A Chinese-sponsored advanced persistent threat (APT) group known as BlackTech has been reported to be targeting Japan-based organisations with a new tool that researchers have named Flagpro.
The threat actors use Flagpro in the initial phase of an attack to explore the network, assess the target's environment, and download and launch the second-stage malware.
The infection starts with a phishing email crafted for the targeted company and posing as a message from a trusted business partner. The email carries a password-protected RAR or ZIP attachment (the password keeps the archive from being inspected by mail-gateway scanners) containing a macro-enabled Excel document (.xlsm). When the malicious macro runs, it drops an executable, which is Flagpro.
On its first run the malware connects to the command-and-control (C2) server over HTTP and sends system identification data gathered by running hardcoded operating-system commands. The C2 server replies with further instructions or a second-stage payload, which Flagpro then executes.
Communication between Flagpro and the C2 server is Base64-encoded, and the interval between connections is configurable, which makes the beaconing harder to spot as a regular pattern.
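The Base64-encoded, interval-based beaconing described above is something a defender can hunt for in web proxy logs. The following Python script is an added example, not code from the article or from the researchers who analysed Flagpro: it groups requests by client and destination, keeps only pairs whose request bodies repeatedly decode as printable Base64 text (the kind of host-recon output a first-stage implant sends home), and reports how regular the interval between requests is. The log format, IP addresses, hostnames, URL paths and request bodies are all constructed for the example and do not reflect Flagpro's actual C2 protocol.

```python
"""Hunting Base64-encoded HTTP beacons in proxy logs.

Added example, not code from the article or from the Flagpro researchers.
Log format, addresses, paths and bodies are constructed; the logic is generic.
"""
import base64
import binascii
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format: "<ISO timestamp> <client ip> <method> <url> <body or ->"
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def b64(text):
    return base64.b64encode(text.encode()).decode()


def _line(ts, src, method, url, body="-"):
    return f"{ts.isoformat()} {src} {method} {url} {body}"


def build_sample_log():
    """Constructed traffic: two implant-style beacons plus benign noise."""
    base = datetime(2021, 7, 1, 9, 0, 0)
    lines = []
    # Implant A: fixed 600 s interval, Base64-encoded host recon in the body.
    for i in range(5):
        recon = f"hostname=WS-01;user=jdoe;os=Windows 10;seq={i}"
        lines.append(_line(base + timedelta(seconds=600 * i), "10.0.0.5",
                           "POST", "http://203.0.113.10/index.php", b64(recon)))
    # Implant B: jittered interval, still Base64-encoded bodies.
    offset = 0
    for i, gap in enumerate([0, 300, 900, 420, 1200]):
        offset += gap
        recon = f"hostname=WS-07;user=asmith;domain=CORP;seq={i}"
        lines.append(_line(base + timedelta(seconds=offset), "10.0.0.7",
                           "POST", "http://198.51.100.20/api/upload", b64(recon)))
    # Benign: regular update polling with no body (regular timing, no payload)
    for i in range(5):
        lines.append(_line(base + timedelta(seconds=600 * i), "10.0.0.5",
                           "GET", "http://updates.example.com/check"))
    # ... and irregular human form posts whose bodies are not Base64.
    offset = 0
    for gap in [0, 45, 1800, 90, 3300]:
        offset += gap
        lines.append(_line(base + timedelta(seconds=offset), "10.0.0.9",
                           "POST", "http://intranet.example.com/search",
                           "user=jdoe&q=report"))
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, client, server host, method, body) per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, body = line.split(" ", 4)
        yield datetime.fromisoformat(ts), src, urlsplit(url).hostname, method, body


def decode_if_base64(body):
    """Return decoded text if body is well-formed Base64 over printable ASCII."""
    if body == "-" or len(body) % 4 or not B64_RE.match(body):
        return None
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def find_beacons(log_text, min_hits=4, max_cv=0.25):
    """Flag (client, server) pairs that repeatedly send Base64-encoded bodies.

    The coefficient of variation (cv) of the gaps between requests is reported
    so an analyst can tell a fixed interval (cv near 0) from a jittered one.
    """
    groups = defaultdict(list)
    for ts, src, host, _method, body in parse_log(log_text):
        groups[(src, host)].append((ts, body))
    findings = []
    for (src, host), events in sorted(groups.items()):
        if len(events) < min_hits:
            continue
        events.sort()
        payloads = [decode_if_base64(body) for _, body in events]
        if sum(p is not None for p in payloads) < min_hits:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        findings.append({
            "src": src, "host": host, "hits": len(events),
            "mean_gap_s": round(mean), "interval_cv": round(cv, 2),
            "fixed_interval": cv <= max_cv,
            "sample_payload": next(p for p in payloads if p is not None),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(build_sample_log()):
        print(finding)
```

A fixed interval shows up as a coefficient of variation near zero; the configurable or jittered interval the article mentions pushes it up, so the script reports timing regularity as context but keys its verdict on the repeated encoded payloads rather than on timing alone. Benign but regular traffic such as update polling is not flagged because it carries no Base64 body.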
According to the report, Flagpro has been used against Japan-based organisations for more than a year, and the most recent sample the researchers recovered dates from July of this year. Targeted sectors include media, telecommunications, and defence technology.
Flagpro itself is relatively new in the wild, but BlackTech has been active for years and may be sponsored by the Chinese government.
The group's usual targets are companies in Taiwan, but its recent activity shows that BlackTech has also attacked multiple organisations in Hong Kong and Japan.
As an advanced persistent threat group, BlackTech has the capability, knowledge, and sophistication to adapt its tooling once defenders catch up, so Flagpro will likely keep evolving even after researchers counter the current version. BlackTech has also recently used two other new malware families, Spider RAT and SelfMake Loader, which shows that the group is actively developing new tools.
Organisations that are current or potential targets should adopt stronger security measures to keep pace with the evolution and sophistication of APT groups.