A cyberespionage group called BlackTech is targeting organizations in several Asian countries, including Taiwan, Hong Kong, and Japan. While there is no proof of a connection, the group is believed to be backed by the Chinese government. It tries to gather information and steal technology from the defense, media, and communications sectors.
The e-mail contains a RAR file, which contains an XLSM file that carries a malicious macro.
The malware is often delivered inside a password-protected RAR file so that security tools cannot open and scan it.
BlackTech uses malware called Flagpro for the first stage of the attack. Flagpro is delivered to the victim via an e-mail that looks legitimate. The e-mail carries an attachment, a RAR or ZIP archive, containing a Microsoft Excel file with an XLSM extension. The Excel file carries a malicious macro that writes an executable into the Startup directory, from which executables are run automatically whenever Windows starts.
When the file runs at the next normal Windows boot, it connects to the C2 server over HTTP and sends system identification details. The C2 server then sends back new commands or a new payload. The communication is Base64-encoded, and because its time delay is configurable, the beaconing can easily escape pattern-based detection.
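The two behaviours described above, a macro-bearing Office file dropping an executable into the Startup folder and Base64-encoded HTTP beacons carrying system details, are both observable in ordinary endpoint and proxy telemetry. The following Python script is an added example (not code from the article, from NTT Security, or from any Flagpro sample): it runs two detections over constructed sample logs. The file paths, the process names, the 203.0.113.10 C2 address (a documentation-reserved address) and the beacon plaintext `host=...&user=...&os=...` are all assumptions made for the example, not indicators from the page.

```python
import base64
import binascii
import re
from datetime import datetime
from typing import Dict, List, Optional

# --- Constructed sample telemetry (not real Flagpro data) --------------------

# Sysmon-style file-create events: which process wrote which file.
FILE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\report.xlsx"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},
]

def _b64(text: str) -> str:
    """Encode a constructed plaintext beacon the way the article says the traffic is encoded."""
    return base64.b64encode(text.encode()).decode()

# Proxy-style HTTP records. The first three are a constructed beacon to a fake C2
# (203.0.113.10) sent with an irregular delay; the last one is ordinary traffic.
HTTP_EVENTS = [
    {"ts": "2021-12-20T09:30:00", "method": "POST", "host": "203.0.113.10",
     "body": _b64("host=PC-01&user=alice&os=Windows 10")},
    {"ts": "2021-12-20T09:47:13", "method": "POST", "host": "203.0.113.10",
     "body": _b64("host=PC-01&user=alice&os=Windows 10")},
    {"ts": "2021-12-20T10:31:02", "method": "POST", "host": "203.0.113.10",
     "body": _b64("host=PC-01&user=alice&os=Windows 10")},
    {"ts": "2021-12-20T09:31:00", "method": "POST", "host": "intranet.example",
     "body": "q=quarterly+report&page=2"},
]

# --- Detection 1: an Office process writes an executable into the Startup folder -

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
OFFICE_RE = re.compile(r"\\(EXCEL|WINWORD|POWERPNT)\.EXE$", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js")

def startup_drops_by_office(events: List[Dict[str, str]]) -> List[str]:
    """Return the paths of executables that an Office process created in a Startup folder."""
    hits = []
    for ev in events:
        if (OFFICE_RE.search(ev["image"])
                and STARTUP_RE.search(ev["target"])
                and ev["target"].lower().endswith(EXEC_EXT)):
            hits.append(ev["target"])
    return hits

# --- Detection 2: repeated Base64 POST bodies that decode to host/user details ---

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
ID_KEYS = ("host=", "user=", "os=")   # assumed field names for the constructed beacon

def decode_if_base64(body: str) -> Optional[str]:
    """Strict Base64 decode; return printable ASCII text, or None if the body is not Base64."""
    if len(body) % 4 or not B64_RE.match(body):
        return None
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return None
    if not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode("ascii")

def beacon_hosts(events: List[Dict[str, str]], min_posts: int = 2) -> Dict[str, List[int]]:
    """Map each host that received at least min_posts Base64 POSTs with ID-like fields to
    the intervals (seconds) between those POSTs. The intervals are reported, not scored:
    a configurable delay makes them irregular, so the decoded body carries the detection."""
    per_host: Dict[str, List[datetime]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] != "POST":
            continue
        text = decode_if_base64(ev["body"])
        if text and any(key in text for key in ID_KEYS):
            per_host.setdefault(ev["host"], []).append(datetime.fromisoformat(ev["ts"]))
    result: Dict[str, List[int]] = {}
    for host, times in per_host.items():
        if len(times) >= min_posts:
            result[host] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return result

if __name__ == "__main__":
    print("Startup drops by Office:", startup_drops_by_office(FILE_EVENTS))
    print("Beaconing hosts and intervals:", beacon_hosts(HTTP_EVENTS))
```

The first detection keys on the parent process rather than on any file name, since the dropped executable's name is attacker-chosen; the second decodes the POST body instead of relying on beacon timing, which is exactly what the configurable delay is meant to defeat. In a real deployment, run the decoded text through a content check appropriate to your environment rather than the assumed `host=`/`user=`/`os=` fields used here.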
Flagpro is evolving
Researchers from NTT Security have observed a more advanced version of the malware described above. The new version can automatically close dialogs that may appear on screen while it tries to establish an external connection.
BlackTech is not a recently formed group. 4 years ago, Trend Micro published a paper describing the group's operations and tracing the evidence behind them. The group constantly adjusts and evolves its attacks, drawing on its in-depth knowledge, which makes them very difficult to detect.