Several Japanese companies have been spotted using the Flagpro malware, and here to take the advantage of it, the BlackTech cyber-espionage APT group targets those companies to execute OS commands by exploiting the Flagpro malware.
The cybersecurity analysts at NTTSecurity has claimed that in the first stage, the threat actors evaluate the following things by exploiting the malware for surveillance purposes:-
- Evaluate the target’s environment.
- Download second-stage malware.
- Then, at last, execute it.
Flagpro Ignition Analysis
While if we talk about the ignition analysis of Flagpro, then let me simplify to explain it step-by-step:-
- Flagpro starts with a spear-phishing e-mail.
- Then, it is accommodated to its target organization.
- To deceive its target, the threat actors disguise the malware as an email sent from the target’s business partner for communication mean.
- It implies, that before launching any attack the attacker put its root deeper into target’s network.
- A password-protected archived file (ZIP or RAR) was attached with the email that contains a malicious macro (Used as a dropper).
- In the message, they also provide the password.
- Then the contents of the xlsm file were manipulated for the target.
- At this stage, in the startup directory, the malicious macro assembles an EXE file (Flagpro) and it named the file “dwm.exe.”
- Now during the next launch, the dwm.exe will be executed, and then it establishes communication with a C&C server.
- Then Flagpro malware downloads a second stage malware after getting a command from the C&C server via HTTP and then executes it.
This is the whole attack chain through which the threat actor exploits the Flagpro malware to execute OS commands on the compromised network systems.
Main Functions Flagpro
Here are the main functions of Flagpro malware:-
- Download and execute a tool.
- Execute OS commands and send the results.
- Collect and send Windows authentication information.
Apart from this, the current variant of Flagpro has been tagged as “Flagpro v2.0,” while the old variant was well-known as “Flagpro v1.0.”
In Flagpro v1.0, it automatically clicks the OK button to close the dialog that is titled as “Windows セキュリティ,” and when Flagpro accesses an external site this dialog box is displayed.
The language used clearly depicts that their targets are mainly:-
- English-speaking countries
But, in the case of Flagpro v2.0, it only checks two elements before clicking the OK button, “username and password,” whether they are filled or not in a dialog as an additional feature.
Moreover, the cybersecurity analysts at NTTSecurity have speculated that the BlackTech APT group is associated with China, but, still, it’s not confirmed yet since this APT group is a lesser-known group, and it was first spotted in 2017 by TrendMicro researchers.