Home News New Flagpro Malware Linked to Chinese State-Backed Hackers

New Flagpro Malware Linked to Chinese State-Backed Hackers


Japanese corporations have been targeted by the cyberespionage APT (advanced persistent threat) outfit BlackTech, which uses cutting-edge malware they have dubbed “Flagpro.”

In the initial phase of an assault, the threat actor use Flagpro to do network reconnaissance, assess the environment of the target, and download and run second-stage malware.

Compromising company networks

The infection chain starts with a phishing email that is specifically designed for the target company and poses as coming from a reliable partner.

The email includes a password-protected ZIP or RAR attachment with a malicious macro-laced Microsoft Excel file (.XLSM) in it. By running this code, the Flagpro executable is created in the startup directory.

When Flagpro is first run, it establishes an HTTP connection with the C2 server and delivers information about the system ID that was collected by executing hardcoded OS commands.

The C2 can then respond by delivering extra directives or a second-stage payload that Flagpro can carry out.

In order to prevent the emergence of a pattern of recognisable actions, the communication between the two is Base64 encoded and has a programmable time delay between connections.

NTT Security claims that Flagpro has been used against Japanese businesses for at least a year, from October 2020. The researchers were able to get a sample as recent as July 2021.

The businesses being targeted come from a range of industries, including communications, media, and defence technologies.

v2.0 of Flagpro

NTT researchers discovered a new version of Flagpro during their study that has the ability to instantly dismiss dialogues related to creating links with the outside world that may otherwise betray its presence to the victim.

According to the NTT Security report, “In the implementation of Flagpro v1.0, if a dialogue titled “Windows ” is displayed when Flagpro accesses an external site, Flagpro automatically clicks OK button to close the dialogue.”

When the dialogue is written in Chinese or English, this treatment also functions. It indicates that English-speaking nations, Taiwan, and Japan are the objectives.

Probable Chinese actor

BlackTech APT is a lesser-known actor with ties to China that TrendMicro researchers first discovered in the summer of 2017.
Although occasionally attacking businesses in Japan and Hong Kong to steal technology, its usual targets are in Taiwan.

A Unit 42 report from February 2021 linked BlackTech to WaterBear, another cyberspying organisation thought to be supported by the Chinese government.

Since BlackTech is an APT, it has the knowledge and skill to modify its tools in response to fresh information like this, hence Flagpro will probably now be changed for deployment that is more covert.

“Recently, they (BlackTech) have started utilising other new malware called “SelfMake Loader” and “Spider RAT,” according to the NTT report’s conclusion. It indicates that they are working on creating new malware right now.

Defenders must pay attention to the latest signs of compromise brought on by the new virus and adhere to all recommended security practises to keep their defences robust against cutting-edge attacks like BlackTech.

Read Also: