Cyberespionage APT Now Identified as Three Separate Actors

A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities is actually comprised of three subgroups, all with their own toolsets and targets, that have been operating globally since 2018, researchers have found.

TA410 is a cyberespionage umbrella group loosely linked to APT10, a group tied to China’s Ministry of State Security. The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Middle East and Africa, according to a report published this week by researchers at security firm ESET.

Though it’s apparently been active since 2018, TA410 first came up on researchers’ radar in 2019, when Proofpoint uncovered a phishing campaign targeting three U.S. companies in the utilities sector that used a novel malware then dubbed LookBack.

About a year later, the threat group resurfaced by deploying a sophisticated RAT against Windows targets in the United States’ utilities sector. Dubbed FlowCloud and believed to be the evolution of Lookback, the RAT can access installed applications and control the keyboard, mouse, screen, files, services and processes of an infected computer. The tool also can exfiltrate information to a command-and-control (C2) provider.

Now ESET researchers have found that TA410 is not one but actually three subgroups of threat actors—FlowingFrog, LookingFrog and JollyFrog—each “using very similar tactics, techniques, and procedures (TTPs) but different toolsets and exiting from IP addresses located in three different districts,” researchers Alexandre Côté Cyr and Matthieu Faou wrote in the report.

The teams have overlaps in TTPs, victimology and network infrastructure, and they compromise global targets—primarily government or education organizations–in various ways, indicating that victims are targeted specifically, “with the attackers choosing which entry method has the best chance of infiltrating the target,” researchers said.

Those ways include a new version of FlowCloud as well as access to the most recently known Microsoft Exchange remote code execution vulnerabilities, ProxyLogon and ProxyShell, among other tools—both custom and generic—that are specific to each group, researchers found.

FlowingFrog

Researchers analyzed the activity of each subgroup, including which tools they use and what type of victims they target. They also identified overlap in which the actors work together.

Flowing Frog shares network infrastructure—specifically, the domain ffca.caibi379[.]com—with JollyFrog. It also ran the phishing campaign uncovered by Proofpoint in 2019 together with LookingFrog, researchers said.

The subgroup has its own specific mode of attack and has launched campaigns against specific targets–namely universities, the foreign diplomatic mission of a South Asian country in China and a mining company in India, researchers found.

FlowingFrog uses a first stage that ESET researchers have named the Tendyron downloader, and then FlowCloud as a second stage they said.

“Tendyron.exe is a legitimate executable, signed by online-banking security vendor Tendyron Corporation, and that is vulnerable to DLL search-order hijacking,” researchers explained.

FlowingFrog also uses Royal Road, a malicious document builder used by several cyberespionage groups that builds RTF documents exploiting Equation Editor N-day vulnerabilities such as CVE-2017-11882, researchers said.

LookingFrog

LookingFrog typically targets diplomatic missions, charity organizations and entities in government and industrial manufacturing using two main malware families: X4 and LookBack.

X4 is a custom backdoor that is used as a first stage before LookBack is deployed researchers explained. The backdoor is loaded by a VMProtect-ed loader, usually named PortableDeviceApi.dll or WptsExtensions.dll.

LookBack is a RAT written in C++ that relies on a proxy communication tool to relay data from the infected host to the command-and-control server (C2). The malware has capabilities to view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

LookBack is comprised of several components, including a C2 proxy tool, a malware loader, a communications module to create the C2 channel with the GUP proxy tool, and a RAT component to decode the initial beacon response received from the GUP proxy tool.

JollyFrog

The third and final team of TA410, JollyFrog, targets organizations in education, religion, and the military as well as those with diplomatic missions, researchers found. Rather than use custom tools, the group exclusively uses generic, off-the-shelf malware from known families QuasarRAT and Korplug, aka PlugX.

Quasar RAT is a full-featured backdoor freely available on GitHub and is a popular tool used by cyberespionage and cybercrime threat actors, researchers said. It’s been previously used in a phishing campaign targeting companies with fake job-seeker Microsoft Word resumes and a 2019 APT10 malicious cyber campaign against government and private organizations in Southeast Asia.

Korplug is a backdoor that that also has been used for years by various cyberespionage groups and remains a popular tool. Last month, China’s Mustang Panda/TA416/RedDelta used Korplug in an espionage campaign against diplomatic missions, research entities and internet service providers (ISPs) in and around Southeast Asia.

TA410 typically deploys Korplug as a RARSFX archive, generally named m.exe and containing three files: qrt.dll, acustom loader; qrtfix.exe, a legitimate signed application from F-Secure, vulnerable to DLL search-order hijacking; and qrt.dll.usb: the Korplug shellcode.

“The loader allocates memory using VirtualAlloc and copies the content of qrt.dll.usb there,” researchers explained. “Then it jumps right into the shellcode that will decompress and load the Korplug payload.”

Updated Version of FlowCloud

ESET researchers also took a look under the hood of an updated version of FlowCloud currently being used by TA410.

FlowCloud is a complex implant written in C++ comprised of three main components—a rootkit functionality, a simple persistence module and a custom backdoor–deployed in a multistage process that uses various obfuscation and encryption techniques to hinder analysis.

While Proofpoint researchers previously analyzed FlowCloud versions 4.1.3 and 5.0.1, TA410 is now using FlowCloud versions 5.0.2 and 5.0.3, which have new capabilities, they said.

“Contrary to those previously found, the samples we obtained for version 5.0.2 contain verbose error messages and meticulous logging,” researchers explained.

The new version of the tool now also can perform the following activities:

• Controlling connected microphones and triggering recording when sound levels above a specified threshold volume are detected;
• Monitoring clipboard events to steal clipboard content;
• Monitoring file system events to collect new and modified files; and
• Controlling attached camera devices to take pictures of the compromised computer’s surroundings.