Japanese Organizations Are Now the Targets of BlackTech APT Group
The Threat Actors Use the Flagpro Malware to Hack Japanese Firms.
Researchers have noticed that the APT group dubbed BlackTech started to target Japanese organizations in a malicious campaign that employs the Flagpro malware.
How the Attack Unfolds
NTT researchers published a report on this campaign. According to them, the initial stage of the attack relies on the Flagpro malware, which is used for network reconnaissance: exploring the target environment and downloading and executing further malware.
The attackers begin with a spear-phishing email whose message is tailored to the target and impersonates communication from a business partner of the targeted company.
The email carries a RAR or password-protected ZIP attachment, with the password included in the email body. The archive contains a Microsoft Excel file with an embedded malicious macro.
Once the macro runs, it writes an executable file (dwm.exe) to the startup directory. This executable is the Flagpro malware itself.
The attackers attach a password protected archived file (ZIP or RAR) to the email, and they write its password in the message. The archived file includes an xlsm format file and it contains a malicious macro. If a user activates the macro, malware will be dropped. They also adjust the contents of the xlsm file to the target. Therefore, it is not easy to feel at odds with the file sent by the attacker. (…) After the macro is executed, it creates an EXE file in the startup directory. This EXE file is “Flagpro”. (…) Flagpro communicates with a C&C server, and it receives commands to execute from the server, or Flagpro downloads a second stage malware and then executes it.
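The behaviour described above, a macro in an Office document writing an executable named after a Windows system binary into a user's Startup folder, leaves a distinct file-creation trace. The following is an added detection example written for this article, not code from the NTT report or from Heimdal; it runs a few simple rules over constructed file-creation records modelled loosely on Sysmon Event ID 11 (the "Image" and "TargetFilename" field names are Sysmon's; the sample paths and the rule names are this example's own assumptions).

```python
import json
import ntpath
import re

# Constructed JSON-lines records loosely modelled on Sysmon Event ID 11
# (FileCreate): "Image" is the process that wrote the file, "TargetFilename"
# the file written. These records are made up for this example.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.exe"}),
    json.dumps({"Image": r"C:\Windows\explorer.exe",
                "TargetFilename": r"C:\Users\alice\Downloads\invoice.xlsm"}),
    json.dumps({"Image": r"C:\Windows\System32\svchost.exe",
                "TargetFilename": r"C:\Windows\System32\dwm.exe"}),
    json.dumps({"Image": r"C:\Users\bob\setup.exe",
                "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\updater.exe"}),
]

# Matches both the per-user and the all-users Startup folders.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta"}
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# The legitimate location of the Windows Desktop Window Manager binary.
SYSTEM32 = r"c:\windows\system32"


def analyze_event(line: str) -> list:
    """Return the names of the rules that fire for one FileCreate record."""
    ev = json.loads(line)
    image = ev.get("Image", "")
    target = ev.get("TargetFilename", "")
    writer = ntpath.basename(image).lower()
    name = ntpath.basename(target).lower()
    ext = ntpath.splitext(name)[1]
    directory = ntpath.dirname(target).lower()

    hits = []
    in_startup = bool(STARTUP_DIR.search(target))
    # Rule 1: any executable content landing in a Startup folder is worth a look.
    if in_startup and ext in EXEC_EXTENSIONS:
        hits.append("executable_written_to_startup")
    # Rule 2: an Office process writing to Startup is the macro-dropper pattern.
    if in_startup and writer in OFFICE_PROCESSES:
        hits.append("office_process_wrote_to_startup")
    # Rule 3: dwm.exe anywhere other than System32 is name masquerading.
    if name == "dwm.exe" and directory != SYSTEM32:
        hits.append("dwm_exe_outside_system32")
    return hits


def analyze(lines) -> dict:
    """Map each written file that triggers at least one rule to its rule hits."""
    findings = {}
    for line in lines:
        hits = analyze_event(line)
        if hits:
            findings[json.loads(line)["TargetFilename"]] = hits
    return findings


if __name__ == "__main__":
    for path, rules in analyze(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(rules)}")
```

The third rule is the one most specific to this campaign: dwm.exe is a real Windows component, so its name alone is not suspicious, but its path is. The first two rules are more general and will also surface other macro droppers that persist via the Startup folder.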
The Functions of Flagpro Malware
As the researchers emphasize, Flagpro malware has three main functions: downloading and executing a tool, executing OS commands and sending back the results, and collecting and sending Windows authentication data.
What Countries and Companies Are Targeted?
According to the same report, NTT researchers note that Japanese firms in the communications, media, and defense industries were targeted in the attacks using Flagpro malware. The experts also observed that the malware handles dialogs in both English and Chinese, concluding that English-speaking countries could be on the target list too.
Flagpro Malware Timeline
The experts also shared a Flagpro timeline in their paper, showing that the malware has resurfaced on several occasions. The first Flagpro sample was submitted to an online service in October 2020.
Another variant, dubbed Flagpro v2.0, was observed in July 2021; it is built with the Microsoft Foundation Class (MFC) library.
Flagpro v2.0 has another new function. If a dialog title is “Internet Explorer [7-11]” (the number after “Internet Explorer” depends on what version the user uses) when Flagpro accesses an external site, Flagpro sends a WM_CLOSE message to close the dialog. (…) We assume that these functions, which close a dialog automatically, are implemented to reduce a risk that a user detects an external connection by Flagpro.
How Can Heimdal™ Help?
Malware is the most encountered cybersecurity threat nowadays. To keep its assets well protected, a company should have the proper tools put in place. Take for instance our Heimdal™ Threat Prevention, a DNS traffic filtering tool and a product that works on emergent and hidden threats identification. The Heimdal™’s security suite encompasses many more efficient products focused on different areas like ransomware encryption protection, patch management, or email security. Check out our home page to find more!