A threat group responsible for sophisticated cyber-espionage attacks against US utilities is actually comprised of 3 subgroups, all with their own toolsets & targets, which have been operating globally since 2018, researchers have found.
TA410 is a cyber-espionage umbrella group loosely linked to APT10, a group tied to China’s Ministry of State Security.
The group is known not only for targeting US organisations in the utilities sector, but also diplomatic organisations in the ME & Africa, according to a report published this week by researchers at security firm ESET.
Though it’s apparently been active since 2018, TA410 1st came up on researchers’ radar in 2019, when Proofpoint uncovered a phishing campaign targeting 3 US companies in the utilities sector that used a new malware then called Look Back.
About 1 year later, the threat group resurfaced by using a sophisticated RAT against Windows targets in the US’ utilities sector. called Flow Cloud & believed to be the evolution of Lookback, the RAT can access installed applications & control the keyboard, mouse, screen, files, services & processes of an infected computer.
The tool also can exfiltrate information to a command-&-control (C2) provider.
Now ESET researchers have found that TA410 is not 1 but actually 3 sub-groups of threat players—Flowing Frog, Looking Frog & Jolly Frog—each “using very similar tactics, techniques, & procedures (TTPs) but different toolsets & exiting from IP addresses located in 3 different districts,” researchers Alexandre Côté Cyr & Matthieu Faou wrote in the report.
The teams have overlaps in TTPs, victimology & network infrastructure, & they compromise global targets—primarily govt. or education organisations–in many ways, indicating that victims are targeted specifically, “with the attackers choosing which entry method has the best chance of infiltrating the target,” researchers stated.
Those ways include a latest version of Flow Cloud as well as access to the most recently known Microsoft Exchange remote code execution vulnerabilities, Proxy Logon and Proxy Shell, among other tools—both custom & generic—that are specific to each group, researchers found.
Researchers analysed the activity of each sub-group, including which tools they use & what type of victims they target. They also identified ‘overlap’ in which the players work together.
Flowing Frog shares network infrastructure—specifically, the domain ffca.caibi379[.]com—with Jolly Frog. It also ran the phishing campaign uncovered by Proofpoint in 2019 together with Looking Frog, researchers found.
The subgroup has its own specific mode of attack & has launched campaigns against specific targets–namely universities, the foreign diplomatic mission of a S. Asian country in China & a mining company in India, researchers discovered.
Flowing Frog uses a 1st stage that ESET researchers have named the Tendyron downloader, & then Flow Cloud as a 2nd stage they explained.
“Tendyron.exe is a legitimate executable, signed by online-banking security vendor Tendyron Corporation, & that is vulnerable to DLL search-order hijacking,” researchers explained.
Flowing Frog also uses Royal Road, a malicious document builder used by several cyber-espionage groups that builds RTF documents exploiting Equation Editor N-day vulnerabilities such as CVE-2017-11882, researchers outlined.
Looking Frog typically targets diplomatic missions, charity organisations & entities in govt. & industrial manufacturing using 2 main malware families: X4 & Look Back.
X4 is a custom backdoor that is used as a 1st stage before Look Back is deployed researchers explained. The backdoor is loaded by a VMProtect-ed loader, usually named PortableDeviceApi.dll or WptsExtensions.dll.
Written in C++
Look Back is a RAT written in C++ that relies on a proxy communication tool to relay data from the infected host to the command-&-control server (C2). The malware has capabilities to view process, system & file data; delete files; take screenshots; move & click the infected system’s mouse; reboot machines; & delete itself from an infected host.
Look Back is comprised of several components, including a C2 proxy tool, a malware loader, a communications module to create the C2 channel with the GUP proxy tool, & a RAT component to decode the initial beacon response received from the GUP proxy tool.
The 3rd & final team of TA410, Jolly Frog, targets organisations in education, religion, & the military as well as those with diplomatic missions, researchers found. Rather than use custom tools, the group exclusively uses ‘generic,’ off-the-shelf malware from known families Quasar RAT & Korplug, aka PlugX.
Quasar RAT is a fully featured backdoor freely available on GitHub & is a popular tool used by cyber-espionage & cyber-crime threat players; researchers stated.
It’s been previously used in a phishing campaign targeting companies with fake job-seeker Microsoft Word resumes & a 2019 APT10 malicious cyber campaign against govt. & private organisations in SE Asia.
Korplug is a backdoor that that also has been used for years by various cyber-espionage groups & remains a popular tool. Last month, China’s Mustang Panda/TA416/Red Delta used Korplug in an espionage campaign against diplomatic missions, research entities & internet service providers (ISPs) in & around SE Asia.
TA410 typically uses Korplug as a RARSFX archive, generally named m.exe & containing 3 files: qrt.dll, acustom loader; qrtfix.exe, a legitimate signed application from F-Secure, vulnerable to DLL search-order hijacking; & qrt.dll.usb: the Korplug shellcode.
“The loader allocates memory using VirtualAlloc & copies the content of qrt.dll.usb there,” researchers explained. “Then it jumps right into the shellcode that will decompress & load the Korplug payload.”
Updated Version of Flow Cloud
ESET researchers also took a look at an updated version of Flow Cloud currently being used by TA410.
Flow Cloud is a complex implant written in C++ comprised of 3 main components—a rootkit functionality, a simple persistence module & a custom backdoor–deployed in a multistage process that uses various obfuscation and encryption techniques to hinder analysis.
While Proofpoint researchers previously analysed Flow Cloud versions 4.1.3 and 5.0.1, TA410 is now using Flow Cloud versions 5.0.2 & 5.0.3, which have new capabilities, they outlined.
“Contrary to those previously found, the samples we obtained for version 5.0.2 contain verbose error messages & meticulous logging,” researchers explained.
The latest version of the tool now also can perform the following activities:
- Controlling connected microphones & triggering recording when sound levels above a specified threshold volume are detected;
- Monitoring clipboard events to steal clipboard content;
- Monitoring file system events to collect new & modified files; &
- Controlling attached camera devices to take pictures of the compromised computer’s surroundings.