Unknown hackers infiltrated the geo-politically sensitive U.S. energy sector last year, toting malware capable of fully commandeering and controlling infected systems, a recent report said.
Proofpoint researchers pinpointed the newly discovered remote access trojan (RAT), which they dubbed FlowCloud, as part of a dual phishing campaign aimed at unnamed utilities that ran for five months beginning in July 2019. The same crew behind the LookBack attacks, launched from July to August 2019, may have also run FlowCloud, suggesting that one threat actor could have conducted both strikes in tandem.
“FlowCloud malware, like LookBack, gives attackers complete control over a compromised system,” the researchers wrote in a new blog post. “Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command and control.”
The structure of FlowCloud phishing is similar to the LookBack delivery emails, which were constructed to impersonate the National Council of Examiners for Engineering and Surveying (NCEES) and Global Energy Certification organizations. Proofpoint analysts believe that both the LookBack and FlowCloud operations were probably the work of the threat actor TA410, based on shared attachment macros, malware installation techniques, and overlapping delivery infrastructure.
In addition, both campaigns used training and certification services as decoys, deployed threat actor-controlled domains for delivery, used subdomains containing the word “engineer,” and in some cases targeted not only the same companies but also the same recipients. FlowCloud’s payload was initially delivered through portable executable (PE) attachments. In November 2019 the hackers switched to attached Microsoft Word files with malicious macros, impersonating the American Society of Civil Engineers and masquerading as the legitimate domain asce.org.
TA410 may also be engaged in misdirection to cloak its digital footsteps. “Intentional reuse of well-publicized TA429 techniques and infrastructure may be an attempt by threat actors to create a false flag,” Proofpoint said. At this point, the researchers do not attribute the LookBack and FlowCloud campaigns to TA429 and, in fact, track TA410 independently of TA429.
The convergence of both campaigns in November 2019 shows that TA410 actors are capable of using multiple tools to execute a single ongoing campaign against U.S. utility providers, Proofpoint said. “The attackers have potentially tried to pose as another hacking group, named TA429, by including the http://ffca.caibi379com/rwjh/qtinfo.txt URL as an alternate download server, a URL known from publicly reported indicators of compromise lists as an APT10 malware delivery server,” Proofpoint said.
“TA410 has established itself as a motivated actor with mature toolsets carrying out long term campaigns against highly important and geographically concentrated target sets,” the researchers said.