BlackTech - "Flagpro"

Industry: N/A | Level: Operational | Source: NTTSecurity

Threat Actor Group - "BlackTech" has been observed by NTT Security utilizing a new malware called "Flagpro," actively targeting Japanese companies. The malware is used in the initial stages of the attack, dropped through spear-phishing emails in a zip attachment containing a malicious Excel document with a macro. Following macro execution, the Flagpro exe is dropped into the startup directly where it executes on the next system launch. The malware communicates with the C2 server through base64 encoded traffic, with additional functions including the ability to download additional tools, execute OS commands and collect and send Windows authentication information. If the attacker identifies the compromised Flagpro host to be compatible, they'll proceed in downloading the second stage malware.

• Anvilogic Scenario: BlackTech - FlagPro - Behaviors