A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information-stealing capabilities.
Calling TA410 an umbrella group composed of three teams dubbed FlowingFrog, LookingFrog, and JollyFrog, Slovak cybersecurity firm ESET assessed that “these subgroups operate somewhat independently, but that they may share intelligence requirements, an access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure.”
TA410 — said to share behavioral and tooling overlaps with APT10 (aka Stone Panda or TA429) — has a history of targeting U.S.-based organizations in the utility sector as well as diplomatic entities in the Middle East and Africa.
Other identified victims of the hacker collective include a manufacturing company in Japan, a mining business in India, and a charity in Israel, in addition to unnamed victims in the education and military verticals.
TA410 was first documented by Proofpoint in August 2019 when the threat actor unleashed phishing campaigns containing macro-laden documents to compromise utility providers across the U.S. with a modular malware called LookBack.
Nearly a year later, the group returned with a new backdoor codenamed FlowCloud, also delivered to U.S. utility providers, that Proofpoint described as malware that gives attackers complete control over infected systems.
“Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command-and-control,” the company noted in June 2020.
Industrial cybersecurity firm Dragos, which tracks the activity group under the moniker TALONITE, pointed out the adversary’s penchant for blending techniques and tactics in order to ensure a successful intrusion.
“TALONITE focuses on subverting and taking advantage of trust with phishing lures focusing on engineering-specific themes and concepts, malware that abuses otherwise legitimate binaries or modifies such binaries to include additional functionality, and a combination of owned and compromised network infrastructure,” Dragos said in April 2021.
ESET’s investigation into the hacking crew’s modus operandi and toolset has shed light on a new version of FlowCloud, which comes with the ability to record audio using a computer’s microphone, monitor clipboard events, and control attached camera devices to take pictures.
Specifically, the audio recording function is designed to be automatically triggered when sound levels near the compromised computer cross a 65-decibel threshold.
TA410 is also known to take advantage of both spear-phishing and vulnerable internet-facing applications such as Microsoft Exchange.