New Flagpro malware linked to Chinese state-backed hackers

The cyber-espionage APT (advanced persistent threat) group BlackTech has been targeting Japanese companies with a new type of malware that researchers call "Flagpro". Flagpro is also used to download second-stage malware and run it.

Breaching company networks

The infection chain begins with a phishing email crafted for the target organization that pretends to be a message from a trusted partner.

The email contains a password-protected ZIP or RAR attachment holding a Microsoft Excel file (.XLSM) laced with a malicious macro. Running this macro creates an executable file, Flagpro, in the home directory.

When it first runs, Flagpro connects to the C2 server over HTTP and sends system identification details obtained by executing hard-coded operating system commands.

In response, the C2 can send additional commands or a second-stage payload that Flagpro can execute.

An example of a sent command. Source: NTT Security

Communication between the two is base64 encoded, and there is also a configurable delay between connections to avoid creating an identifiable operational pattern.
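As an added defender-side example (not from the NTT report or this article), the following Python sketch works through the check-in behaviour just described: it base64-decodes HTTP POST bodies from constructed proxy-log tuples, keeps the ones that decode to readable text, and flags client/destination pairs whose requests are spaced at a near-constant interval. The log entries, the hostname and user values, and the roughly five-minute delay are assumptions; real Flagpro traffic may differ.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def encode_b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()
# Constructed sample traffic, not captured Flagpro data: (timestamp, client, destination, POST body).
# The first body imitates base64-encoded system-identification output sent on the first check-in.
SAMPLE_LOG = [
    ("2021-07-01T10:00:00", "10.0.0.5", "203.0.113.10", encode_b64("hostname=WKS-01;user=alice;os=Windows 10")),
    ("2021-07-01T10:05:02", "10.0.0.5", "203.0.113.10", encode_b64("result=ok")),
    ("2021-07-01T10:10:01", "10.0.0.5", "203.0.113.10", encode_b64("result=ok")),
    ("2021-07-01T10:15:03", "10.0.0.5", "203.0.113.10", encode_b64("result=ok")),
    ("2021-07-01T10:02:11", "10.0.0.5", "198.51.100.7", "name=report.xlsx&size=1024"),  # benign upload
]

def decode_if_base64(body: str):
    """Return the decoded text if body is valid base64 of printable text, else None."""
    if len(body) % 4 or not B64_RE.match(body):
        return None
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return None
    return text if text.isprintable() else None

def interval_regularity(stamps):
    """Mean gap in seconds and coefficient of variation; a low CV means a fixed-delay beacon."""
    secs = sorted(datetime.fromisoformat(s).timestamp() for s in stamps)
    gaps = [b - a for a, b in zip(secs, secs[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)

def find_beacons(log, min_hits=3, max_cv=0.1):
    """Flag (client, destination) pairs sending regularly spaced, base64-encoded bodies."""
    per_pair = defaultdict(list)
    for ts, src, dst, body in log:
        decoded = decode_if_base64(body)
        if decoded is not None:
            per_pair[(src, dst)].append((ts, decoded))
    hits = {}
    for pair, entries in per_pair.items():
        if len(entries) >= min_hits:
            avg, cv = interval_regularity([ts for ts, _ in entries])
            if cv <= max_cv:
                hits[pair] = {"mean_gap": round(avg), "cv": round(cv, 3), "first_body": entries[0][1]}
    return hits
```

A configurable delay with jitter raises the coefficient of variation, so the threshold has to be tuned against the proxy's normal traffic rather than fixed.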

Communication between Flagpro and the C2. Source: NTT Security

Flagpro has been used against Japanese companies for more than a year, at least since October 2020, according to a report by NTT Security.

The most recent samples the researchers were able to obtain are from July 2021. The targeted companies come from a range of industries, including defense, media and communications technology.

Flagpro v2.0

At some point in their analysis, NTT researchers noticed a new version of Flagpro that can automatically close dialog boxes related to making external connections, which could otherwise reveal its presence to the victim.

"In the implementation of Flagpro v1.0, if a dialog titled 'Windows セキュリティ' appears when Flagpro is accessing an external site, Flagpro will automatically click the OK button to close the dialog," explains the NTT Security report. "This handling also works if the dialog is written in Chinese or English. It indicates targets are in Japan, Taiwan, and English-speaking countries."

Inserted code serving as obfuscation in Flagpro v2.0. Source: NTT Security

BlackTech APT is a lesser-known actor discovered by Trend Micro researchers in the summer of 2017 and has been linked to China. Its typical targets are in Taiwan, though it has occasionally targeted companies in Japan and Hong Kong to steal technology.

In February 2021, a report from Unit 42 linked BlackTech to WaterBear, malware associated with another cyber-espionage group believed to have the backing of the Chinese government. Like other China-linked APTs, BlackTech has the knowledge and resources to adapt its tools in response to new research reports like this one, so Flagpro is likely to be modified for stealthier use.

As the NTT report concludes, "Recently they (BlackTech) started using other new malware called SelfMake Loader and Spider RAT. That means they are actively developing new malware. Defenders should be aware of the new indicators of exposure to new malware and follow all security best practices to keep a strong defense against sophisticated threats like BlackTech."

Source: Bleeping Computer
