Picus Labs has updated the Picus Threat Library with new attack methods for Flagpro malware of BlackTech.

BlackTech APT group

BlackTech (also known as Circuit Panda, Radio Panda, TEMP.Overboard, HUAPI, Palmerworm) is an APT group that has been conducting information theft and espionage operations targeting organizations in East Asia. The APT group was first observed in 2010 and they have been active since.

Flagpro malware was recently discovered by NTTSecurity and the malware is attributed to BlackTech [1].

What is Flagpro Trojan?

Flagpro is malware that collects information from the victim and executes commands in the victim’s environment. It targets Japan, Taiwan ,and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:

  • Download and execute a tool
  • Execute OS commands and send results
  • Collect and send Windows authentication information

Test your security controls against malware

MITRE ATT&CK Tactics and Techniques Used by Flagpro Malware

Initial Access

Flagpro is delivered using MITRE ATT&CK T1566.001 Phishing: SpearPhishing Attachment technique. The threat actors send the malware in a password-protected archive file via email. The password of the archive file is in the body of the email.

Execution

Execution of the malware uses MITRE ATT&CK T1204.002 User Execution: Malicious file technique and requires user interaction. The attachment in the threat actor’s email contains a .xlsm file which includes a malicious macro. When the victim opens the .xlsm file and activates the malicious macro, the malicious .exe file is created in the startup directory. This .exe file is generally named either “Flagpro.exe” or “dwm.exe”. 

Persistence

Flagpro uses MITRE ATT&CK T1037.005 Boot or Logon Initialization Scripts: Startup Items technique. The malware places its executable in the startup directory. This enables the executable to run automatically when the victim system is rebooted.

Defense Evasion

To avoid detection, Flagpro uses MITRE ATT&CK 1406 Obfuscated Files or Information technique. During its operations, the communication of the malware is encoded with Base64. 

Command and Control

Flagpro receives OS commands and malicious payloads from the threat actor’s command and control server using MITRE ATT&CK T1132.001 Data Encoding: Standard Encoding technique.

Exfiltration

Flagpro encodes the gathered information with Base64 and sends it as a HTTP request to the command and control server. This technique is called MITRE ATT&CK T1041 Exfiltration over C2 Channel. 

Attack Simulation

You can test your security controls against the Flagpro malware using the Picus Continuous Security Validation Platform. We advise you to simulate  Flagpro attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats used in the Flagpro attack campaign of the BlackTech.

  • Flagpro Dropper used by BlackTech Threat Group .XLSX File Download
  • Flagpro Trojan used by BlackTech Threat Group .EXE File Download (4 variants)

Picus Threat Library also includes other malware threats of BlackTech:

  • BlackTech APT Group’s Plead Downloader Attack Scenario
  • Gh0stTimes RAT used by BlackTech Threat Group .EXE File Download (7 variants)
  • Plead Downloader used by BlackTech APT Group .EXE File Download (15 variants)

Indicators of Compromise (IOCs)

线路信息.xlsm

MD5: 8d3e29bd96352a306022393e94a7270b

SHA-1: 802e7e9bde53d254614268e4b78f03edb1db068d

SHA-256: ba27ae12e6f3c2c87fd2478072dfa2747d368a507c69cd90b653c9e707254a1d

 

Twunk_32.exe

MD5: fd695898fe6a205ccc86d920d8ec6a9b

SHA-1: f75a8b0e6af6a3447f1ea2f85089cfebaac7d936

SHA-256: 77680fb906476f0d84e15d5032f09108fdef8933bcad0b941c9f375fedd0b2c9

 

Twunk_32.exe

MD5: 8f7205aaf80ce4b5d0ee8f00369f301a

SHA-1: 401d3336eb33cf82eecb5df5c2ac6d5f7f78aa26

SHA-256: 655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5

 

Twunk_32.exe

MD5:  11746ae92be83ba28b05272fe03780d6

SHA-1: 7190a70241a58610a5f200daa253bc47b686a3d5

SHA-256: e197c583f57e6c560b576278233e3ab050e38aa9424a5d95b172de66f9cfe970

 

bfsvc.exe

MD5: 287d612e29b71c90aa54947313810a25

SHA-1: 8f35a9e70dbec8f1904991773f394cd4f9a07f5e

SHA-256: 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b

Reference

[1] H. Hada, “Flagpro: The new malware used by BlackTech.” [Online]. Available: https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech.

*** This is a Security Bloggers Network syndicated blog from Resources authored by Hüseyin Can YÜCEEL. Read the original post at: https://www.picussecurity.com/resource/blog/flagpro-malware-of-blacktech-group

Tags: