlackTech in 2021 to stage multiple backdoors, post-intrusion utilities, as well as several folders of vulnerability scanners and tailored router exploits with comments still in the code. We will analyse these exploits, and discuss at a higher level what they reveal about BlackTech’s capabilities and scope of targeting… and how we link all of the above back to Black(Tech).

Sveva Vittoria Scenarelli
PwC

As a senior analyst in PwC’s Threat Intelligence team, Sveva focuses on tracking advanced persistent threats based in the Asia-Pacific region, connecting malicious campaigns across time, malware and infrastructure. Sveva has previously presented at Virus Bulletin 2020, at CONFidence Online 2020, and at CyberThreat 2019 on BlackTech. Although her colleagues joke that her threat intelligence reports can be as long as university dissertations, Sveva’s specialty is deep-diving into the activity of threat actors over time to highlight how they change techniques and targeting.

Adam Prescott
PwC

Adam is the lead reverse engineer in PwC's Threat Intelligence team. He focuses on C2 discovery by reverse engineering malicious communication protocols, and also malware archaeology – taking a malicious tool and tracing the development and usage of it back in time. In addition, Adam regularly publishes in-depth reports on complex malware families via PwC's Threat Intelligence subscription, including PwC's open-source research on WellMess in 2020. Previously, Adam spent over four years working for a UK government department focusing on vulnerability research of embedded systems.