Friday, April 19, 2024

BlackTech Hacker Group Uses New Flagpro Malware to Execute OS Commands

Several Japanese companies have been spotted using the Flagpro malware, and here to take the advantage of it, the BlackTech cyber-espionage APT group targets those companies to execute OS commands by exploiting the Flagpro malware.

The cybersecurity analysts at NTTSecurity has claimed that in the first stage, the threat actors evaluate the following things by exploiting the malware for surveillance purposes:-

  • Evaluate the target’s environment.
  • Download second-stage malware.
  • Then, at last, execute it.

Flagpro Ignition Analysis

While if we talk about the ignition analysis of Flagpro, then let me simplify to explain it step-by-step:-

  • Flagpro starts with a spear-phishing e-mail.
  • Then, it is accommodated to its target organization.
  • To deceive its target, the threat actors disguise the malware as an email sent from the target’s business partner for communication mean.
  • It implies, that before launching any attack the attacker put its root deeper into target’s network.
  • A password-protected archived file (ZIP or RAR) was attached with the email that contains a malicious macro (Used as a dropper).
  • In the message, they also provide the password.
  • Then the contents of the xlsm file were manipulated for the target.
  • At this stage, in the startup directory, the malicious macro assembles an EXE file (Flagpro) and it named the file “dwm.exe.”
  • Now during the next launch, the dwm.exe will be executed, and then it establishes communication with a C&C server.
  • Then Flagpro malware downloads a second stage malware after getting a command from the C&C server via HTTP and then executes it.

This is the whole attack chain through which the threat actor exploits the Flagpro malware to execute OS commands on the compromised network systems.

Main Functions Flagpro

Here are the main functions of Flagpro malware:-

  • Download and execute a tool.
  • Execute OS commands and send the results.
  • Collect and send Windows authentication information.


Apart from this, the current variant of Flagpro has been tagged as “Flagpro v2.0,” while the old variant was well-known as “Flagpro v1.0.”

In Flagpro v1.0, it automatically clicks the OK button to close the dialog that is titled as “Windows セキュリティ,” and when Flagpro accesses an external site this dialog box is displayed.

The language used clearly depicts that their targets are mainly:-

  • Japan
  • Taiwan
  • English-speaking countries

But, in the case of Flagpro v2.0, it only checks two elements before clicking the OK button, “username and password,” whether they are filled or not in a dialog as an additional feature.

Moreover, the cybersecurity analysts at NTTSecurity have speculated that the BlackTech APT group is associated with China, but, still, it’s not confirmed yet since this APT group is a lesser-known group, and it was first spotted in 2017 by TrendMicro researchers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles