Picus Labs has updated the Picus Threat Library with new attack methods for Flagpro malware of BlackTech.
BlackTech, also tracked as Circuit Panda, Radio Panda, TEMP.Overboard, HUAPI, and Palmerworm, is an APT group focused on espionage and data theft against organizations in East Asia. First observed in 2010, the group remains active.
Flagpro was recently discovered by NTT Security and is attributed to BlackTech [1].
Flagpro is malware that collects information from the victim and executes commands in the victim's environment. It targets Japan, Taiwan, and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:
Flagpro is delivered using the MITRE ATT&CK T1566.001 Phishing: Spearphishing Attachment technique. The threat actors send the malware in a password-protected archive file via email; the password for the archive is given in the body of the email.
Execution of the malware uses the MITRE ATT&CK T1204.002 User Execution: Malicious File technique and requires user interaction. The attachment in the threat actor's email contains a .xlsm file that includes a malicious macro. When the victim opens the .xlsm file and enables the macro, the malicious .exe file is created in the startup directory. This .exe file is generally named either "Flagpro.exe" or "dwm.exe".
Flagpro uses MITRE ATT&CK T1037.005 Boot or Logon Initialization Scripts: Startup Items technique. The malware places its executable in the startup directory. This enables the executable to run automatically when the victim system is rebooted.
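As an added illustration of the two behaviours described above (this is not code from the original post or from Picus), the following Python check flags an Office process writing an .exe into a user's Startup folder and a process named Flagpro.exe or dwm.exe running from anywhere other than System32. The log lines are constructed, simplified Sysmon-style records; the `Type|Key=Value|...` layout is an assumption for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (simplified Sysmon-style FileCreate / ProcessCreate records).
SAMPLE_EVENTS = [
    "FileCreate|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dwm.exe",
    "FileCreate|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|TargetFilename=C:\\Users\\alice\\Documents\\report.xlsx",
    "ProcessCreate|Image=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\dwm.exe"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "ProcessCreate|Image=C:\\Windows\\System32\\dwm.exe|ParentImage=C:\\Windows\\System32\\winlogon.exe",
]

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Per-user Startup folder as described in the post (the macro drops the .exe here).
STARTUP_DIR_PATTERN = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# File names reported for the dropped executable; dwm.exe is a real Windows binary,
# so only its System32 copy is treated as legitimate.
SUSPICIOUS_NAMES = {"flagpro.exe", "dwm.exe"}
LEGIT_DWM = "c:\\windows\\system32\\dwm.exe"


def parse_event(line):
    """Split 'Type|Key=Value|Key=Value' into a dict (assumed layout, for the example)."""
    kind, *fields = line.split("|")
    data = dict(f.split("=", 1) for f in fields)
    data["EventType"] = kind
    return data


def basename(path):
    return PureWindowsPath(path).name.lower()


def check_event(event):
    """Return a list of alert strings for one event (empty when nothing matches)."""
    alerts = []
    if event["EventType"] == "FileCreate":
        target = event["TargetFilename"]
        if (basename(event["Image"]) in OFFICE_PROCESSES
                and STARTUP_DIR_PATTERN.search(target)
                and target.lower().endswith(".exe")):
            alerts.append(f"office-drops-exe-to-startup:{basename(target)}")
    elif event["EventType"] == "ProcessCreate":
        image = event["Image"]
        if basename(image) in SUSPICIOUS_NAMES and image.lower() != LEGIT_DWM:
            alerts.append(f"known-name-from-unexpected-path:{image}")
    return alerts


def scan(lines):
    """Run check_event over every log line and collect the alerts."""
    return [alert for line in lines for alert in check_event(parse_event(line))]
```

The legitimate System32 dwm.exe in the last sample produces no alert, so the name-based rule does not fire on every desktop session.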
To avoid detection, Flagpro uses the MITRE ATT&CK 1406 Obfuscated Files or Information technique: during its operations, the malware's communication is encoded with Base64.
Flagpro receives OS commands and malicious payloads from the threat actor’s command and control server using MITRE ATT&CK T1132.001 Data Encoding: Standard Encoding technique.
Flagpro encodes the gathered information with Base64 and sends it as an HTTP request to the command and control server. This is the MITRE ATT&CK T1041 Exfiltration Over C2 Channel technique.
You can test your security controls against the Flagpro malware using the Picus Continuous Security Validation Platform. We advise you to simulate Flagpro attacks and determine whether your security controls can prevent them. Picus Threat Library includes the following threats used in the Flagpro attack campaign of BlackTech.
Picus Threat Library also includes other malware threats of BlackTech:
[1] H. Hada, "Flagpro: The new malware used by BlackTech." [Online]. Available: https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech