BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List


BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.

Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the decoy documents used as part of its infection routines are now in Japanese; second, it now uses blogging and microblogging services based in Japan for its C&C activity.

This post will discuss this C&C routine, the tools used in these attacks, and the connections between these tools.

C&C configuration retrieval

Figure 1. Overview of C&C configuration retrieval method

Backdoors used by BLACKGEAR share a common characteristic: they all retrieve encrypted C&C configuration information from blogs or microblogs. An attacker would register an account on these services and then create posts. The encrypted C&C information would be between two hardcoded tags, as seen below:

Figure 2. Encrypted configuration information between tags

There are two reasons BLACKGEAR would use this technique. First, the backdoor's beacon traffic looks like ordinary traffic to a blog. Second, the threat actor can quickly switch C&C servers if one is blocked, simply by editing the post; a defender cannot stop the updated configuration from reaching affected machines without also blocking the legitimate blogging site.

Tools Used by BLACKGEAR

Figure 3. Tools used by BLACKGEAR campaign

The malware tools used by BLACKGEAR fall into three categories: binders, downloaders and backdoors. Binders are delivered onto a machine by the initial attack vector (such as phishing or a watering hole attack). They, in turn, drop decoys and downloaders. The downloaders connect to various sites under the attacker's control and retrieve backdoors. The backdoors establish persistence so that they remain on the affected machines and keep giving the attackers access.

By separating the attack tools into three stages, threat actors are able to adapt quickly. If one component is detected and/or blocked, it can be replaced without disrupting the entire toolset.


The binder (which we detect as the TROJ_BLAGFLDR family) poses as a normal folder by using a folder icon. Once the victim opens it, it executes the downloader in the background, drops a decoy folder containing fake documents, then deletes itself, so the victim does not notice that a malicious downloader has run.



TSPY_RAMNY is a downloader dropped by TROJ_BLAGFLDR malware. To remain persistent, it moves itself to the Windows temp folder and drops a *.lnk (Windows Shortcut) file in the startup folder that points to itself. It also sends information about the compromised host (such as network settings) back to the download site.

The download link is formatted in the following format:

  • https://{IP address}/{folder name}/{webpage name} (Example: https://{IP address}/multi/index.html)

This is done so that, to anyone looking only at the URL, the backdoor download looks like a request for an ordinary web page.


TSPY_YMALRMINI is another downloader dropped by TROJ_BLAGFLDR; it too sends information about the compromised host back to the download site and uses the same URL format as TSPY_RAMNY. We were unable to determine which payloads this downloader retrieved. However, our research indicates that some of these downloads are saved as drWaston.exe on the compromised host. The same file name is also used by some ELIRKS variants, indicating a possible connection.

The family name comes from the PDB string found in some variants, “C:\toolson-mini\YmailerCreater – Debug\Binder\Binder\YMailer.pdb”. These variants also create a log file named YmailerMini.log.



BKDR_ELIRKS was the first family of backdoors tied to BLACKGEAR. It retrieves encrypted C&C configuration information from various blogging or microblogging services. Once decoded, it connects to these C&C servers and waits for commands given by a threat actor. To remain persistent, it moves itself to the Windows temp folder and drops a *.lnk (Windows Shortcut) file in the startup folder that points to itself.

Its backdoor routines include getting information from the compromised host, downloading and running files, taking screenshots, and opening a remote shell.


BKDR_YMALR is a backdoor written using the .NET framework which is also known as LOGEDRUT. The detection name comes from a log file created by this malware family named YMailer.log. Its behavior is similar to ELIRKS – both in terms of C&C information retrieval and available commands to a threat actor.

Encryption and Decryption


Reverse engineering ELIRKS allowed us to determine how to decrypt the C&C information; the following Python code does so:

#! /usr/bin/env python3

from ctypes import c_uint32

def decipher(v, k):
     # v: the two 32-bit ciphertext words, k: the four 32-bit key words.
     # The state set-up was missing from the listing as reproduced here;
     # the values below are assumptions. delta is the standard TEA constant.
     # The listing increments sum each round (the "modified" TEA the text
     # mentions); standard TEA decryption would start at 0xC6EF3720 and
     # subtract delta instead.
     y = c_uint32(v[0])
     z = c_uint32(v[1])
     sum = c_uint32(0)             # assumed starting value
     delta = c_uint32(0x9E3779B9)
     n = 32                        # assumed round count
     w = [0, 0]

     while n > 0:
          # c_uint32 assignment wraps at 32 bits, so no explicit masking is needed
          z.value -= (y.value + sum.value) ^ (y.value * 16 + k[2]) ^ (( y.value >> 5 ) + k[3])
          y.value -= (z.value + sum.value) ^ (z.value * 16 + k[0]) ^ (( z.value >> 5 ) + k[1])
          sum.value += delta.value
          n -= 1

     w[0] = y.value
     w[1] = z.value
     return w

if __name__ == '__main__':
     key = [0x8F3B39F1, 0x8D3FBD96, 0x473EAA92, 0x502E41D2]
     # Put the two 32-bit words recovered from the blog post here (placeholders).
     ciphertext = [0x00000000, 0x00000000]
     res = decipher(ciphertext, key)
     plaintext = "%08X" % res[0]   # zero-pad so the byte slices below line up
     # The address is stored little-endian in the first word: lowest byte first.
     c4 = str(int(plaintext[6:8], 16))
     c3 = str(int(plaintext[4:6], 16))
     c2 = str(int(plaintext[2:4], 16))
     c1 = str(int(plaintext[:2], 16))
     print(c4 + "." + c3 + "." + c2 + "." + c1)

The malware contains shellcode holding two items: the URL of the blog entry and the tags that mark where in the fake article the hidden C&C information is located. Once the fake blog/microblog post has been downloaded, the malware finds the text between the tags and decrypts it.

The C&C information is stored in the post as two short pieces of text. The first is an eight-character string that decodes to a six-byte hexadecimal value. The second is a two-character string that is already in hexadecimal form and is appended to the end. A modified version of the TEA algorithm decrypts the result into the C&C server location.
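To make the retrieval path concrete, here is an added example (not code from the original post or from the malware itself) that implements both halves of the scheme described above and in the C&C configuration retrieval section: an operator side that hides an encrypted ip:port record between two marker tags in a post, and an implant side that pulls the text between the tags, decrypts it and recovers the server. It uses the TEA key from the script above but standard TEA rather than the malware's modified variant; the tags, the post text, the 8-byte record layout with a port field, and the sample addresses are all constructed for the example.

```python
import re
import socket
import struct

# Key from the page's decryption script; everything else below (tags, post
# text, record layout, addresses) is constructed for this example.
TEA_KEY = (0x8F3B39F1, 0x8D3FBD96, 0x473EAA92, 0x502E41D2)
OPEN_TAG = "[[kcup]]"      # hypothetical marker tags
CLOSE_TAG = "[[/kcup]]"
DELTA = 0x9E3779B9         # standard TEA constant
ROUNDS = 32
MASK = 0xFFFFFFFF


def tea_encipher(v, k):
    """Standard TEA encryption of two 32-bit words with a four-word key."""
    y, z, s = v[0], v[1], 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        y = (y + ((((z << 4) & MASK) + k[0]) ^ (z + s) ^ ((z >> 5) + k[1]))) & MASK
        z = (z + ((((y << 4) & MASK) + k[2]) ^ (y + s) ^ ((y >> 5) + k[3]))) & MASK
    return y, z


def tea_decipher(v, k):
    """Standard TEA decryption: the same rounds run backwards, sum counting down."""
    y, z, s = v[0], v[1], (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        z = (z - ((((y << 4) & MASK) + k[2]) ^ (y + s) ^ ((y >> 5) + k[3]))) & MASK
        y = (y - ((((z << 4) & MASK) + k[0]) ^ (z + s) ^ ((z >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return y, z


def encode_record(ip, port):
    """Operator side: pack ip:port into 8 bytes, encrypt, and hex-encode.
    The IP sits little-endian in the first word (lowest byte = first octet),
    the same byte order the page's script assumes; the port field and the
    zero padding are this example's own layout."""
    plain = socket.inet_aton(ip) + struct.pack("<H", port) + b"\x00\x00"
    c0, c1 = tea_encipher(struct.unpack("<II", plain), TEA_KEY)
    return "%08X%08X" % (c0, c1)


def make_post(ip, port):
    """A constructed blog page with the record hidden in an ordinary-looking paragraph."""
    return ("<html><body><p>Weekend trip photos coming soon!</p>\n"
            "<p>" + OPEN_TAG + encode_record(ip, port) + CLOSE_TAG + "</p>\n"
            "<p>Comments welcome.</p></body></html>")


def extract_record(page):
    """Implant side: pull the hex text between the two hardcoded tags."""
    m = re.search(re.escape(OPEN_TAG) + r"([0-9A-Fa-f]{16})" + re.escape(CLOSE_TAG), page)
    return m.group(1) if m else None


def decode_record(hex_record):
    """Implant side: decrypt the record and recover (ip, port)."""
    c0, c1 = int(hex_record[:8], 16), int(hex_record[8:], 16)
    plain = struct.pack("<II", *tea_decipher((c0, c1), TEA_KEY))
    return socket.inet_ntoa(plain[:4]), struct.unpack("<H", plain[4:6])[0]


def resolve_c2(page):
    """Full retrieval path; None when the page carries no tagged record."""
    rec = extract_record(page)
    return decode_record(rec) if rec else None


if __name__ == "__main__":
    # Rotating the C&C only requires editing the post, not touching the implant.
    for ip, port in (("192.0.2.10", 443), ("198.51.100.7", 8080)):
        print(resolve_c2(make_post(ip, port)))
```

Swapping the C&C server is a matter of editing the post: the implant, its tags and its key stay the same, which is why blocking only the current server does not help and why a non-browser process fetching blog pages, rather than the page content itself, is the more useful thing to look for on the network.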

Figure 4. BKDR_ELIRKS decryption algorithm


BKDR_YMALR implements the same behavior in a slightly different manner. It contains several encrypted strings:

Figure 5. Encrypted strings in BKDR_YMALR

These encrypted strings are produced by first Base64-encoding the blog URLs and tags, then encrypting the result with DES. The key and initialization vector are hardcoded, and both are set to 1q2w3e4r (a walk across two adjacent rows of a standard keyboard rather than a randomly generated key).

Figure 6. Blog URL and tags in BKDR_YMALR

Figure 7. BKDR_YMALR decryption algorithm

Once these have been decoded, BKDR_YMALR uses the same algorithm as ELIRKS to obtain the C&C information.

Figure 8. BKDR_YMALR configuration from the blog post

Connections between tools

Figure 9. Connections between tools

Beyond simply being used together, the different tools used by BLACKGEAR show distinct connections. The string “YMailer” appears in the log file names used by both BKDR_YMALR and TSPY_YMALRMINI, and in the PDB strings of the latter. The two downloaders, TSPY_RAMNY and TSPY_YMALRMINI, both use the string “toolson” in different places. Lastly, both downloaders and one backdoor share the same decryption key, 1q2w3e4r. The illustration above shows these connections between the families.


Malware threats must evolve or cease to be threats. To stay relevant, BLACKGEAR has evolved with both new tools and new targets, and it will continue to be a threat for the foreseeable future. We will continue to monitor its activities in order to protect our customers.