# Blacktech, CIRCUIT PANDA, Earth Hundun, G0098, HUAPI, Manga Taurus, Palmerworm, Red Djinn, T-APT-03, Temp.Overboard

## software
Flagpro
Kivars
PLEAD
PsExec
TSCookie
Waterbear




[1]
```
28ca0c218e14041b9f32a0b9a17d6ee5804e4ff52e9ef228a1f0f8b00ba24c11
3277e3f370319f667170fc7333fc5e081a0a87cb85b928219b3b3caf7f1e549c
35bd3c96abbf9e4da9f7a4433d72f90bfe230e3e897a7aaf6f3d54e9ff66a05a
485d5af4ad86e9241abd824df7b3f7d658b1b77c7dcc3c9b74bfe1ddc074c87d
4c05ee584530fd9622b9e3be555c9132fad961848ea215ecb0dd9430df7e4ed8
50ba9a2235b9b67e16e6bd26ae042a958d065eb2c5273f07eee20ec86c58a653
5818bfe75d73a92eb775fae3b876086a9e70e1e677b7c162b49fb8c1cc996788
5a35672f293f8f586fa9cfac0b09c2c52a85d4e8bc77b1ed4d7c16c58fe97a81
69d60562a8d69500e8cb47a48293894385743716e2214fd4e81682ab6ed1c46b
6d40c289a154142cdd5298e345bcea30b13f26b9eddfe2d9634e71e1fb935fbe
6f97022782d63c6cea53ad151c5b7e764e62533d8257e439033c0307437bfb2a
73799d67d32a2b5554c39330e81e7c8069feaa56520e22a7fd0a52e8857c510c
81a4b84700b5f4770b11a5fe30a8df42e5579fd622fd54143b3d2578df4b559d
884cefccd5b3c3a219a176c0c614834b5b6676abbac1d1c98f39624fccc71bf9
8cd6dfffc251f9571f7a82cca2eca09914c950f3b96aaaeaeaaeeac342f9b550
8da532ea294cc2c99e02ce8513a15b108a7c49bd90f7001ce6148955304733cb
9c436db49b27bed20b42157b50d8bdad414b12f01e2127718250565017a08d84
9e3ecda0f8e23116e1e8f2853cf07837dd5bc0e2e4a70d927b37cfe4f6e69431
a7f3b8afb963528b4821b6151d259cf05ae970bc4400b805f7713bd8a0902a42
aa51b69d05741144d139b422c3b90fdf6d7d5a36dd6c7090c226a0fc155ada34
b32ab70f3f441a775771d6c824d4526715460c0fd72a1dfdec8cd531aef5fabd
d4d5c73c40f50cdef1500fca8329bc8f3f05f6e2ffda9c8feb9be1dcca6ccd31
eed2ab9f2c09e47c7689204ad7f91e5aef3cb25a41ea524004a48bb7dc59f969
f11e2146b4b7da69112f4681daca0c5ec18917acc4cf4f78d8bff7ac0b53e15c
f21601686a2af1a312e0f99effa2c2755f872b693534dbe14f034fa23587ac0b
asiainfo.hpcloudnews.com
loop.microsoftmse.com
103.40.112.228
172.104.92.110
45.76.218.116
45.77.181.203
```


[2]
```
CVE-2015-5119, patched by Adobe last July, 2015
CVE-2012-0158, patched by Microsoft last April, 2012
CVE-2014-6352, patched by Microsoft last October, 2014
CVE-2017-0199, patched by Microsoft last April, 2017

itaiwans[.]com
microsoftmse[.]com
211[.]72[.]242[.]120
```




