Blackfly: Espionage Group Targets Materials Technology

Blackfly (also known as APT41, Winnti Group, Bronze Atlas) continues targeting Asia, focusing on the materials and composites sector and hitting two subsidiaries of an Asian conglomerate to steal intellectual property. Researchers detail a late-2022 to early-2023 toolset, including Backdoor.Winnkit and a range of credential, screenshotting, and proxy tools, that supports ongoing espionage activity. hashtags: #Blackfly #APT41 #WinntiGroup #BronzeAtlas #Backdoor.Winnkit #Mimikatz #ProxyConfigurationTool #ForkPlayground

Keypoints

  • Blackfly targets Asia and appears to be pursuing intellectual property theft in the materials and composites sector, including attacks on two subsidiaries of a regional conglomerate.
  • The current toolset (late 2022–early 2023) includes Backdoor.Winnkit and a suite of credential, screenshotting, and proxy utilities, with multiple SHA-256 hashes listed for several tools.
  • Credential dumping is performed via a tool that dumps from lsass.exe to C:\Windows\Temp\1.bin, and Mimikatz is mentioned as a publicly available credential-dumping tool.
  • Screenshotting captures all open windows and saves them as .jpg files, enabling visible reconnaissance of the victim environment.
  • Process hollowing is used to inject shellcode into svchost.exe to display a Hello World alert, illustrating defense-evasion and process-injection techniques.
  • Proxy configuration tools modify system proxy settings by injecting into svchost.exe, with a conf.dat file required by one tool to configure proxies.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Used as a backdoor suite; “The following tools were used in attacks during late 2022 and early 2023: Backdoor.Winnkit … SHA256: caba1085791d13172b1bb5aca25616010349ecce17564a00cb1d89c7158d6459” and related hashes.
  • [T1003] Credential Dumping – “Creates a dump of credentials from lsass.exe in C:\windows\temp\1.bin.”
  • [T1113] Screen Capture – “Screenshots all open windows and saves them as .jpg files.”
  • [T1055] Process Injection – “Injects shellcode in C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted. The shellcode is a simple ‘Hello World’ alert message.”
  • [T1059] SQL – “SQL client tool used to query SQL databases.”
  • [T1003] Credential Dumping – Mimikatz – “Publicly available credential-dumping tool.”
  • [T1005] Data from Local System – ForkPlayground – “Proof-of-Concept application to create a memory dump of an arbitrary process using the ForkLib.”
  • [T1090] Proxy – Proxy configuration tool – “Configures proxy settings by injecting into: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted.”
  • [T1090] Proxy – Proxy configuration tool – “This tool requires a file called conf.dat to run properly, located at: c:\users\public\conf.dat. Conf.dat contains the configuration to set up proxy settings.”
  • [T1014] Rootkit – Rootkit driver known to be associated with Blackfly – “Rootkit driver known to be associated with Blackfly.”
  • [T1003.006] Credential Dumping (DCSync) – “560ea79a96dc4f459e96df379b00b59828639b02bd7a7a9964b06d04cb43a35a – DCSync.”

Indicators of Compromise

  • [File hash] Backdoor.Winnkit – caba1085791d13172b1bb5aca25616010349ecce17564a00cb1d89c7158d6459, cf6bcd3a62720f0e26e1880fe7ac9ca6c62f7f05f1f68b8fe59a4eb47377880a, e1e0b887b68307ed192d393e886d8b982e4a2fd232ee13c2f20cd05f91358596, a3078d0c4c564f5efb1460e7d341981282f637d38048501221125756bc740aac, 714cef77c92b1d909972580ec7602b0914f30e32c09a5e8cb9cb4d32aa2a2196, 192ef0dee8df73eec9ee617abe4b0104799f9543a22a41e28d4d44c3ad713284
  • [File path] Credential-dumping – C:\Windows\Temp\1.bin
  • [File hash] Credential-dumping tool – 100cad54c1f54126b9d37eb8c9e426cb609fc0eda0e9a241c2c9fd5a3a01ad6c
  • [File hash] Screenshotting tool – 452d08d420a8d564ff5df6f6a91521887f8b9141d96c77a423ac7fc9c28e07e4
  • [File hash] Process-hollowing tool – 1cc838896fbaf7c1996198309fbf273c058b796cd2ac1ba7a46bee6df606900e
  • [File hash] SQL tool – 4ae2cb9454077300151e701e6ac4e4d26dc72227135651e02437902ac05aa80d
  • [File hash] Mimikatz – b28456a0252f4cd308dfb84eeaa14b713d86ba30c4b9ca8d87ba3e592fd27f1c
  • [File hash] ForkPlayground – a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864
  • [File hash] Proxy configuration tool – 5e51bdf067e5781d2868d97e7608187d2fec423856dbc883c6f81a9746e99b9f, d4e1f09cb7b9b03b4779c87f2a10d379f1dd010a9686d221c3a9f45bda5655ee, f138d785d494b8ff12d4a57db94958131f61c76d5d2c4d387b343a213b29d18f
  • [File hash] Proxy configuration tool – 88113bebc49d40c0aa1f1f0b10a7e6e71e4ed3ae595362451bd9dcebcf7f8bf4, 498e8d231f97c037909662764397e02f67d0ee16b4f6744cf923f4de3b522bc1
  • [File name] Conf.dat – c:\users\public\conf.dat
  • [Process] svchost.exe – C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
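As an added example that is not part of the original report or its tooling, the following Python script turns the indicators above into simple detection rules and runs them over a handful of constructed Sysmon-style events (the hashes and paths are the report's own; the event layout, field names and sample telemetry are assumptions for illustration):

```python
import re
from typing import Dict, List, Tuple

# SHA-256 values copied from the report's IoC list (a subset, not all of them)
IOC_SHA256 = {
    "caba1085791d13172b1bb5aca25616010349ecce17564a00cb1d89c7158d6459",  # Backdoor.Winnkit
    "100cad54c1f54126b9d37eb8c9e426cb609fc0eda0e9a241c2c9fd5a3a01ad6c",  # credential dumper
    "452d08d420a8d564ff5df6f6a91521887f8b9141d96c77a423ac7fc9c28e07e4",  # screenshot tool
    "5e51bdf067e5781d2868d97e7608187d2fec423856dbc883c6f81a9746e99b9f",  # proxy config tool
}
# File paths named in the report, compared case-insensitively
IOC_PATHS = {r"c:\windows\temp\1.bin": "lsass dump artifact",
             r"c:\users\public\conf.dat": "proxy tool config"}
# The exact svchost service group the report says is used as an injection target
SVCHOST_CMD = re.compile(r"svchost\.exe\s+-k\s+LocalSystemNetworkRestricted", re.I)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single (Sysmon-style, assumed schema) event trips."""
    hits: List[str] = []
    if ev.get("sha256", "").lower() in IOC_SHA256:
        hits.append("known_blackfly_hash")
    target = ev.get("target_file", "").lower()
    if target in IOC_PATHS:
        hits.append("ioc_path:" + IOC_PATHS[target])
    # Sysmon EID 10 (ProcessAccess): a handle opened to lsass.exe
    if ev.get("id") == "10" and ev.get("target_image", "").lower().endswith(r"\lsass.exe"):
        hits.append("lsass_access")
    # Sysmon EID 8 (CreateRemoteThread) into the svchost group named in the report
    if ev.get("id") == "8" and SVCHOST_CMD.search(ev.get("target_cmdline", "")):
        hits.append("svchost_injection")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Apply check_event to every event; return (event index, rule name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample events, not real telemetry; the last one is benign noise
SAMPLE_EVENTS = [
    {"id": "1", "image": r"C:\Users\Public\tool.exe",
     "sha256": "caba1085791d13172b1bb5aca25616010349ecce17564a00cb1d89c7158d6459"},
    {"id": "10", "image": r"C:\Users\Public\tool.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    {"id": "11", "image": r"C:\Users\Public\tool.exe", "target_file": r"C:\Windows\Temp\1.bin"},
    {"id": "8", "image": r"C:\Users\Public\px.exe",
     "target_cmdline": r"C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted"},
    {"id": "11", "image": r"C:\Windows\explorer.exe", "target_file": r"C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The lsass-access rule fires on any process opening a handle to lsass.exe, so in production it needs an allow-list of legitimate security products; the hash, path and svchost rules are tied to this report's indicators.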

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials