Flagpro

Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.[1]

ID: S0696
Type: MALWARE
Platforms: Windows
Contributors: Hannah Simes, BT Security
Version: 1.0
Created: 25 March 2022
Last Modified: 04 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Flagpro can collect data from a compromised host, including Windows authentication information.[1]

Enterprise T1036 Masquerading

Flagpro can download malicious files with a .tmp extension and append them with .exe prior to execution.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Flagpro has dropped an executable file to the startup directory.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Flagpro can use cmd.exe to execute commands received from C2.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Flagpro can execute malicious VBA macros embedded in .xlsm files.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Flagpro can communicate with its C2 using HTTP.[1]

Enterprise T1010 Application Window Discovery

Flagpro can check the name of the window displayed on the system.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Flagpro has encoded bidirectional data communications between a target system and C2 server using Base64.[1]

Enterprise T1106 Native API

Flagpro can call Native API functions, including GetLastError and GetTickCount, as part of its obfuscation.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Flagpro has been used to execute the net localgroup administrators command on a targeted system.[1]

Enterprise T1027 Obfuscated Files or Information

Flagpro has been delivered within ZIP or RAR password-protected archived files.[1]

Enterprise T1204 .002 User Execution: Malicious File

Flagpro has relied on users clicking a malicious attachment delivered through spearphishing.[1]

Enterprise T1070 Indicator Removal

Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.[1]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Flagpro can check whether the target system is using Japanese, Taiwanese, or English by detecting specific Windows Security and Internet Explorer dialog boxes.[1]

Enterprise T1033 System Owner/User Discovery

Flagpro has been used to run the whoami command on the system.[1]

Enterprise T1049 System Network Connections Discovery

Flagpro has been used to execute netstat -ano on a compromised host.[1]

Enterprise T1016 System Network Configuration Discovery

Flagpro has been used to execute the ipconfig /all command on a victim system.[1]

Enterprise T1135 Network Share Discovery

Flagpro has been used to execute net view to discover mapped network shares.[1]

Enterprise T1105 Ingress Tool Transfer

Flagpro can download additional malware from the C2 server.[1]

Enterprise T1057 Process Discovery

Flagpro has been used to run the tasklist command on a compromised system.[1]

Enterprise T1018 Remote System Discovery

Flagpro has been used to execute net view on a targeted system.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Flagpro has exfiltrated data to the C2 server.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Flagpro has been distributed via spearphishing as an email attachment.[1]

Enterprise T1029 Scheduled Transfer

Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2.[1]
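The discovery commands listed above (whoami, netstat -ano, ipconfig /all, net view, tasklist, net localgroup administrators) are all executed through cmd.exe, so a defender can correlate them per host. The following is an added detection example written for this page, not code from the ATT&CK entry or from the cited report; the event format and the sample events are constructed, and the threshold of three distinct commands is an assumption a SOC would tune.

```python
import re
from collections import defaultdict

# Discovery commands the page attributes to Flagpro, as regexes over the command line.
DISCOVERY_PATTERNS = {
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "netstat -ano": re.compile(r"\bnetstat\b.*\s-ano\b", re.I),
    "ipconfig /all": re.compile(r"\bipconfig\b.*\s/all\b", re.I),
    "net view": re.compile(r"\bnet1?\s+view\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "net localgroup administrators": re.compile(r"\bnet1?\s+localgroup\s+administrators\b", re.I),
}

# Constructed process-creation events (simplified Sysmon EID 1 shape); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "excel.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"host": "ws01", "parent": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami"},
    {"host": "ws01", "parent": "cmd.exe", "image": "netstat.exe", "cmdline": "netstat -ano"},
    {"host": "ws01", "parent": "cmd.exe", "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "ws01", "parent": "cmd.exe", "image": "net.exe", "cmdline": "net view"},
    {"host": "ws01", "parent": "cmd.exe", "image": "net.exe", "cmdline": "net localgroup administrators"},
    # ws02: a single ipconfig from cmd.exe and a tasklist not spawned by cmd.exe (benign admin use).
    {"host": "ws02", "parent": "cmd.exe", "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "ws02", "parent": "explorer.exe", "image": "tasklist.exe", "cmdline": "tasklist"},
]

def discovery_command(cmdline):
    """Return the name of the Flagpro discovery command matched by a command line, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None

def score_hosts(events, threshold=3):
    """Collect distinct cmd.exe-spawned discovery commands per host.

    Returns {host: sorted command names} for hosts reaching the threshold; one stray
    ipconfig or tasklist on its own does not alert, the Flagpro-style burst does.
    """
    seen = defaultdict(set)
    for event in events:
        if event["parent"].lower() != "cmd.exe":
            continue  # only cmd.exe children, matching the page's T1059.003 description
        name = discovery_command(event["cmdline"])
        if name:
            seen[event["host"]].add(name)
    return {host: sorted(cmds) for host, cmds in seen.items() if len(cmds) >= threshold}

if __name__ == "__main__":
    for host, cmds in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(cmds)} distinct discovery commands via cmd.exe: {cmds}")
```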

Groups That Use This Software

ID Name References
G0098 BlackTech [1]

References