Flagpro

Malware Profile Updated 3 months ago
Flagpro is a first-stage backdoor and downloader used by the BlackTech threat group. It was first observed in attacks against Japan in October 2020; new versions built with the Microsoft Foundation Class (MFC) library were identified by the reporting security operations center (SOC) in July 2021.

Typical attack chains begin with a spear-phishing email carrying a backdoor-laden attachment. Once the attachment runs, Flagpro is written to the Startup folder as "dwm.exe", a name borrowed from the legitimate Desktop Window Manager binary in System32, and is executed the next time the user logs on. Flagpro then communicates with its Command & Control (C&C) server over HTTP, receiving commands and downloading and executing second-stage malware; one such payload is BTSDoor, which the actor uses to harvest sensitive data.

For network detection, Flagpro's characteristic URL paths are useful indicators: index.htmld?flag=[Base64 string] and index.htmld?flagpro=[Base64 string]. As of July 2021, C&C servers have also been observed returning the unusual response "Hello Boy!" when arbitrary paths are requested. The purpose of this response is unknown, but it is itself a usable fingerprint for identifying the infrastructure, and it shows that the malware and its server side are still under active development.

On the host, Flagpro watches for browser prompts raised when it accesses an external site: if a dialog's title is "Internet Explorer [7-11]", it sends a WM_CLOSE message to dismiss the dialog so that the prompt does not block the connection.

The actor behind Flagpro, BlackTech, relies on custom, regularly updated malware and remote access trojans (RATs) such as BendyBear, FakeDead and Flagpro itself. It also uses dual-use tools and living-off-the-land techniques, including disabling logging on compromised routers and repurposing built-in Windows utilities, to conceal its operations.
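The two network indicators above (the index.htmld?flag= / index.htmld?flagpro= request shape and the "Hello Boy!" server response) can be turned into a simple log scan. The following is an added example written for this page, not code from the Flagpro report or from Cybergeist; the proxy-log line format, the hostnames and the IP addresses are constructed for illustration. It treats a request as a hit only when the query value is strictly valid Base64, which drops benign "?flag=1"-style requests, and it splits the query string by hand because urllib's parse_qs would turn the Base64 characters "+" into spaces.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators taken from the profile text above.
FLAGPRO_PATH = "/index.htmld"
FLAGPRO_PARAMS = ("flag", "flagpro")
HELLO_BOY = "Hello Boy!"

# Constructed sample proxy log: timestamp, source IP, method, URL, status, body snippet.
# Hosts and addresses are illustrative (RFC 5737 / documentation ranges), not real IoCs.
SAMPLE_LOG = """\
2021-07-12T03:14:15Z 10.0.0.7 GET http://198.51.100.23/index.htmld?flagpro=dGVzdA== 200 -
2021-07-12T03:14:16Z 10.0.0.7 GET http://198.51.100.23/index.htmld?flag=Q29tbWFuZA== 200 -
2021-07-12T03:14:17Z 10.0.0.7 GET http://198.51.100.23/index.htmld?flagpro=ab+/ 200 -
2021-07-12T03:14:20Z 10.0.0.9 GET http://example.com/index.html 200 -
2021-07-12T03:14:25Z 10.0.0.9 GET http://example.com/index.htmld?flag=1 200 -
2021-07-12T03:14:30Z 10.0.0.7 GET http://198.51.100.23/foo 200 Hello Boy!
2021-07-12T03:14:40Z 10.0.0.11 GET http://example.com/index.htmld?flag=not-b64! 404 -
"""


@dataclass
class Indicator:
    line_no: int
    src: str
    kind: str    # "c2_url" for the request shape, "c2_banner" for the server response
    detail: str


def is_strict_base64(value: str) -> bool:
    """True only for non-empty, canonically padded Base64 (alphabet, length and padding all checked)."""
    if not value:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def query_params_raw(query: str) -> Dict[str, str]:
    """Split a query string without percent/plus decoding so Base64 '+' and '/' survive intact."""
    params: Dict[str, str] = {}
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")   # split on the first '=' only; '=' padding stays in value
        params.setdefault(name, value)
    return params


def match_flagpro_url(url: str) -> Optional[str]:
    """Return the matched parameter name if the URL has Flagpro's C&C shape, else None."""
    parsed = urlparse(url)
    if not parsed.path.endswith(FLAGPRO_PATH):
        return None
    params = query_params_raw(parsed.query)
    for name in FLAGPRO_PARAMS:
        if name in params and is_strict_base64(params[name]):
            return name
    return None


def find_flagpro_indicators(log_text: str) -> List[Indicator]:
    """Scan log lines for the C&C request shape and the 'Hello Boy!' response banner."""
    hits: List[Indicator] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split(maxsplit=5)      # body snippet may contain spaces, so cap the split
        if len(fields) < 5:
            continue
        _ts, src, _method, url, _status = fields[:5]
        body = fields[5] if len(fields) == 6 else ""
        param = match_flagpro_url(url)
        if param:
            hits.append(Indicator(line_no, src, "c2_url", f"{urlparse(url).netloc} param={param}"))
        if HELLO_BOY in body:
            hits.append(Indicator(line_no, src, "c2_banner", body.strip()))
    return hits


if __name__ == "__main__":
    for hit in find_flagpro_indicators(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} from {hit.src} ({hit.detail})")
```

Run against the constructed log, the scan flags the three Base64-bearing index.htmld requests and the "Hello Boy!" response, and ignores the plain index.html fetch, the "?flag=1" request and the request whose value is not Base64. In a real deployment the banner check would be run on the response body of any request to a suspected host, not only on the body snippet a proxy happens to log.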
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Malware
Windows
Exploit
Backdoor
Downloader
Associated Malware
BendyBear (type: Unspecified; 2 votes). BendyBear is a sophisticated x64 shellcode malware that requires a loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an

FakeDead (type: Unspecified; 1 vote). FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema

TSCookie (type: Unspecified; 1 vote). TSCookie is a malware that has been associated with various backdoors such as BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It is also known as FakeDead and is used in conjunction with other tools like BendyBear and Flagpro by BlackTech, an advanced persistent
Associated Threat Actors
BlackTech (type: Unspecified; 2 votes). BlackTech is a threat actor, or a group responsible for carrying out malicious cyber activities. Known for its links to China, BlackTech focuses on gathering intelligence from technology and government organizations, predominantly in the Asia-Pacific region. This group has shown a high degree of sop
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Flagpro malware was read from the documents listed below (source, date added, title).

CERT-EU (10 months ago): Chinese 'BlackTech' hackers backdoor Cisco routers to breach orgs in the US, Japan
CERT-EU (10 months ago): China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
BankInfoSecurity (10 months ago): Chinese Hackers Target Routers in IP Theft Campaign
MITRE (a year ago): Flagpro: The new malware used by BlackTech (via Passle)