The cyber-espionage APT (advanced persistent threat) group BlackTech has been observed targeting Japanese firms with new malware called ‘Flagpro.’ The threat actor uses Flagpro in the early stages of an attack to conduct network reconnaissance, assess the target’s environment, and download and execute second-stage malware.
The infection chain starts with a phishing email tailored to the target company and posing as a message from a trusted partner. The email carries a password-protected ZIP or RAR attachment containing a Microsoft Excel file (.XLSM) laced with a malicious macro; when the macro runs, it drops the Flagpro executable into the startup directory.
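As an added example (not code from the NTT report or from this article), the Python helper below shows how a mail-gateway or sandbox triage step can inspect a ZIP attachment of the kind described above: it records whether members are encrypted (a password-protected archive is itself a triage signal, and its contents are only readable once the password from the email body is supplied) and reports any Office document inside that carries a VBA project, by looking for a `vbaProject.bin` part or a macro-enabled content type. The archive, file names and workbook contents are constructed test data, not samples from the campaign.

```python
import io
import zipfile

# OOXML content type that marks a macro-enabled Excel workbook.
MACRO_CONTENT_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
OFFICE_EXTS = (".xlsm", ".xlsx", ".docm", ".docx", ".pptm", ".pptx")


def office_doc_has_vba(doc_bytes: bytes) -> bool:
    """True if an OOXML document carries a VBA project (by part name or content type)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass
    return False


def triage_attachment(archive_bytes: bytes, password=None) -> dict:
    """Inspect a ZIP attachment: note encrypted members and list macro-bearing Office documents.
    Encrypted members can only be read when the archive password is supplied."""
    report = {"encrypted": False, "members": [], "macro_docs": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        if password:
            z.setpassword(password)
        for info in z.infolist():
            report["members"].append(info.filename)
            if info.flag_bits & 0x1:          # general-purpose bit 0: member is encrypted
                report["encrypted"] = True
            if info.filename.lower().endswith(OFFICE_EXTS):
                try:
                    data = z.read(info)
                except RuntimeError:          # encrypted member and no/wrong password
                    continue
                if office_doc_has_vba(data):
                    report["macro_docs"].append(info.filename)
    return report


def build_sample_attachment() -> bytes:
    """Constructed test data: a ZIP holding a minimal macro-enabled workbook and a plain one."""
    def workbook(macro: bool) -> bytes:
        ctype = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("[Content_Types].xml",
                       f'<Types><Override PartName="/xl/workbook.xml" ContentType="{ctype}"/></Types>')
            z.writestr("xl/workbook.xml", "<workbook/>")
            if macro:
                # Placeholder bytes standing in for a real OLE-wrapped VBA project.
                z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
        return buf.getvalue()

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2021.xlsm", workbook(macro=True))
        z.writestr("Notes.xlsx", workbook(macro=False))
        z.writestr("readme.txt", "please open the attached workbook")
    return outer.getvalue()


if __name__ == "__main__":
    print(triage_attachment(build_sample_attachment()))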
Flagpro connects to the C2 server over HTTP for the first time and delivers system ID information gathered by performing hardcoded OS instructions. The C2 can respond with more directives or a second-stage payload for Flagpro to process. The communication between them is encoded in Base64, and there’s an adjustable time delay between connections to prevent a pattern of recognizable actions.
Flagpro has been used against Japanese companies for more than a year, from at least October 2020, as per research by NTT Security. The most current sample available to the researchers is from July 2021. The businesses targeted are from various industries, including defense, media, and communications.
NTT researchers discovered a new version of Flagpro during their investigation, which can automatically stop dialogs related to establishing external connections that may betray its existence to the victim.
“In the implementation of Flagpro v1.0, if a dialog titled “Windows セキュリティ” is displayed when Flagpro accesses to an external site, Flagpro automatically clicks OK button to close the dialog,” clarifies the NTT Security report.
“This handling also works when the dialog is written in Chinese or English. It indicates the targets are in Japan, Taiwan, and English-speaking countries.”
BlackTech APT is a lesser-known actor linked to China that TrendMicro researchers first discovered in 2017. Its usual targets are Taiwanese corporations; however, it has also stolen technology from Japanese and Hong Kong companies.
A Unit 42 report from February 2021 linked BlackTech to WaterBear; another cyber-espionage group thought to be funded by the Chinese government. As an APT, BlackTech has the expertise and complexity to adapt its tools to new reports like this one. Therefore, Flagpro will almost certainly be changed to make it stealthier.
According to the NTT report concludes: “Recently, they (BlackTech) have started using other new malware called “SelfMake Loader” and “Spider RAT”. It means that they are actively developing new malware.”
Defenders must be aware of the new signs of compromise associated with the latest malware and adhere to best security practices to maintain effective defenses against sophisticated attacks such as BlackTech.