The APT known as TA410 has added a modular remote-access trojan (RAT) to its espionage arsenal, deployed against Windows targets in the United States’ utilities sector.
According to researchers at Proofpoint, the RAT, called FlowCloud, can access installed applications and control the keyboard, mouse, screen, files, services and processes of an infected computer, with the ability to exfiltrate information to a command-and-control (C2) provider. It appears to be related to previous attacks delivering the LookBack malware.
The RAT first scurried onto the scene last summer as part of a spear-phishing campaign. Utility providers received training- and certification-related emails with subject lines such as “PowerSafe energy educational courses (30-days trial),” containing portable executable (PE) attachments, according to a Monday Proofpoint analysis.
To make the effort more convincing, the threat actor-controlled domains that delivered the emails impersonated energy-sector training services, and used subdomains which contained the word “engineer.”
After this rash of warm-season attacks, starting in November the operators shifted their approach from using PE attachments to attaching Microsoft Word documents containing malicious macros. The content of the emails in the November campaigns impersonated the American Society of Civil Engineers and masqueraded as the legitimate domain asce[.]org, researchers said.
The FlowCloud malware, named after distinctive program database (PDB) paths observed in the malware’s components, has a multi-stage payload composed of a large code base written in C++, researchers said.
“The code demonstrates a level of complexity including numerous components, extensive object-oriented programming and use of legitimate and imitation QQ files for initial and later-stage execution,” according to Proofpoint. “We found further imitation of QQ components in several modules used throughout FlowCloud execution.” QQ is Tencent’s instant messaging platform, widely used in China.
The malware begins its delivery with the execution of a file called Gup.exe by the malicious macro, which in turn executes a file called “EhStorAuthn.exe.” EhStorAuthn.exe goes on to extract and install the subsequent payload file components, and sets registry key values that store the keylogger drivers and the malware’s configuration.
“EhStorAuthn.exe is a legitimate portable executable file used by QQ with the initial name QQSetupEx.exe,” explained the researchers. “This file is used to load the file dlcore.dll as part of its natural downloader routine. Dlcore.dll is a DLL crafted by the threat actors that functions as a shellcode injector pulling the shellcode from a file named rebare.dat. This file imitates a legitimate QQ component.”
When the shellcode within rebare.dat is executed, it in turn executes a RAT installer file named rescure.dat, according to the analysis. This is an XOR-encrypted DLL file that installs a custom application, responsor.dat, which installs the keylogger driver and manages the RAT functionality. It also starts the RAT when the rescure.dat function “startModule” is called.
In terms of C2 communication, Proofpoint’s analysis revealed that the FlowCloud malware handles configuration updates, file exfiltration and commands all as independent threads using a custom protocol.
“We identified these independent threads as part of an extensive command-handling functionality with distinct command managers existing for each command,” according to the firm. “The sample we analyzed utilized port 55555 for file exfiltration and port 55556 for all other data. We identified FlowCloud communication with the IP 188.131.233[.]27. The requests and responses are composed of multiple encrypted headers (using XORs and RORs) and TEA encrypted data using a key generation scheme involving a hardcoded string of random characters and MD5 hashing. The plaintext data is compressed using ZLIB and serialized using Google’s Protocol Buffers.”
Timestamps in various components indicate that FlowCloud has been around since at least July 2016, and Proofpoint also found a 32-bit module that is only compatible with Windows Vista and below, suggesting even earlier development.
“The dated nature of this binary coupled with the extensible nature of the malware code suggests that the FlowCloud code base has been under development for numerous years,” the analysts wrote, adding that “development of this malware around legitimate QQ files and the identification of malware samples uploaded to VirusTotal from Japan in December 2018 and earlier this year from Taiwan indicate that the malware may have been active for some time in Asia prior to its appearance targeting the U.S. utilities sector.”
Overlap with LookBack and APT10
Several campaigns delivering the LookBack malware were aimed at U.S. utilities over last summer and the fall as well, and, based on shared attachment macros, identical malware installation techniques and overlapping delivery infrastructure, Proofpoint believes the LookBack and FlowCloud malware can be attributed to a single threat actor, TA410.
For instance, TA410 started using the sender domain asce[.]email to deliver malicious FlowCloud attachments in November. This domain was first observed in June, however, registered to an IP address that had been used as a staging and reconnaissance IP in previous LookBack campaigns.
Identical to the methodology used with LookBack, the FlowCloud macro also used privacy-enhanced mail (.pem) files which were subsequently renamed to the text file called pense1.txt. “This file is next saved as a portable executable file named Gup.exe and executed using a version of the certutil.exe tool named Temptcm.tmp,” explained the researchers.
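The delivery chain described above (renamed certutil producing Gup.exe, Gup.exe launching the QQ-derived EhStorAuthn.exe) and the C2 ports named in Proofpoint’s analysis lend themselves to simple endpoint detection rules. The following is an added example, not code from the article or from Proofpoint; it runs a few such rules over constructed Sysmon-style process-creation and network events (field names follow Sysmon’s, all values are made up), and the 55555/55556 port rule is only as durable as the one sample it came from.

```python
import ntpath

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect).
# Values are invented to mirror the chain reported by Proofpoint; they are not real telemetry.
SAMPLE_EVENTS = [
    {"event": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\Temptcm.tmp",
     "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\Gup.exe",
     "OriginalFileName": "Gup.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\EhStorAuthn.exe",
     "OriginalFileName": "QQSetupEx.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Gup.exe"},
    # Which process makes the C2 connection is a constructed choice here.
    {"event": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\EhStorAuthn.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 55556},
    # Benign controls: genuine certutil from System32, and ordinary HTTPS traffic.
    {"event": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"event": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
FLOWCLOUD_PORTS = {55555, 55556}  # ports used by the sample Proofpoint analyzed


def basename(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, image) findings for events matching FlowCloud delivery-chain patterns."""
    findings = []
    for ev in events:
        img = basename(ev["Image"])
        if ev["event"] == 1:
            parent = basename(ev["ParentImage"])
            orig = ev.get("OriginalFileName", "").lower()
            # Rule 1: certutil executing under another file name (Temptcm.tmp in the reported chain).
            if orig == "certutil.exe" and img != "certutil.exe":
                findings.append(("renamed_certutil", img))
            # Rule 2: an Office application spawning a binary with a non-executable extension.
            if parent in OFFICE_APPS and not img.endswith(".exe"):
                findings.append(("office_spawns_odd_extension", img))
            # Rule 3: the Gup.exe -> EhStorAuthn.exe hand-off.
            if img == "ehstorauthn.exe" and parent == "gup.exe":
                findings.append(("gup_to_ehstorauthn", img))
        elif ev["event"] == 3 and ev["DestinationPort"] in FLOWCLOUD_PORTS:
            # Rule 4: outbound traffic on the C2 ports from the analyzed sample.
            findings.append(("flowcloud_c2_port", img))
    return findings
```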
The victimology also lines up: Both the FlowCloud and LookBack campaigns targeted utility providers in the United States, with training- and certification-themed lures. Proofpoint found that in some cases, both FlowCloud and LookBack campaigns targeted not only the same companies but also the same individual recipients.
“The convergence of LookBack and FlowCloud malware campaigns in November 2019 demonstrates the capabilities of TA410 actors to distinctly utilize multiple tools as part of a single ongoing campaign against U.S. utilities providers,” according to Proofpoint. “Both malware families demonstrate a level of sophistication in their conception and development…TA410 operators demonstrate a willingness to dynamically evolve phishing tactics to increase the effectiveness of their campaigns and a keen eye towards plausible social engineering within a very select targeted sector.”
There’s also evidence that TA410 could be related to another threat actor, APT10 (a.k.a. Stone Panda or TA429), though the evidence, researchers admitted, could be false flags meant to throw off any attribution attempts.
“Our analysis found similarities between TA410 and TA429 (APT10) delivery tactics,” explained Proofpoint researchers. “Specifically, we have seen attachment macros that are common to both actors. TA410 campaigns detected in November 2019 included TA429 (APT10)-related infrastructure used in phishing attachment delivery macros.”
Specifically, the initial FlowCloud macro seen in November contains a “try…catch” statement: the try block first attempts to download the FlowCloud payload from a Dropbox URL, and if that fails, a nearly identical catch block attempts to retrieve a malware resource from a second URL.
That second URL was linked in previous research from enSilo to the Chinese-language threat group APT10. That group used the URL to deliver a modified Quasar RAT payload which included the addition of SharpSploit, an open-source post-exploitation tool, Proofpoint researchers said.
“Publications by FireEye and EnSilo regarding TA429 (APT10) campaigns contain indicators that later appeared in TA410 campaigns,” the analysts added. “In our retrospective analysis of that research, we determined that TA429 (APT10) used phishing macros that were later seen being used by LookBack and FlowCloud malware.”
That said, Proofpoint noted that APT10’s techniques are well publicized, so their reuse may be an attempt by the threat actors to plant a false flag.
“For this reason, while research is ongoing, we do not attribute LookBack and FlowCloud campaigns to TA429 (APT10),” analysts wrote. “Proofpoint currently tracks TA429 (APT10) independently of TA410 campaigns.”