Saturday, November 16, 2024
HomeMalwareBlackTech Hacker Group Uses New Flagpro Malware to Execute OS Commands

BlackTech Hacker Group Uses New Flagpro Malware to Execute OS Commands

Published on

Several Japanese companies have been spotted using the Flagpro malware, and here to take the advantage of it, the BlackTech cyber-espionage APT group targets those companies to execute OS commands by exploiting the Flagpro malware.

The cybersecurity analysts at NTTSecurity has claimed that in the first stage, the threat actors evaluate the following things by exploiting the malware for surveillance purposes:-

  • Evaluate the target’s environment.
  • Download second-stage malware.
  • Then, at last, execute it.

Flagpro Ignition Analysis

While if we talk about the ignition analysis of Flagpro, then let me simplify to explain it step-by-step:-

- Advertisement - SIEM as a Service
  • Flagpro starts with a spear-phishing e-mail.
  • Then, it is accommodated to its target organization.
  • To deceive its target, the threat actors disguise the malware as an email sent from the target’s business partner for communication mean.
  • It implies, that before launching any attack the attacker put its root deeper into target’s network.
  • A password-protected archived file (ZIP or RAR) was attached with the email that contains a malicious macro (Used as a dropper).
  • In the message, they also provide the password.
  • Then the contents of the xlsm file were manipulated for the target.
  • At this stage, in the startup directory, the malicious macro assembles an EXE file (Flagpro) and it named the file “dwm.exe.”
  • Now during the next launch, the dwm.exe will be executed, and then it establishes communication with a C&C server.
  • Then Flagpro malware downloads a second stage malware after getting a command from the C&C server via HTTP and then executes it.

This is the whole attack chain through which the threat actor exploits the Flagpro malware to execute OS commands on the compromised network systems.

Main Functions Flagpro

Here are the main functions of Flagpro malware:-

  • Download and execute a tool.
  • Execute OS commands and send the results.
  • Collect and send Windows authentication information.

Targets

Apart from this, the current variant of Flagpro has been tagged as “Flagpro v2.0,” while the old variant was well-known as “Flagpro v1.0.”

In Flagpro v1.0, it automatically clicks the OK button to close the dialog that is titled as “Windows セキュリティ,” and when Flagpro accesses an external site this dialog box is displayed.

The language used clearly depicts that their targets are mainly:-

  • Japan
  • Taiwan
  • English-speaking countries

But, in the case of Flagpro v2.0, it only checks two elements before clicking the OK button, “username and password,” whether they are filled or not in a dialog as an additional feature.

Moreover, the cybersecurity analysts at NTTSecurity have speculated that the BlackTech APT group is associated with China, but, still, it’s not confirmed yet since this APT group is a lesser-known group, and it was first spotted in 2017 by TrendMicro researchers.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

China-Nexus Actors Hijack Websites to Deliver Cobalt Strike malware

A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...