Keep up to date with latest blog posts
Picus Labs has updated the Picus Threat Library with new attack methods for Flagpro malware of BlackTech.
BlackTech APT group
BlackTech (also known as Circuit Panda, Radio Panda, TEMP.Overboard, HUAPI, Palmerworm) is an APT group that has been conducting information theft and espionage operations targeting organizations in East Asia. The APT group was first observed in 2010 and they have been active since.
Flagpro malware was recently discovered by NTTSecurity and the malware is attributed to BlackTech .
What is Flagpro Trojan?
Flagpro is malware that collects information from the victim and executes commands in the victim’s environment. It targets Japan, Taiwan ,and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:
- Download and execute a tool
- Execute OS commands and send results
- Collect and send Windows authentication information
MITRE ATT&CK Tactics and Techniques Used by Flagpro Malware
Flagpro is delivered using MITRE ATT&CK T1566.001 Phishing: SpearPhishing Attachment technique. The threat actors send the malware in a password-protected archive file via email. The password of the archive file is in the body of the email.
Execution of the malware uses MITRE ATT&CK T1204.002 User Execution: Malicious file technique and requires user interaction. The attachment in the threat actor’s email contains a .xlsm file which includes a malicious macro. When the victim opens the .xlsm file and activates the malicious macro, the malicious .exe file is created in the startup directory. This .exe file is generally named either “Flagpro.exe” or “dwm.exe”.
Flagpro uses MITRE ATT&CK T1037.005 Boot or Logon Initialization Scripts: Startup Items technique. The malware places its executable in the startup directory. This enables the executable to run automatically when the victim system is rebooted.
To avoid detection, Flagpro uses MITRE ATT&CK 1406 Obfuscated Files or Information technique. During its operations, the communication of the malware is encoded with Base64.
Command and Control
Flagpro receives OS commands and malicious payloads from the threat actor’s command and control server using MITRE ATT&CK T1132.001 Data Encoding: Standard Encoding technique.
Flagpro encodes the gathered information with Base64 and sends it as a HTTP request to the command and control server. This technique is called MITRE ATT&CK T1041 Exfiltration over C2 Channel.
You can test your security controls against the Flagpro malware using the Picus Continuous Security Validation Platform. We advise you to simulate Flagpro attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats used in the Flagpro attack campaign of the BlackTech.
- Flagpro Dropper used by BlackTech Threat Group .XLSX File Download
- Flagpro Trojan used by BlackTech Threat Group .EXE File Download (4 variants)
Picus Threat Library also includes other malware threats of BlackTech:
- BlackTech APT Group's Plead Downloader Attack Scenario
- Gh0stTimes RAT used by BlackTech Threat Group .EXE File Download (7 variants)
- Plead Downloader used by BlackTech APT Group .EXE File Download (15 variants)
Indicators of Compromise (IOCs)
 H. Hada, “Flagpro: The new malware used by BlackTech.” [Online]. Available: https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech.