Researchers have observed that the APT group dubbed BlackTech has begun targeting Japanese organizations in a malicious campaign that employs the Flagpro malware.
How the Attack Unfolds
NTT researchers published a report on the campaign. According to the report, BlackTech uses Flagpro in the initial stage of the attack for network reconnaissance: exploring the target environment and downloading and executing further malware.
The attack begins with a spear-phishing email, a customized message that impersonates communication from a business partner of the targeted company.
The email carries a password-protected ZIP or RAR attachment, with the required password given in the email body. The archive contains a Microsoft Excel file with an embedded malicious macro.
When the macro runs, it drops an executable file (dwm.exe) into the startup directory. That executable is the Flagpro malware itself.
The attackers attach a password-protected archive file (ZIP or RAR) to the email, and they write its password in the message. The archive file includes an xlsm-format file, and it contains a malicious macro. If a
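As an added example (not code from the article or from the NTT report), here is a small Python check a defender could run over file-creation telemetry to spot the behaviour described above: an executable written to a user's Startup folder by an Office process and named after a legitimate Windows binary such as dwm.exe. The event records, their field names and the list of Office processes are constructed assumptions; only dwm.exe, the Startup-folder drop and the Excel macro come from the report.

```python
import re
from typing import Dict, List, Optional

# Constructed file-creation events in the shape of an EDR/Sysmon "FileCreate"
# record (assumed field names: process, path). Not taken from the page.
EVENTS: List[Dict[str, str]] = [
    {"process": "EXCEL.EXE",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.exe"},
    {"process": "msiexec.exe",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\vendor-agent.lnk"},
    {"process": "EXCEL.EXE",
     "path": r"C:\Users\alice\Documents\report.xlsx"},
    {"process": "explorer.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt"},
]

# Matches a file placed directly in a per-user or all-users Startup folder.
STARTUP_DIR = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
# Office hosts that should not be writing binaries anywhere (assumed list).
OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Legitimate Windows binaries that live in System32; a copy in Startup is a masquerade.
# dwm.exe is the name from the report; extend with your own list.
SYSTEM_BINARY_NAMES = {"dwm.exe"}


def score_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a Startup-folder write, or None if the path is elsewhere."""
    path = event["path"]
    if not STARTUP_DIR.search(path):
        return None
    name = path.rsplit("\\", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    reasons: List[str] = []
    severity = "low"
    if ext in EXEC_EXT:
        reasons.append("executable written to Startup folder")
        severity = "medium"
    if name in SYSTEM_BINARY_NAMES:
        reasons.append(f"{name} masquerades as a Windows system binary")
        severity = "high"
    if event["process"].lower() in OFFICE_PROCS:
        reasons.append(f"written by Office process {event['process']} (macro drop)")
        severity = "high"
    return {"path": path, "severity": severity, "reasons": reasons}


def find_startup_drops(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only Startup-folder writes that triggered at least one reason."""
    return [f for f in (score_event(e) for e in events) if f and f["reasons"]]
```

Running `find_startup_drops(EVENTS)` flags only the dwm.exe drop by EXCEL.EXE as high severity; the .lnk and .txt files in Startup produce no reasons and are not reported.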