Malware Profile Updated 25 days ago
Flagpro is a first-stage downloader and backdoor attributed to the China-linked threat group BlackTech. It was first observed in attacks against Japanese organisations in October 2020; a rewritten version built on the Microsoft Foundation Class (MFC) library was identified by the reporting Security Operations Center (SOC) in July 2021.

Typical attack chains start with a spear-phishing email carrying a backdoor-laden attachment. The dropped Flagpro executable is written to the user's Startup folder as "dwm.exe" (the name of the legitimate Desktop Window Manager binary, which lives in System32) and runs at the next logon. Flagpro then contacts its Command & Control (C&C) server over HTTP, receives commands, and downloads and executes second-stage malware designed to harvest sensitive data; one observed second stage is the downloader known as BTSDoor.

Flagpro also manipulates the host environment so that its outbound requests complete without user interaction: when it accesses an external site and a dialog with the title "Internet Explorer [7-11]" appears, it sends that dialog a WM_CLOSE message to dismiss it.

For network detection, Flagpro's characteristic URL paths, index.htmld?flag=[Base64 string] and index.htmld?flagpro=[Base64 string], are useful indicators. As of July 2021, Flagpro C&C servers have also been observed answering requests for arbitrary paths with the string "Hello Boy!"; the purpose of this response is unknown.

BlackTech, the group behind Flagpro, relies on custom, regularly updated malware and remote access trojans (RATs) such as BendyBear, FakeDead, and Flagpro itself. It also uses dual-use tools and living-off-the-land techniques, including disabling logging on compromised routers and abusing built-in Windows utilities, to conceal its operations.
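The persistence location and the network indicators described above, as an added example that is not code from the original profile or from any vendor report: a Python scanner that flags Flagpro-style beacon URLs in proxy log lines, grades each hit by whether the parameter is valid Base64, recognises the "Hello Boy!" response string, and reports any dwm.exe that sits outside System32. The log line format, the sample log lines, the file paths and the address 203.0.113.10 are all constructed for this example.

```python
import base64
import binascii
import ntpath
import re
from urllib.parse import unquote

# Constructed sample proxy log lines (invented for this example, not real
# traffic). Assumed format: "<timestamp> <client_ip> <method> <url> <status>".
# 203.0.113.10 is a documentation address standing in for a C&C host.
SAMPLE_PROXY_LOG = """\
2021-07-12T09:14:03Z 10.0.0.15 GET http://203.0.113.10/index.htmld?flag=SGVsbG8gV29ybGQ= 200
2021-07-12T09:14:05Z 10.0.0.15 GET http://203.0.113.10/index.htmld?flagpro=dGVzdA== 200
2021-07-12T09:14:07Z 10.0.0.22 GET http://example.com/index.html?flag=1 200
2021-07-12T09:14:09Z 10.0.0.15 GET http://203.0.113.10/index.htmld?flag=not%20base64!! 200
"""

# The two characteristic paths from the report: index.htmld?flag=... and
# index.htmld?flagpro=... . The value is captured up to the next '&' or
# whitespace; percent-encoding is undone before the Base64 check.
FLAGPRO_URL_RE = re.compile(r"/index\.htmld\?(flagpro|flag)=([^&\s]+)")


def _decode_base64(value):
    """Return the decoded bytes if value is strict Base64, else None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_flagpro_beacons(log_text):
    """Scan proxy log lines for Flagpro-style beacon URLs.

    Returns one dict per matching line with the client IP, which parameter
    was used, the (unquoted) value, and the Base64-decoded bytes, or None
    when the value is not valid Base64 (a lower-confidence hit).
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the scan
        match = FLAGPRO_URL_RE.search(parts[3])
        if not match:
            continue
        param, value = match.group(1), unquote(match.group(2))
        hits.append({
            "client": parts[1],
            "param": param,
            "value": value,
            "decoded": _decode_base64(value),
        })
    return hits


def is_flagpro_c2_banner(response_body):
    """True if an HTTP response body is the 'Hello Boy!' string the report
    associates with Flagpro C&C servers answering arbitrary paths."""
    return response_body.strip() == "Hello Boy!"


# Constructed file-listing entries (invented for this example).
SAMPLE_PATHS = [
    r"C:\Windows\System32\dwm.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
]


def flag_startup_dwm(paths):
    """Return every dwm.exe that is not the legitimate Desktop Window
    Manager binary under %SystemRoot%\\System32; a copy in a Startup
    folder matches the Flagpro persistence described above."""
    suspicious = []
    for path in paths:
        if ntpath.basename(path).lower() != "dwm.exe":
            continue
        if ntpath.dirname(path).lower().endswith(r"\windows\system32"):
            continue
        suspicious.append(path)
    return suspicious


if __name__ == "__main__":
    for hit in find_flagpro_beacons(SAMPLE_PROXY_LOG):
        print(hit)
    print(is_flagpro_c2_banner("Hello Boy!\r\n"))
    print(flag_startup_dwm(SAMPLE_PATHS))
```

A match on the index.htmld path is the strong signal; the Base64 check only grades confidence, since a benign site is unlikely to use that exact path at all. A dwm.exe found in a Startup folder should be hashed and compared against the genuine System32 binary before any response action is taken.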
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
BendyBear is a sophisticated x64 shellcode malware that requires loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an
Associated Threat Actors
BlackTech, a China-linked Advanced Persistent Threat (APT) group, is a significant cybersecurity concern due to its sophisticated techniques and targeted attacks. This threat actor primarily focuses on infiltrating technology and government organizations in the Asia-Pacific region, using a malware f
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Flagpro malware was read from the documents listed below (display limited to 20 results).
a year ago: Flagpro: The new malware used by BlackTech (via Passle)
8 months ago: Chinese 'BlackTech' hackers backdoor Cisco routers to breach orgs in the US, Japan
8 months ago: China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
8 months ago: Chinese Hackers Target Routers in IP Theft Campaign