FlagPro Malware

Flagpro is a new malware strain presumably deployed by a criminal group in the first stages of multi-stage network reconnaissance attacks. Initially targeting Japan-based businesses, Flagpro penetrates networks in order to bring in and execute additional malware.

The infection vector used by BlackTech, the cybergang in charge of the attacks, is the good old phishing scam. Veiled under the guise of genuine-looking business correspondence, Flagpro arrives as a malicious macro inside an attached, password-protected Microsoft Excel file. When the document is opened, the macro executes Flagpro as a startup process. Flagpro then sends system data to an external Command-and-Control (C&C) server and awaits further instructions.
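The chain just described (Excel document, macro, dropped executable) has a simple detection angle: an Office application rarely needs to spawn an arbitrary executable. The following is an added illustration, not code from the article or from any published Flagpro analysis. It runs a parent/child process heuristic over constructed process-creation events; the event field names, file paths and the allow-list of benign children are assumptions chosen for the example.

```python
"""Flag Office applications spawning non-Office executables.

Added example: the event records below are constructed for illustration and
are not real Flagpro telemetry. Field names ("parent_image", "image", "pid")
are assumed to mirror a typical process-creation log.
"""
import os

# Office hosts that open documents but should not launch arbitrary binaries.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Children an Office process is expected to launch (assumed allow-list).
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe"}

# Path fragments that indicate a user-writable location; a payload dropped by
# a macro typically lands in one of these before it is executed.
USER_WRITABLE_MARKERS = ("/appdata/", "/temp/", "/users/public/", "/downloads/")

# Constructed sample events (hypothetical paths and PIDs).
SAMPLE_EVENTS = [
    {"pid": 4100,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"pid": 4101,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 4102,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe"},
    {"pid": 4103,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
]


def _normalize(path):
    """Lower-case a Windows path and use forward slashes so it can be
    inspected the same way on any host running the detection."""
    return path.replace("\\", "/").lower()


def _basename(path):
    return os.path.basename(_normalize(path))


def classify(event):
    """Return None for a benign event, otherwise a short reason string."""
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
        return None
    if any(marker in _normalize(event["image"]) for marker in USER_WRITABLE_MARKERS):
        return "office-spawned executable from user-writable path"
    return "office-spawned executable"


def find_office_spawns(events):
    """Return (pid, reason) pairs for every event the heuristic flags."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason is not None:
            hits.append((event["pid"], reason))
    return hits


if __name__ == "__main__":
    for pid, reason in find_office_spawns(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Two of the constructed events are flagged: the executable launched from a temp directory by Excel, and cmd.exe launched by Word. Excel being started by Explorer and Excel launching the print helper pass as benign. The allow-list is deliberately short; a real deployment tunes it against the organisation's own baseline rather than a fixed set.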

Reportedly in circulation for more than a year now, Flagpro has existed in two versions with minor code differences between them. Unlike v1.0, v2.0 automatically closes any dialog boxes that would reveal its communication with the external C&C server. Since those dialog boxes are predominantly in English and Chinese, we assume that the BlackTech APT cybergang may have Chinese origins. What is more, BlackTech appears to have strong ties to the infamous WaterBear espionage team, also believed to have stemmed from China.

Given that there are already two Flagpro versions, we cannot rule out more variants appearing in the immediate future. You had better keep your anti-malware tools up to date and running to prevent any potential Flagpro infection from reaching your PC.
