A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information stealing capabilities.
Calling TA410 an umbrella group comprised of three teams dubbed FlowingFrog, LookingFrog, and JollyFrog, Slovak cybersecurity firm ESET assessed that “these subgroups operate somewhat independently, but that they may share intelligence requirements, an access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure.”
TA410 — said to share behavioral and tooling overlaps with APT10 (aka Stone Panda or TA429) — has a history of targeting U.S.-based organizations in the utilities sector as well as diplomatic entities in the Middle East and Africa.
Other identified victims of the hacker collective include a manufacturing company in Japan, a mining business in India, and a charity in Israel, in addition to unnamed victims in the education and military verticals.
TA410 was first documented by Proofpoint in August 2019 when the threat actor unleashed phishing campaigns containing macro-laden documents to compromise utility providers across the U.S. with a modular malware called LookBack.
Nearly a year later, the group returned with a new backdoor codenamed FlowCloud, also delivered to U.S. utilities providers, that Proofpoint described as malware that gives attackers complete control over infected systems.
“Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command-and-control,” the company noted in June 2020.
Industrial cybersecurity firm Dragos, which tracks the activity group under the moniker TALONITE, pointed out the adversary’s penchant for blending techniques and tactics in order to ensure a successful intrusion.
“TALONITE focuses on subverting and taking advantage of trust with phishing lures focusing on engineering-specific themes and concepts, malware that abuses otherwise legitimate binaries or modifies such binaries to include additional functionality, and a combination of owned and compromised network infrastructure,” Dragos said in April 2021.
ESET’s investigation into the hacking crew’s modus operandi and toolset has shed light on a new version of FlowCloud, which comes with the ability to record audio using a computer’s microphone, monitor clipboard events, and control attached camera devices to take pictures.
Specifically, the audio recording function is designed to be automatically triggered when sound levels near the compromised computer cross a 65-decibel threshold.
TA410 is also known to take advantage of both spear-phishing and vulnerable internet-facing applications such as Microsoft Exchange, SharePoint, and SQL Servers to gain initial access.
“This indicates to us that their victims are targeted specifically, with the attackers choosing which entry method has the best chance of infiltrating the target,” ESET malware researcher Alexandre Côté Cyr said.
Each team within the TA410 umbrella is said to use different toolsets. While JollyFrog relies on off-the-shelf malware such as QuasarRAT and Korplug (aka PlugX), LookingFrog uses X4, a barebones implant with remote control features, and LookBack.
FlowingFrog, in contrast, employs a downloader called Tendyron that’s delivered by means of the Royal Road RTF weaponizer, using it to download FlowCloud as well as a second backdoor, which is based on Gh0stRAT (aka Farfli).
“TA410 is a cyberespionage umbrella targeting high-profile entities such as governments and universities worldwide,” ESET said. “Even though the JollyFrog team uses generic tools, FlowingFrog and LookingFrog have access to complex implants such as FlowCloud and LookBack.”