Malicious attacks targeting the United States utilities sector last year were observed employing a previously unknown malware family that allows hacke
Malicious attacks targeting the United States utilities sector last year were observed employing a previously unknown malware family that allows hackers to take over compromised systems, Proofpoint reports.
Dubbed FlowCloud, the remote access Trojan (RAT) was used by the same threat actor that used the LookBack malware in campaigns targeting U.S. utilities providers last year. In fact, it appears that the adversary used both malware families in different campaigns running at the same time.
The fact that both FlowCloud and LookBack are operated by the same threat actor, referred to as TA410, was evidenced by common attachment macros and malware installation techniques, as well as overlapping delivery infrastructure identified in an analysis of phishing campaigns carried out between July and November 2019.
“Both the FlowCloud and LookBack campaigns targeted utility providers in the United States. Both used training and certification-themed lures. And both used threat actor-controlled domains for delivery. In some cases, both FlowCloud and LookBack campaigns targeted not only the same companies but also the same recipients,” Proofpoint explains.
FlowCloud includes the ability to access installed applications, files, services, and processes, as well as the keyboard, mouse, and user’s screen. Moreover, it can exfiltrate data to its command and control (C&C) server.
As part of campaigns observed between July and September 2019, the attackers used portable executable (PE) attachments and subject lines such as “PowerSafe energy educational courses (30-days trial)” to deliver the FlowCloud malware.
In November, the threat actor changed delivery tactics, adopting Microsoft Word documents carrying malicious macros instead. These resembled the delivery and installation macros used in LookBack malware campaigns. The email messages delivering them were also similar.
FlowCloud is a multi-stage payload that provides functionality based on available commands. The malware appears to have been in use since at least July 2016 and Proofpoint believes that it might have been used in attacks in Asia before being employed in the targeting of the U.S. utilities sector.
The malware, which appears to have been under development for numerous years, is compatible not only with recent Windows iterations, but also with older versions of Microsoft’s platform, such as Windows Vista and prior.
Proofpoint also discovered that FlowCloud handles configuration updates, file exfiltration, and commands as independent threads and that it uses a custom binary C&C protocol.
While investigating the attacks, the security researchers identified numerous similarities with China-linked APT10 campaigns, but they believe that TA410 might have used publicly disclosed information on APT10’s activity to plant false flags.
“All observed TA429 (APT10) similarities and indicators of compromise were available publicly prior to the start of TA410 campaigns. Therefore, while not conclusive from current analysis, the possibility remains that these overlaps represent false flag activity by the TA410 threat actor,” Proofpoint notes.
The threat actor, the researchers note, is also investing into evolving phishing tactics to increase the effectiveness of their campaigns. TA410 appears to be an established entity with mature toolsets, capable of carrying out long term campaigns against highly important targets.