Hello, I am morimolymoly.
I analyzed domain abuse by BlackTech, which is actively attacking Japan, Taiwan, the US, Singapore, and Hong Kong.
I read TrendMicro’s article about BlackTech.
BlackTech used itaiwans[.]com for C2.
I searched this domain on VirusTotal and got the following result.
I could obtain some subdomains.
The domains marked malicious are well known and not interesting to me, so I looked at library[.]itaiwans[.]com instead and got the following result.
As we can see, hxxp://library[.]itaiwans[.]com/logo[.]png looks really promising, and BlackTech has been reusing this domain for years!
I could also get one malware sample (47ec90f43990c19c62317839168e34637be57d77bcd8d4adadf02963a93b5808).
Yeah, it is IconDown!
IconDown fetches an encrypted file from the C2 server, decrypts the payload with RC4, and deploys it to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\slui.exe.
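Added example, not code from the original post or from any BlackTech tooling: an analyst-side RC4 decryptor with a PE-header sanity check, the kind of helper I use on the blob fetched from the C2 before looking at it further. The RC4 key and the sample blob are constructed placeholders, since the real key is not given here.

```python
# Analyst helper: RC4-decrypt a downloaded blob and check whether the result
# is a PE file (the dropped slui.exe would be one). Key and sample are constructed.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_payload(blob: bytes, key: bytes) -> bytes:
    """Decrypt a fetched blob; raise if the result does not look like a PE."""
    plain = rc4(key, blob)
    if not looks_like_pe(plain):
        raise ValueError("decrypted data is not a PE file: wrong key or not a payload")
    return plain


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob (DOS header + PE signature) for testing."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_KEY = b"placeholder-key"          # constructed; real key not on this page
SAMPLE_BLOB = rc4(SAMPLE_KEY, build_fake_pe())  # constructed "encrypted" download
```

Feed the real logo[.]png bytes and the key recovered from the sample into decrypt_payload; a ValueError means the key or the blob is wrong, not that the check is broken.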