Security experts at Trend Micro have observed an evolving cyberespionage campaign named Blackgear that abuses blogging and social media services for command-and-control (C&C) communications. Blackgear dates back to 2008 and has previously targeted mainly public sector agencies and the telecom and high-tech industries in Japan, South Korea and Taiwan.
Trend Micro describes the latest on the Blackgear campaign in the report:
“A notable characteristic of Blackgear is the degree to which its attacks are taken to evade detection, abusing blogging, microblogging, and social media services to hide its command-and-control (C&C) configuration. Compared to when C&C information is embedded within the malware, where it’s preset and can thus be easily blocked, this tactic lets Blackgear’s operators quickly change C&C servers as needed. It can, in turn, prolong the campaign’s foothold in the system and enable attackers to carry out further lateral movement.”
The report also includes details on the Marade downloader and the Protux remote controller tool. In the latest campaign the actors also store their C&C configurations in encrypted form inside blog and social media posts, rather than in plain text.
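The dead-drop mechanism described in the quoted paragraph and the encrypted-configuration detail above, shown end to end as an added example that is not code from the page or from Trend Micro's report. The marker format, the repeating-key XOR, the key and the sample post are all assumptions chosen for illustration; nothing on this page describes Blackgear's real encoding. The block shows the operator side (wrap an encrypted C&C config into a post), the implant side (find and decrypt it), and a defender-side heuristic that flags long high-entropy base64-looking runs inside otherwise ordinary prose, which is the kind of check a content-inspection pipeline could apply to this tactic.

```python
import base64
import math
import re
from collections import Counter
from typing import Optional

# Hypothetical dead-drop format for illustration only (assumption, not from the report).
MARKER_START = "[[cfg:"
MARKER_END = "]]"
XOR_KEY = b"example-key"  # assumed key; a stand-in for whatever the real malware uses


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here as a toy substitute for the real encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(config: dict, key: bytes = XOR_KEY) -> str:
    """Operator side: serialise key=value pairs, encrypt, base64 and wrap in markers."""
    plain = ";".join(f"{k}={v}" for k, v in config.items()).encode()
    blob = base64.b64encode(xor_bytes(plain, key)).decode()
    return f"{MARKER_START}{blob}{MARKER_END}"


def extract_config(post_text: str, key: bytes = XOR_KEY) -> Optional[dict]:
    """Implant side: locate the wrapped blob in a fetched post, decrypt and parse it.
    Returns None when no blob is present or the payload is not decodable."""
    pattern = re.escape(MARKER_START) + r"([A-Za-z0-9+/=]+)" + re.escape(MARKER_END)
    m = re.search(pattern, post_text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        plain = xor_bytes(raw, key).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    pairs = (item.split("=", 1) for item in plain.split(";") if "=" in item)
    return {k: v for k, v in pairs}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_blobs(post_text: str, min_len: int = 24, min_entropy: float = 3.5) -> list:
    """Defender side: flag base64-looking runs that are long and high-entropy,
    which ordinary prose almost never contains. Thresholds are loose heuristics."""
    token_re = r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len
    return [tok for tok in re.findall(token_re, post_text)
            if shannon_entropy(tok) >= min_entropy]


# Constructed sample: an innocuous-looking post with the encrypted config embedded.
SAMPLE_CONFIG = {"host": "203.0.113.10", "port": "443", "path": "/api"}
SAMPLE_POST = (
    "Weekend hiking notes: the trail above the lake was quiet and the weather held. "
    + encode_config(SAMPLE_CONFIG)
    + " More photos next week."
)

if __name__ == "__main__":
    print("post:", SAMPLE_POST)
    print("implant recovers:", extract_config(SAMPLE_POST))
    print("defender flags:", suspicious_blobs(SAMPLE_POST))
```

Because the implant only ever contacts the public platform to read the post, blocking the hard-coded address in the binary achieves nothing; the operator edits the post and every implant follows. The entropy heuristic is deliberately coarse: it will not catch a config hidden steganographically or split across many short tokens, so treat it as one signal among several (who published the post, how often it changes, which hosts fetch it) rather than a detection on its own.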