Flagpro
Flagpro is a malware family associated with the China-linked BlackTech threat group. The provided content describes it as being used in the initial stage of attacks to investigate a target environment, download and execute a second-stage malware payload, and exfiltrate data to its command-and-control (C2) server. Its C2 communications are bidirectional and Base64-encoded. Flagpro has been distributed via spearphishing email attachments and can execute malicious VBA macros embedded in .xlsm files, relying on user interaction with the malicious attachment. It can execute commands such as "net view" on a targeted system for discovery. The malware can check the name of the window displayed on the system and determine whether the target system is using Japanese, Taiwanese, or English by detecting specific Windows Security and Internet Explorer dialogs. It can also close specific Windows Security and Internet Explorer dialog boxes to mask external connections. The content further notes that U.S. and Japanese agencies observed BlackTech targeting multiple Cisco versions with custom malware including Flagpro.
Groups observed using it
1 distinct threat actor attributed by public researchers.
BlackTech uses a new malware for these attack cases. We call it “Flagpro”. Flagpro is used in the initial stage of attacks to investigate the target’s environment, download a second-stage malware and execute it.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
A sophisticated hacking group tied to the government of China is exploiting routers in attacks on a variety of organizations... The group specifically targets “branch routers” — smaller appliances used at more remote branch offices to connect to a corporate headquarters.
Initial Access
1 technique
An attack case using Flagpro starts with a spear phishing e-mail. The message is adjusted to its target organization... The attackers attach a password protected archived file (ZIP or RAR) to the email... The archived file includes an xlsm format file and it contains a malicious macro.
Execution
4 techniques
The following list indicates Flagpro’s main functions: ... Execute OS commands and send the results
The archived file includes an xlsm format file and it contains a malicious macro. If a user activates the macro, a malware will be dropped.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Persistence
2 techniques
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.
Privilege Escalation
1 technique
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
Stealth
5 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
"Bumblebee has been delivered as password-protected zipped ISO files" / "Flagpro has been delivered within ZIP or RAR password-protected archived files." / "TA505 has password-protected malicious Word documents."
In most cases, these created EXE files are named “dwm.exe”.
In Flagpro v2.0, the same codes... are repeatedly inserted to hide important as a handy obfuscation technique.
Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.
Defense Impairment
1 technique
Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.
Credential Access
2 techniques
The content references collection of credential material from local systems, including "Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies," "GALLIUM collected ... password hashes from the SAM hive in the Registry," and "Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors."
Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.
Discovery
6 techniques
Multiple malware families are described as identifying/enumerating open windows or capturing foreground window titles (e.g., via EnumWindows, GetForegroundWindow, GetWindowText) to understand user activity and provide context for keylogging/screencapture.
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
Flagpro v2.0 checks whether both username and password are filled in a dialog as an additional feature before clicking the OK button.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.
Collection
1 technique
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
Command and Control
3 techniques
Flagpro communicates with a C&C server using HTTP.
Flagpro is used in the initial stage of attacks to investigate the target’s environment, download a second-stage malware and execute it... Regarding downloading and executing a tool, Flagpro stores the downloaded file in the file path “%Temp%\~MY[0-9A-F].tmp” first. Then, Flagpro adds the extension “.exe” to the name of the stored file and executes the file.
The commands received from a C&C server are encoded with Base64... It encodes data with Base64 and sends it to the C&C server.
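A defender-side hunt for the two host artifacts this page ties to Flagpro: the “%Temp%\~MY[0-9A-F].tmp” staging file that is renamed with “.exe” before execution, and the “dwm.exe” copy dropped in the Startup folder. This is an added example in Python, not code from the page or from any vendor report; it runs over constructed sample file-create events, and it assumes the page’s “[0-9A-F]” stands for one or more hex digits.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not from the page): Sysmon-style file-create
# events as dicts. Only the 'path' field is inspected by the rules below.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "FileCreate",
     "path": r"C:\Users\alice\AppData\Local\Temp\~MY3A.tmp"},
    {"host": "ws01", "event": "FileCreate",
     "path": r"C:\Users\alice\AppData\Local\Temp\~MY3A.tmp.exe"},
    {"host": "ws01", "event": "FileCreate",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\dwm.exe"},
    {"host": "ws02", "event": "FileCreate",
     "path": r"C:\Windows\System32\dwm.exe"},          # legitimate DWM binary
    {"host": "ws02", "event": "FileCreate",
     "path": r"C:\Users\bob\AppData\Local\Temp\report.tmp"},
]

# Staging pattern quoted on the page: "%Temp%\~MY[0-9A-F].tmp", later renamed
# with ".exe" appended. Assumption: the bracket means one or more hex digits.
TEMP_STAGE_RE = re.compile(r"\\Temp\\~MY[0-9A-F]+\.tmp(\.exe)?$", re.IGNORECASE)

# Persistence artifact: "dwm.exe" in the per-user Startup folder. The real
# Desktop Window Manager lives in System32, so a copy here is suspicious.
STARTUP_DWM_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\dwm\.exe$",
                            re.IGNORECASE)


def classify(path: str) -> str:
    """Return a rule name if the path matches a Flagpro artifact, else ''."""
    if STARTUP_DWM_RE.search(path):
        return "flagpro_dwm_startup"
    m = TEMP_STAGE_RE.search(path)
    if m:
        # group(1) is set only once ".exe" has been appended (execution step)
        return "flagpro_stage_exec" if m.group(1) else "flagpro_stage_download"
    return ""


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both rules over file events; return the hits with the rule attached."""
    return [{**ev, "rule": classify(ev["path"])}
            for ev in events if classify(ev["path"])]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f'{hit["host"]}: {hit["rule"]} -> {hit["path"]}')
```

The System32 copy of dwm.exe and the unrelated .tmp file produce no hits, so the rules key on the location and naming the page describes rather than on the file name alone.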
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Other
1 technique
Recent activity
34 sources tracked across advisories, community write-ups, and news.
Custom malware family cited as part of BlackTech’s toolkit for stealthy access and persistence.
Flagpro is an initial-stage malware used in spear-phishing campaigns. It is dropped via malicious macro-enabled XLSM files, persists via the startup folder often as dwm.exe, communicates with a C&C server over HTTP using Internet Explorer COM objects, executes OS commands, collects Windows authentication information, and downloads and executes second-stage payloads.
Malware that identifies system language by detecting specific localized Windows Security and Internet Explorer dialogs.
Malware that Base64-encodes bidirectional communications with command-and-control servers.