Flagpro

Malware updated 4 months ago (2024-05-04T18:29:27.458Z)
Flagpro is malware used by threat actors to compromise and damage computer systems. It was first observed in attacks against Japan in October 2020; new versions built with the Microsoft Foundation Class (MFC) library were identified by Security Operations Centers (SOCs) in July 2021. Typical attack chains begin with spear-phishing emails carrying backdoor-laden attachments. Once on a system, Flagpro deploys further malware designed to harvest sensitive data, including a downloader known as BTSDoor. Flagpro is placed in the startup directory as “dwm.exe” and is executed at the next system start. It communicates with a Command & Control (C&C) server, receiving commands or downloading and executing second-stage malware.

The threat actor behind Flagpro relies on custom, regularly updated malware and remote access trojans (RATs), such as BendyBear, FakeDead and Flagpro itself. The group also uses dual-use tools and living-off-the-land tactics, such as disabling logging on routers, to conceal its operations, and BlackTech, the group associated with these attacks, repurposes Windows utilities for its own ends. When Flagpro accesses an external site and a dialog titled “Internet Explorer [7-11]” appears, it sends a WM_CLOSE message to close the dialog, a further example of how it manipulates the host environment.

For network detection, Flagpro’s characteristic URL paths, index.htmld?flag=[Base64 string] and index.htmld?flagpro=[Base64 string], are useful indicators. Flagpro communicates with its C&C server over HTTP and can download and execute files according to the commands it receives. As of July 2021, SOCs have observed unusual responses such as “Hello Boy!” from the C&C server when arbitrary paths are requested. The exact purpose of this response remains unknown, illustrating the ongoing development and evolution of this malware.
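As an added example (not code from the source documents listed on this page), the following Python scans constructed proxy-style log lines for the two documented Flagpro request shapes and only flags a line when the flag/flagpro value is well-formed Base64. The log layout, the .invalid hostnames and the Base64 values are assumptions made for the example, and the strict Base64 check is a choice to reduce false positives on unrelated index.htmld requests.

```python
import base64
import binascii
import re

# Documented Flagpro request shapes: index.htmld?flag=<Base64> and index.htmld?flagpro=<Base64>
FLAGPRO_PARAMS = ("flag", "flagpro")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed sample lines (timestamp, client, method, URL, status); hosts and values are made up.
SAMPLE_LOG = [
    "1625097600.123 192.0.2.10 GET http://c2.example.invalid/index.htmld?flag=YmVhY29uMDE= 200",
    "1625097601.456 192.0.2.10 GET http://www.example.invalid/index.html?q=flag 200",
    "1625097602.789 192.0.2.11 POST http://c2.example.invalid/index.htmld?flagpro=c2FtcGxlMDI= 200",
    "1625097603.012 192.0.2.12 GET http://c2.example.invalid/index.htmld?flag=not-base64! 404",
]

def looks_base64(value: str) -> bool:
    """Strict check: canonical alphabet, padded length, and it decodes cleanly."""
    if not value or len(value) % 4 or not B64_RE.fullmatch(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def match_flagpro_url(url: str):
    """Return (param, value) when the URL ends in index.htmld and carries a Base64 flag/flagpro value."""
    path, _, query = re.sub(r"^https?://[^/]*", "", url, flags=re.IGNORECASE).partition("?")
    if not path.lower().endswith("index.htmld"):
        return None
    # Split the query by hand: urllib.parse.parse_qs would turn '+' into a space and corrupt Base64.
    params = dict(pair.partition("=")[::2] for pair in query.split("&") if "=" in pair)
    for param in FLAGPRO_PARAMS:
        value = params.get(param)
        if value is not None and looks_base64(value):
            return param, value
    return None

def scan_proxy_log(lines):
    """Return (line_no, url, param, decoded bytes) for every line carrying a Flagpro-style request."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            found = match_flagpro_url(url)
            if found:
                hits.append((n, url, found[0], base64.b64decode(found[1])))
    return hits
```

Running scan_proxy_log over SAMPLE_LOG flags lines 1 and 3 only; the index.html request and the malformed value on line 4 are ignored.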
Description last updated: 2024-05-04T16:41:26.406Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Malware, Windows, Phishing
Associated Malware
ID: BendyBear | Type: Unspecified | Votes: 2
Profile Description: BendyBear is a sophisticated x64 shellcode malware that requires loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an
Associated Threat Actors
ID: BlackTech | Type: Unspecified | Votes: 2
Profile Description: BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privat
Source Document References
Information about the Flagpro malware was read from the documents corpus below. This display is limited to 20 results.
CERT-EU (a year ago): Chinese 'BlackTech' hackers backdoor Cisco routers to breach orgs in the US, Japan
CERT-EU (a year ago): China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
BankInfoSecurity (a year ago): Chinese Hackers Target Routers in IP Theft Campaign
MITRE (2 years ago): Flagpro: The new malware used by BlackTech (via Passle)