Flagpro is malware used by threat actors to compromise computer systems. It was first observed in attacks against Japan in October 2020, and new versions built with the Microsoft Foundation Class (MFC) library were identified by Security Operations Centers (SOCs) in July 2021. Typical attack chains begin with spear-phishing emails carrying backdoor-laden attachments. Once inside the system, Flagpro deploys other malware designed to harvest sensitive data, including a downloader known as BTSDoor. Flagpro is placed in the startup directory as “dwm.exe” and is executed the next time the system starts. It communicates with a Command & Control (C&C) server, receiving commands or downloading and executing second-stage malware.
The threat actor behind Flagpro relies on custom, regularly updated malware and remote access trojans (RATs), such as BendyBear, FakeDead, and Flagpro itself. The group also uses dual-use tools and living-off-the-land tactics, such as disabling logging on routers, to conceal its operations. BlackTech, the group associated with these attacks, also repurposes Windows utilities for its own ends. When Flagpro accesses an external site and a dialog whose title matches “Internet Explorer [7-11]” appears, it sends a WM_CLOSE message to dismiss the dialog, a further demonstration of its ability to manipulate the host environment.
For network detection, Flagpro’s characteristic URL paths, such as index.htmld?flag=[Base64 string] and index.htmld?flagpro=[Base64 string], are useful indicators. Flagpro communicates with its C&C server over HTTP and can download and execute files based on the commands it receives. As of July 2021, SOCs have observed unusual responses such as “Hello Boy!” from the C&C server when arbitrary paths are requested. The exact purpose of this response remains unknown, illustrating the ongoing development and evolution of this malware threat.
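The following is an added detection example, not code from the original description or from any vendor: it matches proxy log entries against the index.htmld?flag= / index.htmld?flagpro= beacon pattern and the “Hello Boy!” server response named above. The log format (client IP, method, URL, status, response snippet) and the log lines themselves are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Flagpro beacon requests described in the text: the path ends in "index.htmld" (note the
# trailing "d", unlike a normal .html page) and carries a "flag" or "flagpro" parameter
# whose value is a Base64 string.
FLAGPRO_PATH_RE = re.compile(r"/index\.htmld$", re.IGNORECASE)
FLAGPRO_PARAMS = ("flag", "flagpro")
# Shape check for a standard Base64 value (alphabet plus up to two "=" padding chars).
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")
C2_BANNER = "Hello Boy!"


def is_flagpro_beacon(url: str) -> bool:
    """Return True if the URL matches the Flagpro C&C request pattern."""
    parts = urlsplit(url)
    if not FLAGPRO_PATH_RE.search(parts.path):
        return False
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        # unquote() (not unquote_plus) keeps a literal "+" in the Base64 alphabet intact
        # while still decoding percent-encoded padding such as "%3D".
        if name.lower() in FLAGPRO_PARAMS and BASE64_RE.match(unquote(value)):
            return True
    return False


def scan_proxy_log(lines):
    """Return (client_ip, url, reason) for log lines that show Flagpro activity.

    Assumed (constructed) log format: "<client_ip> <method> <url> <status> <body_snippet>".
    """
    hits = []
    for line in lines:
        fields = line.split(" ", 4)
        if len(fields) < 5:
            continue  # malformed or truncated line; nothing to evaluate
        client_ip, _method, url, _status, body = fields
        if is_flagpro_beacon(url):
            hits.append((client_ip, url, "flagpro-beacon-url"))
        elif C2_BANNER in body:
            hits.append((client_ip, url, "flagpro-c2-banner"))
    return hits


# Constructed sample log lines (addresses from documentation ranges, not real indicators).
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://198.51.100.7/index.htmld?flag=aGVsbG8%3D 200 -",
    "10.0.0.5 GET http://198.51.100.7/index.htmld?flagpro=Zm9vYmFy 200 -",
    "10.0.0.8 GET http://198.51.100.7/anything/at/all 200 Hello Boy!",
    "10.0.0.9 GET http://example.org/index.html?flag=aGVsbG8= 200 -",
]
```

Feed real proxy or web-server logs through scan_proxy_log after adapting the field split to your log format; the “Hello Boy!” match in particular is only useful where the response body is logged.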
Description last updated: 2024-05-04T16:41:26.406Z