Flagpro malware is threatening enterprises and is backed by Chinese hackers

Japanese companies are being targeted by a novel malware called Flagpro, developed by the BlackTech cyber-espionage APT group.

The actors use Flagpro for network reconnaissance: it first profiles the network environment, and the next stage of the intrusion then proceeds by downloading additional payloads.

Flagpro malware breaches enterprise networks

Like much other malware, Flagpro starts with a phishing email specifically crafted for the target environment and disguised as coming from a legitimate sender. The phishing email carries a password-protected ZIP file with an Excel file inside it. The Excel file contains macro code which, when executed, drops an executable file.

Once Flagpro is inside the network, it first connects to the C2 server and transmits system details collected with hard-coded OS commands. The C2 server then sends back further commands or a payload to extend Flagpro's capabilities. Communication between Flagpro and the C2 server is encoded with Base64, and delay mechanisms are built in deliberately to avoid detection.
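The Base64-encoded exfiltration of command output described above is one pattern a defender can look for in outbound web traffic. The following is an added example, not code from the article or from NTT: it scans constructed proxy log lines (hypothetical format, not real Flagpro traffic) for POST bodies that decode to text resembling Windows reconnaissance command output. The marker strings are assumed, since the article does not list the exact commands Flagpro runs.

```python
import base64
import binascii
import re

# Assumed markers of Windows recon output (systeminfo / ipconfig / set);
# the article does not name Flagpro's hard-coded commands.
RECON_MARKERS = ("Host Name:", "OS Name:", "Windows IP Configuration", "USERDOMAIN=")

# Hypothetical proxy log format: "<timestamp> <src> POST <url> body=<data>"
LINE_RE = re.compile(r"^(\S+) (\S+) POST (\S+) body=(\S+)$")


def decode_b64(data: str):
    """Return the decoded UTF-8 text, or None if data is not valid Base64 text."""
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan_log(text: str):
    """Return one record per POST whose Base64 body contains recon-output markers."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, url, body = m.groups()
        decoded = decode_b64(body)
        if decoded is None:
            continue
        markers = [k for k in RECON_MARKERS if k in decoded]
        if markers:
            hits.append({"ts": ts, "src": src, "url": url, "markers": markers})
    return hits


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample log: one encoded recon upload, one benign JSON POST, one non-Base64 body.
SAMPLE_LOG = "\n".join([
    "2021-12-01T10:00:00Z 10.0.0.5 POST http://198.51.100.10/up body="
    + _b64("Host Name: WS-01\r\nOS Name: Microsoft Windows 10 Pro\r\n"),
    "2021-12-01T10:00:02Z 10.0.0.6 POST http://example.com/api body=" + _b64('{"event":"click"}'),
    "2021-12-01T10:00:05Z 10.0.0.7 POST http://example.com/api body=not-base64!!",
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```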

As per a report from NTT Security, the Flagpro malware has been targeting Japanese firms for over a year now. The firms are from multiple verticals, including defense, telecommunications, and media.

Flagpro malware has a newer version now

NTT researchers have also identified a newer version of Flagpro that is able to erase traces of its external communication with the C2 server, reducing suspicion. The newer version targets Japan, Taiwan and English-speaking countries.

Entity behind Flagpro malware

TrendMicro researchers identified the BlackTech APT group in 2017 and associated it with China. In February 2021, Unit 42 reported links between BlackTech and the WaterBear entity, which was again suspected to be a Chinese organization. BlackTech is capable of adjusting its tools to modify the attack vector and enhance Flagpro's capabilities for stealthier operation.

The NTT report has also mentioned that BlackTech is developing several malware families like Flagpro, and researchers recently detected 'SelfMake Loader' and 'Spider RAT'. Security professionals need to watch for these patterns to detect Flagpro and follow security best practices to keep their network environment safe.

John Greenwood

He has been working with Cybersec and Infosec market for 12+ years now. Passionate about AI, Cybersecurity, Info security, Blockchain and Machine Learning. When he is not occupied with cybersecurity, he likes to go on bike rides!
