ESET releases details of TA410 APT group, including its cyberespionage TTPs and activity

ESET researchers have released a detailed profile of the TA410 APT group, covering its modus operandi and a toolset that includes a new version of the FlowCloud backdoor. The team also shed light on this very complex backdoor and its espionage capabilities. TA410 is a cyberespionage umbrella group made up of three different teams using different toolsets, among them FlowCloud. TA410 is loosely linked to APT10 and is known mostly for targeting US-based organizations in the utility sector, and diplomatic organizations in the Middle East and Africa.

The researchers believe that TA410 is composed of three different teams that use very similar tactics, techniques, and procedures (TTPs) but different toolsets, and that exit from IP addresses located in three different districts, ESET researchers wrote in a company blog post. These teams, referred to as FlowingFrog, LookingFrog, and JollyFrog, have overlaps in TTPs, victimology, and network infrastructure, they added.

The data revealed that TA410 had access to the most recent known Microsoft Exchange remote code execution vulnerabilities, such as ProxyLogon (March 2021) and ProxyShell (August 2021).

Both sets of Exchange vulnerabilities were flagged this week by global cybersecurity authorities as being among the top 15 vulnerabilities routinely exploited by malicious actors last year. That list also includes the Log4Shell vulnerability in Apache Log4j and a vulnerability affecting Atlassian Confluence Server and Data Center.

ESET researchers found a new version of FlowCloud, a complex and modular C++ RAT (remote access trojan), a class of malware designed to let an attacker remotely control an infected computer. It has several capabilities, including controlling connected microphones and triggering recording when sound levels above a specified threshold are detected. It also monitors clipboard events to steal clipboard content, tracks file system events to collect new and modified files, and controls attached camera devices to take pictures of the compromised computer's surroundings.

“Initial access to targets is obtained by exploiting vulnerable internet-facing applications such as Microsoft Exchange, or by sending spearphishing emails with malicious attachments such as RTF documents created via the Royal Road builder,” according to the ESET researchers. “Even though the JollyFrog team uses generic tools, FlowingFrog and LookingFrog have access to complex implants such as FlowCloud and LookBack,” they added.

The LookBack backdoor used by TA410 relies on a custom network protocol, which can run over HTTP or raw TCP, for command-and-control (C&C) communications, according to ESET.

The first stage of the FlowCloud version identified by ESET researchers can check whether specific security software is installed on the machine it tries to compromise, although this isn't implemented in the loaders the researchers analyzed. "However, we found a custom AntivirusCheck class, which can check running processes against a hardcoded list of executable filenames from known security products, including ESET products. In case one of these products is detected, FlowCloud goes through its regular loading process and cancels the auto_start_after_install configuration value," they added. In other words, the implant still executes but does not set itself to start automatically when one of the listed products is running, so an analysis environment with such a product installed will observe different persistence behavior from a clean host.

“Even though we believe that this version of FlowCloud is still undergoing development and testing, the cyberespionage capabilities of this version include the ability to collect mouse movements, keyboard activity, and clipboard content along with information about the current foreground window,” the ESET researchers said. This information can help attackers understand stolen data by contextualizing it, they added.

ESET researchers also found that FlowCloud can gather information about things happening around the victim’s computer by taking pictures using connected camera peripherals and recording audio using a computer’s microphone. “This latter function is triggered by any sound over a threshold of 65 decibels, which is in the upper range of normal conversation volume,” they added.
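As an added illustration (not ESET's code and not anything recovered from FlowCloud), the following Python sketches how a sound-activated recorder decides when to capture: each short PCM frame is reduced to an RMS level in dBFS, converted to an estimated sound pressure level with a microphone calibration offset, and compared against a 65 dB threshold. The calibration constant (94 dB SPL at full scale), the 10 ms frame size, the synthetic test tones and the brief "hangover" that keeps capture running after the level drops are all assumptions made for this example; ESET's write-up does not describe how FlowCloud measures its threshold, and a raw dBFS reading cannot be compared with a decibel figure quoted as conversation volume without such a calibration.

```python
import math

FULL_SCALE = 32768.0  # magnitude of the most negative signed 16-bit PCM sample


def rms_dbfs(samples):
    """RMS level of signed 16-bit PCM samples in dBFS (0 dBFS = full-scale RMS).

    Digital silence (or an empty frame) has no defined level and returns -inf,
    so it can never exceed a threshold."""
    if not samples:
        return float("-inf")
    mean_square = sum(s * s for s in samples) / len(samples)
    rms = math.sqrt(mean_square) / FULL_SCALE
    return 20.0 * math.log10(rms) if rms > 0.0 else float("-inf")


def dbfs_to_spl(dbfs, calibration_db):
    """Estimate sound pressure level (dB SPL) from a dBFS reading.

    calibration_db is the SPL that drives this particular microphone chain to
    full scale; 94 dB is ASSUMED below purely for illustration. Without a
    per-device calibration a dBFS value and a '65 dB' conversation figure are
    not comparable."""
    return dbfs + calibration_db


def gate_frames(frames, threshold_db_spl=65.0, calibration_db=94.0, hangover_frames=2):
    """Per-frame capture decision for a sound-activated recorder.

    Returns a list of (estimated_spl, recording) tuples. Once a frame crosses
    the threshold, capture stays on for `hangover_frames` further frames so a
    pause in speech does not chop the recording (a design choice for this
    example, not something described by ESET)."""
    decisions = []
    remaining = 0
    for frame in frames:
        spl = dbfs_to_spl(rms_dbfs(frame), calibration_db)
        if spl >= threshold_db_spl:
            remaining = hangover_frames
            recording = True
        elif remaining > 0:
            remaining -= 1
            recording = True
        else:
            recording = False
        decisions.append((spl, recording))
    return decisions


def sine_frame(amplitude, n=480, freq_hz=500.0, rate_hz=48000.0):
    """Constructed 10 ms frame of 16-bit PCM: a 500 Hz tone, five full cycles."""
    return [int(amplitude * math.sin(2.0 * math.pi * freq_hz * i / rate_hz))
            for i in range(n)]


def demo():
    """Constructed input: silence, a quiet tone, one loud burst, then silence."""
    frames = [sine_frame(0), sine_frame(300), sine_frame(10000)] + [sine_frame(0)] * 4
    return gate_frames(frames)


if __name__ == "__main__":
    for i, (spl, rec) in enumerate(demo()):
        print(f"frame {i}: {spl:7.1f} dB SPL  recording={rec}")
```

With the assumed calibration the quiet tone lands around 50 dB SPL and stays below the threshold, the loud burst lands around 81 dB SPL and starts capture, and the two hangover frames keep capture running through the silence that follows. Changing the calibration constant shifts every estimate by the same amount, which is exactly why a threshold expressed in dB SPL is meaningless until the microphone path has been characterized.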

FlowingFrog uses Royal Road RTF documents, a first-stage implant called Tendyron, and a very complex second-stage backdoor called FlowCloud. LookingFrog uses a first-stage backdoor called X4 and LookBack as a second stage, while JollyFrog uses only generic malware families such as Korplug (aka PlugX) and QuasarRAT. Part of the activity of this team was described by Fortinet, which attributed it to APT10. ESET researchers, however, believe this activity is different from the operations that APT10 (aka A41APT) has conducted recently.

FlowingFrog and LookingFrog ran a phishing campaign at the same time against the same targets, ESET said. “In ESET telemetry, we do not see any other overlap between these subgroups. We believe that these subgroups operate somewhat independently but that they may share intelligence requirements, an access team that runs their spearphishing campaigns, and also the team that deploys network infrastructure,” it added.

ESET identified that most TA410 targets are high-profile organizations in the diplomacy and education sectors, but the researchers have also seen victims in the military sector, a manufacturing company in Japan, a mining company in India, and a charity in Israel. According to ESET telemetry, the victims are located in Africa, Asia, the Middle East, and Europe. Interestingly, there is no clear segmentation of the targeting (by sector or geography) among the different teams, they added.

An element worth mentioning is that TA410 targets foreign individuals in China. “In ESET telemetry, we have observed this as having happened at least twice: for instance, one victim is a French academic, and another is a member of a diplomatic mission of a South Asian country in China,” the post added.

Earlier this month, ESET researchers collaborated with CERT-UA to respond to a cyber incident affecting an energy provider in Ukraine. The Sandworm attackers are said to have attempted to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. The attack used industrial control system (ICS)-capable malware alongside conventional disk wipers for the Windows, Linux, and Solaris operating systems.
