Researchers from NTT Security reported that China-linked BlackTech cyberespionage group targeted Japanese companies using new malware tracked as ‘Flagpro’. Attacks using Flagpro targeted multiple companies in Defense, Media, and Communications industries several times.
According to a report by NTT Security, Flagpro has been employed by the APT group at least since October 2020. The most recent sample analyzed by the researchers is from July 2021.
Flagpro was used as a first-stage payload for reconnaissance purposes, it also download second-stage malware and execute it.
The attack chain starts with phishing messages that were crafted for the target organization. The phishing messages are disguised as an e-mail with a target’s business partner.
The spear-phishing messages use a password-protected ZIP or RAR attachment and the password is included in the content of the email. The archive contains a weaponized Microsoft Excel file (.XLSM), upon executing the macro the code creates an executable in the startup directory, the Flagpro.
“Flagpro communicates with a C&C server, and it receives commands to execute from the server, or Flagpro downloads a second stage malware and then executes it.” reads the analysis published by NTT Security. “The attackers check the target’s environment whether it is suitable for running the second stage malware or not. If they determine to attack the target, another malware sample will be downloaded and executed.”
The commands from a C&C server are encoded with Base64.
NTT researchers also identified a new version of malware, dubbed Flagpro v2.0, which can automatically close dialogs relevant to establishing external connections to reduce a risk that a user detects an external connection by the malware.
“In the implementation of v1.0, if a dialog titled “Windows セキュリティ” is displayed when Flagpro accesses to an external site, Flagpro automatically clicks OK button to close the dialog. This handling also works when the dialog is written Chinese and English. It can indicate the targets are Japan, Taiwan, and English-speaking countries.” continues the report. “Flagpro v2.0 checks whether both username and password are filled in a dialog as an additional feature before clicking the OK button.”
Recently, the cyberespionage group has started using other malware strains tracked as“SelfMake Loader” and “Spider RAT.”
“It means that they are actively developing new malwares. Therefore, you need to pay attention to the attacks from BlackTech.” concludes the report that also includes IoCs.