Flagpro

Malware updated 23 days ago (2024-11-29T14:19:27.366Z)
Download STIX
Preview STIX
Flagpro is a malicious software (malware) used by threat actors to exploit and damage computer systems. The malware was first observed in attacks against Japan in October 2020, with new versions using the Microsoft Foundation Class (MFC) library identified by Security Operations Centers (SOCs) in July 2021. Typical attack chains involve spear-phishing emails containing backdoor-laden attachments. Once inside the system, Flagpro deploys other malware designed to harvest sensitive data, including a downloader known as BTSDoor. Flagpro is placed in the startup directory as “dwm.exe” and is executed when the system launches next time. It communicates with a Command & Control (C&C) server, receiving commands or downloading and executing second-stage malware. The threat actor behind Flagpro leverages custom, regularly updated malware and remote access trojans (RATs), such as BendyBear, FakeDead, and FlagPro itself. They also use dual-use tools and living-off-the-land tactics, such as disabling logging on routers, to conceal their operations. BlackTech, the group associated with these attacks, also manipulates Windows utilities for its own purposes. When Flagpro accesses an external site, if a dialog title is “Internet Explorer [7-11]”, it sends a WM_CLOSE message to close the dialog, further demonstrating its ability to manipulate the host environment. For network detection, Flagpro’s characteristic URL paths, like index.htmld?flag=[Base64 string] and index.htmld?flagpro=[Base64 string], are useful indicators. Flagpro communicates with its C&C server using HTTP and can download and execute files based on the commands received. As of July 2021, SOCs have observed unusual responses such as “Hello Boy!” from the C&C server when accessing arbitrary paths. The exact purpose of this response remains unknown, illustrating the ongoing development and evolution of this malware threat.
Description last updated: 2024-05-04T16:41:26.406Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Phishing
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The BendyBear Malware is associated with Flagpro. BendyBear is a sophisticated x64 shellcode malware that requires loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, anUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The BlackTech Threat Actor is associated with Flagpro. BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privatUnspecified
2
Source Document References
Information about the Flagpro Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more