Welcome to the VB2021 conference!


Back to Black(Tech): an analysis of recent BlackTech operations and an open directory full of exploits

18:15 - 18:45 UTC Thu 7 Oct 2021
Sveva Vittoria Scenarelli (PwC) & Adam Prescott (PwC)
Little-discussed in open source, China-based threat actor BlackTech (which PwC tracks as Red Djinn) has a long history: from targeting Taiwan since at least 2010, to expanding its focus to Japan, and, more recently, the United States. Also known as the Phantom of Routers for its router exploitation capabilities, BlackTech has a peculiar characteristic: surprising defenders by changing and updating its toolset all the time, while also staying true to its core skillset. Since 2019, BlackTech has been on a development streak: introducing ELF variants of its main backdoors, minting new remote access tools, and – why not – adopting and potentially developing exploits.

Beyond a full timeline of BlackTech’s operations and how the threat actor has evolved, this presentation will offer a comprehensive view of the threat actor’s tools, techniques and procedures (TTPs) before, during, and after initial intrusion. We will describe a full intrusion chain, from an email sent to a target, to malicious documents, to backdoors and dumping LSASS. And in doing so, we will introduce new malware families that we attribute uniquely to BlackTech, including a downloader that we call Flagpro.

This will lead us straight into a web of command-and-control infrastructure, and to an open directory: one which we assess was used by BlackTech in 2021 to stage multiple backdoors, post-intrusion utilities, as well as several folders of vulnerability scanners and tailored router exploits with comments still in the code. We will analyse these exploits, and discuss at a higher level what they reveal about BlackTech’s capabilities and scope of targeting… and how we link all of the above back to Black(Tech).

Sveva Vittoria Scenarelli

As a senior analyst in PwC’s Threat Intelligence team, Sveva focuses on tracking advanced persistent threats based in the Asia-Pacific region, connecting malicious campaigns across time, malware and infrastructure. Sveva has previously presented at Virus Bulletin 2020, at CONFidence Online 2020, and at CyberThreat 2019 on BlackTech. Although her colleagues joke that her threat intelligence reports can be as long as university dissertations, Sveva’s specialty is deep-diving into the activity of threat actors over time to highlight how they change techniques and targeting.

Adam Prescott

Adam is the lead reverse engineer in PwC's Threat Intelligence team. He focuses on C2 discovery by reverse engineering malicious communication protocols, and also malware archaeology – taking a malicious tool and tracing the development and usage of it back in time. In addition, Adam regularly publishes in-depth reports on complex malware families via PwC's Threat Intelligence subscription, including PwC's open-source research on WellMess in 2020. Previously, Adam spent over four years working for a UK government department focusing on vulnerability research of embedded systems.