Flagpro Malware Discovered on Japanese Company Networks
In the last days of 2021, security researchers identified a new malware family being used in attacks against Japanese companies. The likely culprit behind these attacks is the Advanced Persistent Threat (APT) group tracked under the alias BlackTech. The group specializes in espionage, and its latest implant goes by the name Flagpro.
The Flagpro Malware is delivered to victims through phishing emails that appear to be customized for each target. The attackers make the messages look as if they come from trusted partners, which improves the odds that recipients will interact with them. The bogus email carries a password-protected archive that supposedly contains important content. Victims who open it instead find an XLSM document, which delivers the Flagpro Malware through macro scripts.
If the macro executes successfully, the Flagpro Malware payload is dropped into the Windows startup directory, thereby gaining persistence across reboots. The threat then connects to a remote server over HTTP and sends basic information about the victim's machine. The attackers can then use the Flagpro Malware to execute commands remotely or to deliver additional payloads.
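The persistence step described above, a macro-bearing Office document dropping an executable into the Windows Startup folder, leaves a file-creation event that endpoint telemetry can catch. The following is an added detection example written for this article, not code from the original report or from any BlackTech tooling. It assumes a simplified Sysmon-style FileCreate (Event ID 11) line format, the standard per-user and all-users Startup folder paths, and that the dropping process is the Office application that ran the macro; the sample log lines are constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed Sysmon-style log lines (format assumed for this example).
# Lines 1 and 4 model an Office process dropping an executable into a
# Startup folder; line 3 is a benign shortcut created by Explorer; line 5
# is a process-creation event that the file-create parser ignores.
SAMPLE_EVENTS = [
    "2021-12-28T09:14:02Z EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "2021-12-28T09:14:05Z EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE TargetFilename=C:\\Users\\alice\\Documents\\report.xlsx",
    "2021-12-28T09:20:11Z EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.lnk",
    "2021-12-28T09:25:40Z EventID=11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE TargetFilename=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.exe",
    "2021-12-28T09:30:00Z EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
    "2021-12-28T09:41:07Z EventID=11 Image=C:\\Windows\\System32\\msiexec.exe TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\helper.vbs",
]

# Office hosts that execute macros (set chosen for this example).
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# File types that would run on logon if placed in a Startup folder.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".hta"}
# Common suffix of both the per-user and all-users Startup folders.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

FILE_CREATE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Image=(?P<image>.+?) TargetFilename=(?P<target>.+)$"
)


@dataclass
class Alert:
    timestamp: str
    image: str
    target: str
    severity: str


def classify(image: str, target: str) -> Optional[str]:
    """Return a severity for a file write, or None if it is not suspicious.

    Any write into a Startup folder by an Office process is high severity,
    since a document viewer has no business installing logon persistence.
    Writes of runnable file types by other processes are medium severity;
    shortcuts (.lnk) and documents placed there are ignored as routine.
    """
    if STARTUP_MARKER not in target.lower():
        return None
    process = ntpath.basename(image).lower()
    extension = ntpath.splitext(target)[1].lower()
    if process in OFFICE_PROCESSES:
        return "high"
    if extension in EXECUTABLE_EXTENSIONS:
        return "medium"
    return None


def detect_startup_persistence(lines) -> List[Alert]:
    """Parse FileCreate events and return alerts for Startup-folder drops."""
    alerts: List[Alert] = []
    for line in lines:
        match = FILE_CREATE_RE.match(line)
        if not match or match.group("id") != "11":
            continue
        severity = classify(match.group("image"), match.group("target"))
        if severity:
            alerts.append(Alert(match.group("ts"), match.group("image"),
                                match.group("target"), severity))
    return alerts


if __name__ == "__main__":
    for alert in detect_startup_persistence(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.timestamp} "
              f"{ntpath.basename(alert.image)} -> {alert.target}")
```

On the constructed input this yields two high-severity alerts (EXCEL.EXE and WINWORD.EXE each dropping an .exe) and one medium alert (msiexec.exe writing a .vbs), while the Explorer-created shortcut and the ordinary spreadsheet save produce nothing. In a real deployment the same logic maps directly onto a SIEM rule keyed on Sysmon Event ID 11 with the Image and TargetFilename fields.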
The first variants of the Flagpro Malware date back to June 2020, and the attackers appear to have released several updates since then. One of the latest variants is able to automatically close Windows dialogs that the implant's activity could spawn and thereby reveal its presence. Allegedly, it recognizes the specific dialog names in Japanese, Taiwanese, Chinese, and English, which likely means the Flagpro Malware is about to be used against other countries as well. The best way to protect networks and systems against BlackTech attacks is to invest in enhanced security measures and to ensure that all employees are familiar with the primary malware propagation mechanisms cybercriminals use. A previous BlackTech implant family is the Gh0stTimes Malware.