Rewterz Threat Alert – APT21 aka BlackTech Targeting East Asian Countries – Active IOCs

January 4, 2022

Severity

High

Analysis Summary

Tracing back activities to 2010, BlackTech is a commercial cyberespionage group that targets including finance, government, education, and technology. Their main motive remains around gathering sensitive information and data including confidential documents for their financial gains. Their common methods are spear-phishing emails that target specific individuals and targeted organizations. Threat actor uses Trojan horses such as Plead, TSCookie, Gh0st, and Bifrose made for covert computer surveillance. With their ties linked to China, they have attacked more than 40 countries for their gains and continue to expand their operations towards other countries. Countries that are targeted by these threat actors are Hong Kong, India, Indonesia, Iran, Japan, Jordan, Kazakhstan, Kyrgyzstan.

Impact

Data exfiltration
Information theft and espionage

Indicators of Compromise

Domain Name

org[.]misecure[.]com
update[.]centosupdates[.]com

IP

45[.]76[.]184[.]227
45[.]32[.]23[.]140
139[.]162[.]87[.]180
107[.]191[.]61[.]40
172[.]104[.]109[.]217

MD5

287d612e29b71c90aa54947313810a25
11746ae92be83ba28b05272fe03780d6
8f7205aaf80ce4b5d0ee8f00369f301a
8904341c8d4f2c339775524f38bba304
8d3e29bd96352a306022393e94a7270b
fd695898fe6a205ccc86d920d8ec6a9b
1b39dcc5de43d2840d6992a561e34eec

SHA-256

54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
e197c583f57e6c560b576278233e3ab050e38aa9424a5d95b172de66f9cfe970
655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5
840ce62f92fc519cd1a33b62f4b9f92a962b7fb28c12d2f607dec0b520e6a4b2
ba27ae12e6f3c2c87fd2478072dfa2747d368a507c69cd90b653c9e707254a1d
77680fb906476f0d84e15d5032f09108fdef8933bcad0b941c9f375fedd0b2c9
e81255ff6e0ed937603748c1442ce9d6588decf6922537037cf3f1a7369a8876

SHA-1

8f35a9e70dbec8f1904991773f394cd4f9a07f5e
7190a70241a58610a5f200daa253bc47b686a3d5
401d3336eb33cf82eecb5df5c2ac6d5f7f78aa26
f9990d6aebd55d6e7b4012a5fa07578218309efc
802e7e9bde53d254614268e4b78f03edb1db068d
f75a8b0e6af6a3447f1ea2f85089cfebaac7d936
abb567aadfbd5686b3fbed027dc297646e6bbf04

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

DarkCrystal RAT aka DCRat – Active IOCs

SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, the Middle East, and Africa – Active IOCs

Strela Stealer Malware Targets Microsoft Outlook Users for Credential Theft – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us