NTT Security’s analysis reported that ,” The attackers examine the target’s environment to see if it is suitable for running the second stage malware. If they decide to attack the target, they will download and execute another malware sample.” “Flagpro communicates with a command and control server and receives commands to execute from the server, or Flagpro downloads and executes second stage malware.”
The attackers send an email with a password-protected archived file (ZIP or RAR) attached, and they include the password in the message. The archived file contains an xlsm format file with a malicious macro. When a user activates the macro, malware is dropped. They also adapt the xlsm file’s contents to the target. As a result, it is difficult to disagree with the file sent by the attacker.
When the macro is run, it creates an EXE file in the startup directory. The name of this EXE file is “Flagpro.” In most cases, the EXE files created are named “dwm.exe.” Flagpro, which was placed in the startup directory as “dwm.exe,” will be executed the next time the system boots.
In October 2020, a sample related to Flagpro was submitted to an online service. Therefore, Flagpro may have already been used for attacking cases at that point.
In July 2021, our SOC discovered a new Flagpro that was built with the MFC (Microsoft Foundation Class) library. For old Flagpro, the MFC library was not used. This Flagpro included classes like “CV20 LoaderApp” and “CV20 LoaderDlg.” We assume that Flagpro’s role is that of a downloader, and that the sample version was 2.0 based on the class names.
Following list indicates Flagpro’s main functions:
- Download and execute a tool
- Execute OS commands and send the results
- Collect and send Windows authentication information.
“In the v1.0 implementation, if a dialogue titled “Windows” appears when Flagpro accesses an external site, Flagpro automatically clicks the OK button to close the dialogue. This method also works when the dialogue is written in both Chinese and English. It may indicate that the targets are Japan, Taiwan, and English-speaking countries. As an added feature, Flagpro v2.0 checks whether both the username and password are entered in a dialogue before clicking the OK button.”
Finally concluded that ,” Since October 2020, we have observed Flagpro-based attacks against Japan. The attack techniques haven’t changed much, but BlackTech now employs more evasion techniques. For example, they adapt decoy files and file names to their target’s environment and carefully examine the target’s environment. They have recently begun to use new malwares known as “SelfMake Loader” and “Spider RAT.” This indicates that they are actively creating new malware. As a result, you must be aware of BlackTech’s attacks”.
Indicator of Compromise