Tuesday, October 8, 2024
HomeMalwareBlackTech Hacker Group Uses New Flagpro Malware to Execute OS Commands

BlackTech Hacker Group Uses New Flagpro Malware to Execute OS Commands

Published on

Several Japanese companies have been spotted using the Flagpro malware, and here to take the advantage of it, the BlackTech cyber-espionage APT group targets those companies to execute OS commands by exploiting the Flagpro malware.

The cybersecurity analysts at NTTSecurity has claimed that in the first stage, the threat actors evaluate the following things by exploiting the malware for surveillance purposes:-

  • Evaluate the target’s environment.
  • Download second-stage malware.
  • Then, at last, execute it.

Flagpro Ignition Analysis

While if we talk about the ignition analysis of Flagpro, then let me simplify to explain it step-by-step:-

- Advertisement - EHA
  • Flagpro starts with a spear-phishing e-mail.
  • Then, it is accommodated to its target organization.
  • To deceive its target, the threat actors disguise the malware as an email sent from the target’s business partner for communication mean.
  • It implies, that before launching any attack the attacker put its root deeper into target’s network.
  • A password-protected archived file (ZIP or RAR) was attached with the email that contains a malicious macro (Used as a dropper).
  • In the message, they also provide the password.
  • Then the contents of the xlsm file were manipulated for the target.
  • At this stage, in the startup directory, the malicious macro assembles an EXE file (Flagpro) and it named the file “dwm.exe.”
  • Now during the next launch, the dwm.exe will be executed, and then it establishes communication with a C&C server.
  • Then Flagpro malware downloads a second stage malware after getting a command from the C&C server via HTTP and then executes it.

This is the whole attack chain through which the threat actor exploits the Flagpro malware to execute OS commands on the compromised network systems.

Main Functions Flagpro

Here are the main functions of Flagpro malware:-

  • Download and execute a tool.
  • Execute OS commands and send the results.
  • Collect and send Windows authentication information.

Targets

Apart from this, the current variant of Flagpro has been tagged as “Flagpro v2.0,” while the old variant was well-known as “Flagpro v1.0.”

In Flagpro v1.0, it automatically clicks the OK button to close the dialog that is titled as “Windows セキュリティ,” and when Flagpro accesses an external site this dialog box is displayed.

The language used clearly depicts that their targets are mainly:-

  • Japan
  • Taiwan
  • English-speaking countries

But, in the case of Flagpro v2.0, it only checks two elements before clicking the OK button, “username and password,” whether they are filled or not in a dialog as an additional feature.

Moreover, the cybersecurity analysts at NTTSecurity have speculated that the BlackTech APT group is associated with China, but, still, it’s not confirmed yet since this APT group is a lesser-known group, and it was first spotted in 2017 by TrendMicro researchers.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....

American Water Works Cyber Attack Impacts IT Systems

American Water Works Company, Inc., a leading provider of water and wastewater services, announced...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...