[3]
```
649675baef92381ffcdfa42e8959015e83c1ab1c7bbfd64635ce5f6f65efd651	BKDR_WATERBEAR.ZTGF
3909e837f3a96736947e387a84bb57e57974db9b77fb1d8fa5d808a89f9a401b	TROJ_WATERBEAR.ZTGD
fcfdd079b5861c0192e559c80e8f393b16ba419186066a21aab0294327ea9e58	TROJ_WATERBEAR.ZTGJ
3f26a971e393d7f6ce7bf4416abdbfa1def843a0cf74d8b7bb841ca90f5c9ed9	TROJ_WATERBEAR.ZTGH
abb91dfd95d11a232375d6b5cdf94b0f7afb9683fb7af3e50bcecdb2bd6cb035	TROJ_WATERBEAR.ZTGH
bda6812c3bbba3c885584d234be353b0a2d1b1cbd29161deab0ef8814ac1e8e1	TROJ_WATERBEAR.ZTGI
53402b662679f0bfd08de3abb064930af40ff6c9ec95469ce8489f65796e36c3	TROJ_WATERBEAR.ZTGH
f9f6bc637f59ef843bc939cb6be5000da5b9277b972904bf84586ea0a17a6000	TROJ_WATERBEAR.ZTGI
3442c076c8824d5da065616063a6520ee1d9385d327779b5465292ac978dec26	BKDR_WATERBEAR.ZTGD
7858171120792e5c98cfa75ccde7cba49e62a2aeb32ed62322aae0a80a50f1ea	TROJ64_WATERBEAR.ZTGI
acb2abc7fb44c2fdea0b65706d1e8b4c0bfb20e4bd4dcee5b95b346a60c6bd31	BKDR_WATERBEARENC.ZTGF
b9f3a3b9452a396c3ba0ce4a644dd2b7f494905e820e7b1c6dca2fdcce069361	BKDR64_WATERBEAR.ZTGD
7c0d2782a33debb65b488893705e71a001ea06c4eb4fe88571639ed71ac85cdd	BKDR_WATERBEARENC.ZTGH
c7c7b2270767aaa2d66018894a7425ba6192730b4fe2130d290cd46af5cc0b7b	BKDR_WATERBEARENC.ZTGI
7532fe7a16ba1db4d5e8d47de04b292d94882920cb672e89a48d07e77ddd0138	BKDR_WATERBEARENC.ZTGI
dea5c564c9d961ccf2ed535139fbfca4f1727373504f2972ac92acfaf21da831	BKDR_WATERBEARENC.ZTGI
05d0ab2fbeb7e0ba7547afb013d307d32588704daac9c12002a690e5c1cde3a4	BKDR64_WATERBEARENC.ZTGJ
39668008deb49a9b9a033fd01e0ea7c5243ad958afd82f79c1665fb73c7cfadf	BKDR_WATERBEARENC.ZTGD
```


[4] - some tweet
```
59.125.119[.]202
apple[.]wikaba[.]com
```


[5]
```
139.180.201.6
108.160.138.235
108.160.132.108
naaakkk.wikaba.com
ntstore.hosthampster.com
blog.mysecuritycamera.com
139.162.112.74

9603b62268c2bbb06da5c99572c3dc2ec988c49c86db2abc391acf53c1cccceb
cb1a536e11ae1000c1b29233544377263732ca67cd679f3f6b20016fbd429817
3d18bb8b9a5af20ab10441c8cd40feff0aabdd3f4c669ad40111e3aa5e8c54b8
```





[6]
```
638cfbe609d7f3e88767133be5ea5f9a75f1d703275f38eb9ec2414e179483b9
220[.]135[.]71[.]92:443 C2
```


[7]
```
mx[.]msdtc.tw
3fefceeab9f845f9ddbe9c3a0712d45aad4c87fdbb178d13955944dbe6b338a3
168.95.1[.]1
```


[8]

TsCookie
```
app.dynamicrosoft.com
home.mwbsys.org
fc863fbd71e22c99eaa2b1b0eb72d806cedeb536213e600afb03f0fbea9d2bb3
```


[9]

BiFrost

```
107.191.61.247
8fd3925dadf37bebcc8844214f2bcd18
```

```
rule RAT_BiFrost_UNIX
{
    meta:
    description= "HUAPI UNIX BiFrost RAT"
    author = "TeamT5"
    date = "2020-04-15"
    
    strings:
    $hex1 = {25 ?? 00 00 00 85 C0 75 37 8B 45 F0 89 C1 03 4D 08 8B 45 F0 03 45 08 0F B6 10 8B 45 F8 01 C2 B8 FF FF FF FF 21 D0 88 01 8B 45 F0 89 C2 03 55 08 8B 45 F0 03 45 08 0F B6 00 32 45 FD 88 02}
    $hex2 = {8B 45 F0 03 45 08 0F B6 00 30 45 FD 8B 45 F0 89 C1 03 4D 08 8B 45 F8 89 C2 02 55 FD B8 FF FF FF FF 21 D0 88 01}
    
    condition:
    all of them
}
```








[1]: https://www.security.com/threat-intelligence/palmerworm-blacktech-espionage-apt
[2]: https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
[3]: https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html
[5]: https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html
[6]: https://x.com/ESETresearch/status/1382054011264700416
[7]: https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/
[8]: https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html
[9]: https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/