Security experts uncovered a new malware campaign from BlackTech, a Chinese cyberespionage APT group. According to a report from NTT Security, the group targeted Japan-based companies via a novel malware variant dubbed Flagpro.
“We have observed attack cases using Flagpro against multiple companies (Defense, Media, Communications) several times. In October 2020, a sample related to Flagpro was submitted to an online service. Therefore, Flagpro may have already been used for attacking cases at that point,” the report said.
Flagpro Malware Attack Chain
Researchers stated that attackers leveraged Flagpro malware in the initial stage of infection to compromise the targeted network, download a second-stage malware, and then execute it. The Flagpro infection starts with a spearphishing email carrying a password-protected archive (ZIP or RAR) as an attachment.
The archived file includes an .xlsm format file (Excel macro) containing a malicious macro. Once the user activates the macro, the malware automatically downloads and creates an EXE file (containing Flagpro) in the startup directory. Once installed, Flagpro malware communicates with the hacker-operated C&C server and executes the received commands.
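The infection chain above ends with an Office macro writing an executable into the user's Startup directory, which is a pattern a defender can check for in endpoint telemetry regardless of the specific sample. The following Python is an added example, not code from the NTT Security report or from the Flagpro campaign: it parses constructed Sysmon-style FileCreate (Event ID 11) log lines and flags executables written under a Start Menu Startup folder by an Office process. The log format, file paths and process names are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style "Key=Value" log lines for the example (not real telemetry).
# Event ID 11 is Sysmon's FileCreate event; the fields mirror its Image/TargetFilename layout.
SAMPLE_LOGS = [
    "EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE "
    "TargetFilename=C:\\Users\\alice\\Documents\\budget.xlsx",
    "EventID=11 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetFilename=C:\\Windows\\Temp\\tmp1234.tmp",
    "EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE "
    "TargetFilename=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\helper.exe",
    "EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
]

# Office hosts that commonly run macros (assumed list for the example).
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Matches both the per-user and the all-users Startup folder, case-insensitively.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'Key=Value Key=Value' line into a dict.

    Values may contain spaces (e.g. 'Program Files'), so each value runs
    lazily until the next ' Key=' boundary or the end of the line.
    """
    fields: Dict[str, str] = {}
    for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line):
        fields[m.group(1)] = m.group(2)
    return fields


def is_office_startup_drop(fields: Dict[str, str]) -> bool:
    """True when an Office process created an executable in a Startup folder."""
    if fields.get("EventID") != "11":
        return False
    image_name = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
    target = fields.get("TargetFilename", "")
    return (
        image_name in OFFICE_IMAGES
        and STARTUP_DIR_RE.search(target) is not None
        and target.lower().endswith(EXECUTABLE_EXTS)
    )


def find_office_startup_drops(lines: List[str]) -> List[str]:
    """Return the TargetFilename of every line that matches the detection."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if is_office_startup_drop(fields):
            hits.append(fields["TargetFilename"])
    return hits


if __name__ == "__main__":
    for path in find_office_startup_drops(SAMPLE_LOGS):
        print("ALERT: Office process wrote executable to Startup folder:", path)
```

Running the block flags the two constructed lines where EXCEL.EXE and WINWORD.EXE write an .exe under a Startup folder, and ignores the ordinary document write, the svchost temp file and the non-FileCreate event. In a real deployment the same logic maps to a Sysmon or EDR rule on file-creation events; the user-specific and all-users Startup paths are both covered because the regex matches only the trailing `Start Menu\Programs\Startup\` segment.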
Flagpro’s main activities include:
- Download and execute a tool
- Execute OS commands and send the results
- Collect and send Windows authentication information
Indicators of Compromise (IoC)
“We have observed attack cases using Flagpro against Japan since October 2020. The attack techniques have not changed a lot, but BlackTech uses more evading techniques. For example, they adjust decoy files and file names to their target and check the target’s environment carefully. Recently, they have started using other new malware called SelfMake Loader and Spider RAT. It means that they are actively developing new malware. Therefore, you need to pay attention to the attacks from BlackTech,” the report added.