Picus Labs has updated the Picus Threat Library with new attack methods for Flagpro malware of BlackTech.
BlackTech APT group
BlackTech (also known as Circuit Panda, Radio Panda, TEMP.Overboard, HUAPI, and Palmerworm) is an APT group that conducts information theft and espionage operations against organizations in East Asia. The group was first observed in 2010 and has been active since.
Flagpro malware was recently discovered by NTT Security and is attributed to BlackTech [1].
What is Flagpro Trojan?
Flagpro is malware that collects information from the victim and executes commands in the victim's environment. It targets Japan, Taiwan, and English-speaking countries. Once a victim is infected, Flagpro can:
- Download and execute a tool
- Execute OS commands and send results
- Collect and send Windows authentication information
MITRE ATT&CK Tactics and Techniques Used by Flagpro Malware
Initial Access
Flagpro is delivered using the MITRE ATT&CK T1566.001 Phishing: Spearphishing Attachment technique. The threat actors send the malware in a password-protected archive file attached to an email, with the archive password written in the body of the same email. Putting the password in the body is a common way to keep the attachment from being inspected by mail gateways that cannot open encrypted archives.
Execution
Execution relies on the MITRE ATT&CK T1204.002 User Execution: Malicious File technique and requires user interaction. The archive contains a .xlsm file with a malicious macro. When the victim opens the .xlsm file and enables the macro, the macro writes a malicious .exe file into the Startup directory. This executable is generally named either "Flagpro.exe" or "dwm.exe"; the latter mimics the legitimate Desktop Window Manager binary, which lives in System32, not in a Startup folder.
Persistence
Flagpro uses the MITRE ATT&CK T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder technique. The malware places its executable in the Startup directory, so Windows runs it automatically each time the user logs on.
Defense Evasion
To avoid detection, Flagpro uses the MITRE ATT&CK T1027 Obfuscated Files or Information technique: during its operations, the malware's communication is encoded with Base64.
Command and Control
Flagpro receives OS commands and additional payloads from the threat actor's command and control server. This traffic is Base64-encoded, which maps to the MITRE ATT&CK T1132.001 Data Encoding: Standard Encoding technique. Base64 is an encoding, not encryption: anyone who captures the HTTP traffic can decode the commands and their results.
Exfiltration
Flagpro Base64-encodes the gathered information and sends it in an HTTP request to the command and control server. This corresponds to the MITRE ATT&CK T1041 Exfiltration Over C2 Channel technique.
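Because both the C2 commands and the exfiltrated data are only Base64-encoded, a proxy log or packet capture is enough to recover them. The helper below is an added example, not code from Picus or from the NTT Security report: it finds standard-Base64 tokens in captured HTTP request lines, decodes them, and keeps only those that decode to mostly printable text, which is what command output and collected credentials look like. The sample log lines, the 203.0.113.10 server address and the decoded "command result" are constructed for the example.

```python
"""Triage helper: find and decode Base64 blobs in captured HTTP request lines.

Added example, not Picus or NTT Security code. The sample log lines below are
constructed to resemble a proxy log; they are not a real Flagpro capture.
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Standard Base64 alphabet (T1132.001 "Standard Encoding"), at least 24
# characters, optional '=' padding. Short tokens are skipped to reduce noise.
_B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{24,}={0,2})(?![A-Za-z0-9+/=])"
)


def decode_b64_candidates(line: str, min_printable: float = 0.9) -> List[Tuple[str, str]]:
    """Return (token, decoded_text) pairs for Base64 tokens in `line` that
    decode to mostly printable bytes. Binary-looking results (session ids,
    random tokens) are dropped."""
    hits = []
    for m in _B64_TOKEN.finditer(line):
        token = m.group(1)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or padding: not a Base64 payload
        if not raw:
            continue
        # Byte-level check so invalid UTF-8 cannot be mistaken for text.
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw)
        if printable >= min_printable:
            hits.append((token, raw.decode("utf-8", errors="replace")))
    return hits


def triage_http_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan proxy log lines and return one finding per decodable Base64 blob."""
    findings = []
    for line in lines:
        for token, text in decode_b64_candidates(line):
            findings.append({"line": line, "token": token, "decoded": text})
    return findings


# Constructed sample: what a proxy log might record when Base64-encoded
# command output is posted to a C2 server. Built with b64encode here so the
# example is self-contained.
_FAKE_RESULT = b"whoami /all\r\nDESKTOP-01\\user\r\n"
SAMPLE_LOG = [
    "10.0.0.5 POST http://203.0.113.10/index.php body="
    + base64.b64encode(_FAKE_RESULT).decode(),
    "10.0.0.5 GET http://203.0.113.10/favicon.ico",
    # Valid Base64 length, but decodes to binary: filtered out as noise.
    "10.0.0.7 POST http://example.test/upload sessionid=AbCdEfGhIjKlMnOpQrStUvWx",
]

if __name__ == "__main__":
    for finding in triage_http_log(SAMPLE_LOG):
        print(finding["line"])
        print("  decoded:", finding["decoded"].strip())
```

The printable-ratio filter is what keeps this usable on a real log: random session tokens and binary uploads also match the Base64 regex, but they do not decode to text. Lower `min_printable` if the operator's command output contains a lot of non-ASCII (for example Japanese or Chinese code pages), since those bytes are counted as non-printable here.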
Attack Simulation
You can test your security controls against Flagpro malware using the Picus Continuous Security Validation Platform. We advise simulating Flagpro attacks to determine whether your security controls can prevent them. The Picus Threat Library includes the following threats used in BlackTech's Flagpro campaign:
- Flagpro Dropper used by BlackTech Threat Group .XLSX File Download
- Flagpro Trojan used by BlackTech Threat Group .EXE File Download (4 variants)
The Picus Threat Library also includes other BlackTech malware threats:
- BlackTech APT Group's Plead Downloader Attack Scenario
- Gh0stTimes RAT used by BlackTech Threat Group .EXE File Download (7 variants)
- Plead Downloader used by BlackTech APT Group .EXE File Download (15 variants)
Indicators of Compromise (IOCs)
线路信息.xlsm
MD5: 8d3e29bd96352a306022393e94a7270b
SHA-1: 802e7e9bde53d254614268e4b78f03edb1db068d
SHA-256: ba27ae12e6f3c2c87fd2478072dfa2747d368a507c69cd90b653c9e707254a1d
Twunk_32.exe
MD5: fd695898fe6a205ccc86d920d8ec6a9b
SHA-1: f75a8b0e6af6a3447f1ea2f85089cfebaac7d936
SHA-256: 77680fb906476f0d84e15d5032f09108fdef8933bcad0b941c9f375fedd0b2c9
Twunk_32.exe
MD5: 8f7205aaf80ce4b5d0ee8f00369f301a
SHA-1: 401d3336eb33cf82eecb5df5c2ac6d5f7f78aa26
SHA-256: 655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5
Twunk_32.exe
MD5: 11746ae92be83ba28b05272fe03780d6
SHA-1: 7190a70241a58610a5f200daa253bc47b686a3d5
SHA-256: e197c583f57e6c560b576278233e3ab050e38aa9424a5d95b172de66f9cfe970
bfsvc.exe
MD5: 287d612e29b71c90aa54947313810a25
SHA-1: 8f35a9e70dbec8f1904991773f394cd4f9a07f5e
SHA-256: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b
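The Persistence section and the IOC list together give a concrete hunt: look in the Windows Startup folders for the executable names the dropper uses and for files whose SHA-256 matches the hashes above. The script below is an added example, not Picus code. The Startup folder locations are the standard Windows ones; the suspicious-name list is an assumption built from the names on this page (Flagpro.exe and dwm.exe from the Execution section, plus the IOC file names), and `scan_directory` accepts any path so it can also be pointed at a mounted disk image or, as in the test, a scratch directory.

```python
"""Hunt for Flagpro persistence artifacts in Windows Startup folders.

Added example, not Picus or NTT Security code. Checks file names and SHA-256
hashes against the IOCs listed in the article.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List

# SHA-256 IOCs from the article (NTT Security report [1]).
FLAGPRO_SHA256 = {
    "ba27ae12e6f3c2c87fd2478072dfa2747d368a507c69cd90b653c9e707254a1d",  # 线路信息.xlsm
    "77680fb906476f0d84e15d5032f09108fdef8933bcad0b941c9f375fedd0b2c9",  # Twunk_32.exe
    "655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5",  # Twunk_32.exe
    "e197c583f57e6c560b576278233e3ab050e38aa9424a5d95b172de66f9cfe970",  # Twunk_32.exe
    "54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b",  # bfsvc.exe
}

# Assumed list built from the names on this page. dwm.exe, twunk_32.exe and
# bfsvc.exe exist legitimately under C:\Windows; a copy in a Startup folder
# is what makes them suspicious.
SUSPICIOUS_NAMES = {"flagpro.exe", "dwm.exe", "twunk_32.exe", "bfsvc.exe"}


def windows_startup_dirs() -> List[Path]:
    """Per-user and all-users Startup folders (only populated on Windows)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    programdata = os.environ.get("ProgramData")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(directory, iocs: Iterable[str] = FLAGPRO_SHA256) -> List[Dict[str, str]]:
    """Return one finding per file whose name or SHA-256 matches, in path order."""
    ioc_set = {h.lower() for h in iocs}
    findings: List[Dict[str, str]] = []
    directory = Path(directory)
    if not directory.is_dir():
        return findings
    for path in sorted(directory.iterdir()):
        if not path.is_file():
            continue
        digest = sha256_of(path)
        reasons = []
        if path.name.lower() in SUSPICIOUS_NAMES:
            reasons.append("suspicious name in Startup folder")
        if digest in ioc_set:
            reasons.append("SHA-256 matches Flagpro IOC")
        if reasons:
            findings.append({"path": str(path), "sha256": digest, "reason": "; ".join(reasons)})
    return findings


def hunt() -> List[Dict[str, str]]:
    """Scan every Startup folder on this host."""
    results: List[Dict[str, str]] = []
    for d in windows_startup_dirs():
        results.extend(scan_directory(d))
    return results


if __name__ == "__main__":
    for f in hunt():
        print(f["path"], f["sha256"], f["reason"])
```

A hash match is the strong signal; a name match alone is a lead to triage, since a renamed or recompiled sample will not match any of the hashes above. Because the hashes cover only the samples NTT Security observed, treat an empty result as "these specific IOCs are absent", not as "Flagpro is absent".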
Reference
[1] H. Hada, "Flagpro: The new malware used by BlackTech," NTT Security. [Online]. Available: https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech