The BlackTech APT group, which is allegedly a Chinese state-backed threat actor, was found targeting Japanese organizations using a new malware named Flagpro.

What do we know?

  • According to researchers at NTT Security, the attackers have used Flagpro to target multiple Japanese firms in the defense, communications, and media industries.
  • Researchers also observed dialog text written in English and Chinese, suggesting that, besides Japan and Taiwan, the group may be targeting English-speaking countries as well.

The Flagpro malware

BlackTech uses Flagpro in the initial stage of an attack for network reconnaissance, such as exploring the target environment, and for downloading and executing other malware.
  • The attack begins with a spear-phishing email that is customized for the targeted organization and purports to be a message from a business partner.
  • The email carries a password-protected ZIP or RAR attachment, with the password supplied in the email body. The archive contains a Microsoft Excel file with an embedded malicious macro.
  • When executed, the macro drops an executable named dwm.exe, which is the Flagpro malware, into the startup directory.
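As an added example (not code from the original article or from the NTT Security report), the following Python triages constructed Sysmon-style FileCreate records for the drop pattern described above: an Office process writing an executable that borrows the name of a Windows system binary (dwm.exe) into the Startup folder. The record format, the sample paths, and the assumption that "startup directory" means the per-user Start Menu Startup folder are all illustrative.

```python
import re

# Constructed Sysmon-style FileCreate (Event ID 11) records, assumed format.
# Not telemetry from the NTT Security report; the first record mirrors the
# chain described above (Excel macro writing dwm.exe to the Startup folder).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.xlsx"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\dwm.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Names of legitimate Windows binaries that normally live only in System32.
SYSTEM_BINARY_NAMES = {"dwm.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
EXEC_EXT = (".exe", ".dll", ".scr", ".lnk", ".bat", ".vbs", ".js")

def triage_event(ev):
    """Return the reasons a FileCreate event looks suspicious (empty list if none)."""
    if ev.get("EventID") != 11:
        return []
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    target = ev["TargetFilename"]
    name = target.rsplit("\\", 1)[-1].lower()
    in_startup = bool(STARTUP_RE.search(target))
    reasons = []
    if in_startup and name.endswith(EXEC_EXT):
        reasons.append("executable or script written to per-user Startup folder")
    if in_startup and image in OFFICE_IMAGES:
        reasons.append(f"Office process {image} wrote to Startup folder")
    if name in SYSTEM_BINARY_NAMES and not target.lower().startswith("c:\\windows\\system32\\"):
        reasons.append(f"system binary name {name} used outside System32")
    return reasons

def triage(events):
    """Return (target path, reasons) for every event with at least one hit."""
    return [(ev["TargetFilename"], r) for ev in events if (r := triage_event(ev))]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

Each rule alone produces noise (installers legitimately write to Startup; Office legitimately writes .xlsx files), so the combination of Office parent, Startup location and a masqueraded system-binary name is what makes the first record stand out.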

Additional insights

The first Flagpro sample was submitted to an online service in October 2020.
  • Researchers also observed a newer variant of the malware (Flagpro v2.0) in July 2021, which is built with the Microsoft Foundation Class (MFC) library.
  • Researchers have also observed BlackTech using two other new malware families, Spider RAT and SelfMake Loader, about which the report provides few details.

Ending notes

BlackTech APT continues to develop new malware, including Flagpro, and to enhance its stealing capabilities. Organizations are therefore advised to strengthen their defenses further and to keep recording and sharing the relevant IOCs for such sophisticated threats.

Cyware Publisher