March 27, 2023
4 Types of Malware You Need to Know - Panda Security Mediacenter

Researchers have spotted a China-linked BlackTech cyberespionage group targeted Japanese companies using new malware tracked as Flagpro that targeted multiple companies in Defense, Media, and Communications industries several times. 

Flagpro has been employed by the APT group at least since October 2020. The most recent sample analyzed by the researchers is from July 2021.

Flagpro was used as a first-stage payload for reconnaissance purposes, and also it downloads second stage malware and execute it. The attack chain starts with phishing messages that were crafted for the target organization. The phishing messages are disguised as an e-mail with a target’s business partner.

The spear-phishing messages use a password-protected ZIP or RAR attachment and the password is included in the content of the email. The archive contains a weaponized Microsoft Excel file (.XLSM), upon executing the macro the code creates an executable in the startup directory, the Flagpro.

The commands from a C&C server are encoded with Base64. A new version of malware, dubbed Flagpro v2.0, which can automatically close dialogs relevant to establishing external connections to reduce a risk that a user detects an external connection by the malware.

In the implementation of v1.0, if a dialog titled “Windows セキュリティ” is displayed when Flagpro accesses to an external site, Flagpro automatically clicks OK button to close the dialog. This handling also works when the dialog is written Chinese and English. It can indicate the targets are Japan, Taiwan, and English-speaking countries.Flagpro v2.0 checks whether both username and password are filled in a dialog as an additional feature before clicking the OK button.

The activity of the BlackTech APT was first detailed by TrendMicro in 2017, the group focuses on targets in Taiwan, Japan and Hong Kong and is aimed at stealing technology.

Recently, the cyberespionage group has started using other malware strains tracked as “SelfMake Loader” and “Spider RAT.”

Indicators Of Compromise

  • 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
  • e197c583f57e6c560b576278233e3ab050e38aa9424a5d95b172de66f9cfe970
  • 655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5
  • 840ce62f92fc519cd1a33b62f4b9f92a962b7fb28c12d2f607dec0b520e6a4b2
  • ba27ae12e6f3c2c87fd2478072dfa2747d368a507c69cd90b653c9e707254a1d
  • 77680fb906476f0d84e15d5032f09108fdef8933bcad0b941c9f375fedd0b2c9
  • e81255ff6e0ed937603748c1442ce9d6588decf6922537037cf3f1a7369a8876
  • 45[.]76.184.227
  • 45[.]32.23.140
  • 139[.]162.87.180
  • 107[.]191.61.40
  • 172[.]104.109.217

Leave a Reply

%d bloggers like this: