A threat actor known as TA410 has updated its toolkit with a new malware which has been deployed against Windows targets in the United States’ utilities sector, according to researchers at Proofpoint.
The malware, dubbed FlowCloud, is a modular remote-access trojan (RAT) that can access installed applications, the keyboard, mouse, screen, files, services, and processes, and can exfiltrate the collected information over its command-and-control (C2) channel.
The RAT was first spotted last summer as part of a spear-phishing campaign. Utility providers received training- and certification-themed emails with subject lines such as “PowerSafe energy educational courses (30-days trial),” carrying portable executable (PE) attachments.
The researchers believe that FlowCloud and the LookBack malware campaign, which hit the U.S. utilities sector between July and August 2019, can be attributed to the same threat actor, TA410, based on the group’s use of shared attachment macros, malware installation techniques, and overlapping delivery infrastructure.
“Both the FlowCloud and LookBack campaigns targeted utility providers in the United States. Both used training and certification-themed lures. And both used threat actor-controlled domains for delivery. In some cases, both FlowCloud and LookBack campaigns targeted not only the same companies but also the same recipients,” the researchers said.
Furthermore, Proofpoint said it has found similarities between the delivery tactics of TA410 and TA429 (APT10). Specifically, the researchers observed both threat actors using similar attachment macros and elements of the same phishing infrastructure.
“However, Proofpoint analysts believe that intentional reuse of well-publicized TA429 (APT10) techniques and infrastructure may be an attempt by threat actors to create a false flag. For this reason, while research is ongoing, we do not attribute LookBack and FlowCloud campaigns to TA429 (APT10). Proofpoint currently tracks TA429 (APT10) independently of TA410 campaigns,” the report said.
The malware delivery process starts when the malicious attachment macro executes a file called “Gup.exe,” which in turn executes a file called “EhStorAuthn.exe.” EhStorAuthn.exe then extracts and installs the remaining payload components and sets registry key values that store the keylogger drivers and the malware’s configuration.
According to Proofpoint, the malware uses a custom protocol to communicate with its command-and-control server and handles configuration updates, file exfiltration and command processing each in an independent thread.
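As an added example (not code from the Proofpoint report or this article), the following Python detection logic flags the macro-spawned Gup.exe to EhStorAuthn.exe process chain described above in constructed Sysmon-style process-creation events; the log format, process IDs and file paths are assumptions, and the Office process names are the ones a defender would typically check.

```python
import re

# Constructed Sysmon-style process-creation events (EventID 1); not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=1 ProcessId=3000 Image=C:\Windows\explorer.exe ParentProcessId=800",
    r"EventID=1 ProcessId=4100 Image=C:\Program Files\Microsoft Office\WINWORD.EXE ParentProcessId=3000",
    r"EventID=1 ProcessId=4212 Image=C:\Users\u\AppData\Local\Temp\Gup.exe ParentProcessId=4100",
    r"EventID=1 ProcessId=4300 Image=C:\Users\u\AppData\Local\Temp\EhStorAuthn.exe ParentProcessId=4212",
    r"EventID=1 ProcessId=5000 Image=C:\Windows\System32\notepad.exe ParentProcessId=3000",
    # Same file name but not launched via the Gup.exe/Office chain: must not be flagged.
    r"EventID=1 ProcessId=5100 Image=C:\Windows\System32\EhStorAuthn.exe ParentProcessId=3000",
]

# Office hosts whose macros commonly spawn the first-stage file (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EVENT_RE = re.compile(r"EventID=(\d+) ProcessId=(\d+) Image=(.+?) ParentProcessId=(\d+)$")


def parse_events(lines):
    """Map pid -> (lower-cased image basename, parent pid) for EventID 1 lines."""
    procs = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group(1) != "1":
            continue
        pid, image, ppid = int(m.group(2)), m.group(3), int(m.group(4))
        procs[pid] = (image.rsplit("\\", 1)[-1].lower(), ppid)
    return procs


def find_flowcloud_chains(lines):
    """Return (office_pid, gup_pid, ehstor_pid) for every Office -> Gup.exe -> EhStorAuthn.exe chain.

    Matching the full parent chain, rather than the file name alone, keeps a
    legitimately named EhStorAuthn.exe started by another parent from firing.
    """
    procs = parse_events(lines)
    hits = []
    for pid, (name, ppid) in procs.items():
        if name != "ehstorauthn.exe":
            continue
        parent = procs.get(ppid)
        if parent is None or parent[0] != "gup.exe":
            continue
        grandparent = procs.get(parent[1])
        if grandparent is None or grandparent[0] not in OFFICE_APPS:
            continue
        hits.append((parent[1], ppid, pid))
    return hits


if __name__ == "__main__":
    for office_pid, gup_pid, eh_pid in find_flowcloud_chains(SAMPLE_EVENTS):
        print(f"suspicious chain: office={office_pid} -> Gup.exe={gup_pid} -> EhStorAuthn.exe={eh_pid}")
```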
“TA410 operators demonstrate a willingness to dynamically evolve phishing tactics to increase the effectiveness of their campaigns and a keen eye towards plausible social engineering within a very select targeted sector,” the researchers wrote.