No stranger to this blog, BlackTech has continued to modify techniques to compromise networks and even suffered an OPSEC slip in the way of an open directory.
This post will cover a malicious document similar to that identified by  PWC and  NTT in the previous reporting on the group. While I cannot definitively answer that the malicious executable recovered in this case is Flagpro, I would like to highlight some of the similarities and differences found in this sample.
An Empty Excel Doc
Filename: 2021-10工资中公积金问题咨询.xlsm (roughly translates to “Constitution on Provident Fund Issues in 2021-10 Salary”. Google Translate)
While there isn’t much in the way of a lure to entice the user to open the document, the title and delivery method would likely pique a user’s interest. Upon enabling content, a Windows executable named dwm.exe is dropped into the Startup folder which ensures persistence and is executed.
The malicious macros embedded in the Excel document are almost an exact copy of the code seen in the PWC report. Although the malicious executable is named dwm.exe, this isn’t the original name of the application as can be seen in Figure 2.
The Microsoft Foundation Class, or MFC is also heavily utilized in the dropped file. A number of the MFC libraries found running strings on this sample differed from previous reports on Flagpro.
Note the absence of the “CV20” prefixes in Figure 3 on the MFC classes, as reported by NTT Security. Previous reporting theorized that the CV20 served as the version number for Flagpro. This minor development change could have been in response to public reporting, or to different development practices.
In PWC’s VB 2021 localhost presentation, the mutex identified for Flagpro malware began with “71564__”. Mutexes associated with this sample are below.
While this is certainly not a smoking gun, these are somewhat interesting development changes to the malware.
Opening the executable in Ghidra, the command and control (C2) domain is broken up over three different variables, initialized in reverse order.
Additionally, the HTTP request headers and User-Agent were similarly hardcoded and pieced back together before making a request.
Utilizing MFC classes allows threat actors to wrap Windows APIs routinely linked to malware inside the MFC library. A majority of the suspicious code can be found in the DoModal function, which houses a number of calls linked to taking screenshots of the victim’s computer.
As identified in Figure 6, dwm.exe contacted the following domain:
- Registrar: TLDS L.L.C. d/b/a SRSPlus
- Resolving IP: 103.195.150[.]181
- Location: Hong Kong
- Organization: Cloudie Limited
If you have read prior reporting on BlackTech intrusion operations, the above domain naming scheme should come as no surprise. Like other threat actors, BlackTech tends to use software and security companies for their C2 domain naming. The threat actor has used some form of “centos” as a C2 domain on at least four different occasions.
According to PassiveDNS (pDNS) information, centos.onthewifi[.]com previously resolved to 172.104.109[.]217. Utilizing ZoomEye to investigate the previous IP, the same “Hello Boy” C2 response NTT-Security reported on is displayed. An additional response of “1” was also found at the same IP on port 80/https.
An additional domain possibly linked to the above is redhatstate.hopto[.]org which is also hosted at 103.195.150[.]181.
A special thanks to Twitter user, @500mk500 for noticing the above domain that matches previous BlackTech domain naming.
The above are not definitive links to BlackTech, however, I believe the similarities are strong enough to warrant attention and maybe a closer look by analysts. Changes in domain hosting should also be of interest to APT network infrastructure hunters, as this could be a change in technique or simply a new team has taken over procurement of network infrastructure. In any case, BlackTech remains an aggressive actor intent on cyber espionage in the APAC region.