The FlowCloud modular remote-access trojan (RAT) has overlapped with the LookBack malware.
There’s a RAT in the system. The RAT came to light last summer as part of a spear-phishing campaign, and researchers at Proofpoint have since noticed similarities between the attack methods of the FlowCloud and LookBack malware.
The APT group TA410 has a new addition to its arsenal: a modular remote-access trojan (RAT).
The FlowCloud malware, named after distinctive program database (PDB) paths observed in the malware’s components, has a multi-stage payload comprised of a large codebase written in C++.
A 32-bit module found in FlowCloud that is only compatible with Windows Vista suggests the malware has been around since 2016.
Analysts wrote, “the dated nature of this binary coupled with the extensible nature of the malware code suggests that the FlowCloud code base has been under development for numerous years. Development of this malware around legitimate QQ files and the identification of malware samples uploaded to VirusTotal from Japan in December 2018 and earlier this year from Taiwan indicate that it may have been active for some time in Asia before its appearance targeting the U.S. utility sector.”
Once a computer is infected with the FlowCloud RAT, access is not limited to software: the malware can reach input and output devices as well as network services and processes.
According to a Monday Proofpoint analysis, “utility providers received training- and certification-related emails with subject lines such as ‘PowerSafe energy educational courses (30-days trial),’ containing portable executable (PE) attachments.” Regarding C2 communication, the analysis found that “FlowCloud malware handles configuration updates, file exfiltration and commands all as independent threads using a custom protocol.”
The scheme was elaborate and convincing: the threat actors customized the domain and subdomains to mimic an engineering platform.
Researchers said the operators executed a series of attacks using the PE attachment, after which they switched to attaching malicious Microsoft Word documents to their emails.
These emails mimicked the American Society of Civil Engineers and masqueraded as the legitimate domain asce[.]org.
The malware is built around Tencent’s QQ instant-messaging platform: “the code demonstrates a level of complexity including numerous components, extensive object-oriented programming and use of legitimate and imitation QQ files for initial and later-stage execution,” according to Proofpoint. “We found further imitation of QQ components in several modules used throughout FlowCloud execution.”
Researchers explained, “EhStorAuthn.exe is a legitimate portable executable file used by QQ with the initial name QQSetupEx.exe. This file is used to load the file dlcore.dll as part of its original downloader routine. Dlcore.dll is a DLL crafted by the threat actors that functions as a shellcode injector pulling the shellcode from a file named rebare.dat. This file imitates a legitimate QQ component.”
“We identified these independent threads as part of an extensive command-handling functionality with distinct command managers existing for each command,” according to the firm. “The sample we analyzed utilized port 55555 for file exfiltration and port 55556 for all other data. We identified FlowCloud communication with the IP 188.131.233[.]27. The requests and responses are composed of multiple encrypted headers (using XORs and RORs) and TEA encrypted data using a key generation scheme involving a hardcoded string of random characters and MD5 hashing. The plaintext data is compressed using ZLIB and serialized using Google’s Protocol Buffers.”
Overlap with LookBack and APT10
The components and attack methods of LookBack and FlowCloud are similar, which lends credence to the theory that both sets of attacks are operated by a single group, TA410.
A comparison between the attacks has left little room for doubt.
The sender domain asce[.]email, employed by TA410 in the November attacks, had first been associated with a LookBack staging campaign in June.
“Identical to the methodology used with LookBack, the FlowCloud macro also used privacy-enhanced mail (.pem) files which were subsequently renamed to the text file called pense1.txt. This file is next saved as a portable executable file named Gup.exe and executed using a version of the certutil.exe tool named Temptcm.tmp,” explained the researchers.
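The indicators quoted in this article (the C2 address and ports, the renamed certutil.exe drop chain, and the EhStorAuthn.exe/dlcore.dll side-load) are enough to write a small triage pass over endpoint and network telemetry. The following is an added example, not Proofpoint's code or tooling: the event records are constructed here, their field names follow Sysmon conventions (Image, OriginalFileName, CommandLine, ImageLoaded), and the command line on the renamed certutil event is an assumed shape, not one quoted on the page.

```python
"""Triage constructed telemetry against the FlowCloud indicators quoted in the article.
Example code written for this page, not Proofpoint's; every event below is made up."""
import ipaddress
from pathlib import PureWindowsPath

# Indicators quoted on the page (the IP is defanged there as 188.131.233[.]27).
FLOWCLOUD_C2_IP = "188.131.233.27"
FLOWCLOUD_C2_PORTS = {55555: "file exfiltration", 55556: "other C2 data"}
# File names from the macro drop chain and the QQ-imitating loader described on the page.
DROP_CHAIN_NAMES = ("pense1.txt", "gup.exe", "temptcm.tmp")
SIDELOAD_HOST_EXE, SIDELOAD_DLL = "ehstorauthn.exe", "dlcore.dll"
# RFC 1918 ranges treated as internal; adjust to the monitored environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def check_network(ev):
    """Connection event -> finding or None. An exact IP hit is high confidence; a bare
    port hit to an external host is only a lead, since the ports come from one sample."""
    dst, port = ev.get("dst_ip"), ev.get("dst_port")
    if dst == FLOWCLOUD_C2_IP:
        return {"rule": "flowcloud_c2_ip", "confidence": "high", "host": ev["host"], "detail": f"{dst}:{port}"}
    if port in FLOWCLOUD_C2_PORTS and dst and not _is_internal(dst):
        return {"rule": "flowcloud_c2_port", "confidence": "low", "host": ev["host"],
                "detail": f"{dst}:{port} ({FLOWCLOUD_C2_PORTS[port]})"}
    return None


def check_process(ev):
    """Process-creation event. Sysmon's OriginalFileName is read from the PE version
    resource, so certutil.exe copied to Temptcm.tmp still reports 'CertUtil.exe'."""
    image = _basename(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    if original == "certutil.exe" and image != "certutil.exe":
        return {"rule": "renamed_certutil", "confidence": "high", "host": ev["host"], "detail": image}
    hits = [n for n in DROP_CHAIN_NAMES if n in cmdline]
    if hits:
        return {"rule": "flowcloud_drop_chain_name", "confidence": "medium", "host": ev["host"],
                "detail": ",".join(hits)}
    return None


def check_imageload(ev):
    """Image-load event: the legitimate QQ binary loading the actor-crafted DLL."""
    if _basename(ev.get("Image", "")) == SIDELOAD_HOST_EXE and _basename(ev.get("ImageLoaded", "")) == SIDELOAD_DLL:
        return {"rule": "flowcloud_qq_sideload", "confidence": "high", "host": ev["host"],
                "detail": ev["ImageLoaded"]}
    return None


CHECKS = {"network": check_network, "process": check_process, "imageload": check_imageload}


def triage(events):
    """Run the check matching each event's type; return findings in input order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real captures); the command line is an assumed shape.
SAMPLE_EVENTS = [
    {"type": "network", "host": "ws-01", "dst_ip": "188.131.233.27", "dst_port": 55555},
    {"type": "network", "host": "ws-02", "dst_ip": "10.0.0.5", "dst_port": 55556},     # internal: ignored
    {"type": "network", "host": "ws-03", "dst_ip": "203.0.113.9", "dst_port": 55556},   # external port hit only
    {"type": "process", "host": "ws-01", "Image": r"C:\Users\jdoe\AppData\Local\Temp\Temptcm.tmp",
     "OriginalFileName": "CertUtil.exe", "CommandLine": r"Temptcm.tmp -decode pense1.txt Gup.exe"},
    {"type": "process", "host": "ws-04", "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil.exe -hashfile report.pdf SHA256"},
    {"type": "imageload", "host": "ws-01", "Image": r"C:\ProgramData\EhStorAuthn.exe",
     "ImageLoaded": r"C:\ProgramData\dlcore.dll"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['confidence']:>6}] {f['host']}: {f['rule']} ({f['detail']})")
```

The renamed-certutil rule is the most durable of the three: it keys on a property of the binary (its embedded original file name) rather than on the Temptcm.tmp name, so it survives the actors picking a different file name, while the port-only rule is deliberately scored low because ports are cheap to change between samples.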
Besides their methodology, the victim list is also similar.
Both target utility providers based in the United States, and the overlap extends down to the specific companies and individuals targeted.
According to Proofpoint, “the convergence of LookBack and FlowCloud malware campaigns in November 2019 demonstrates the capabilities of TA410 actors to distinctly utilize multiple tools as part of a single ongoing campaign against the U.S. utility providers. Both malware families demonstrate a level of sophistication in their conception and development. TA410 operators demonstrate a willingness to dynamically evolve phishing tactics to increase the effectiveness of their campaigns and a keen eye towards plausible social engineering within a very select targeted sector.”
TA410 also shares similarities with APT10, though the evidence might be deliberate false flags meant to mislead investigators.
“Our analysis found similarities between TA410 and TA429 (APT10) delivery tactics,” explained Proofpoint researchers. “Specifically, we have seen attachment macros that are common to both actors. TA410 campaigns detected in November 2019 included TA429 (APT10)-related infrastructure used in phishing attachment delivery macros.”
A retrospective analysis carried out by the analysts identified similarities between TA429 and other threat actors. “Publications by FireEye and EnSilo regarding TA429 (APT10) campaigns contain indicators that later appeared in TA410 campaigns. We determined that TA429 (APT10) used phishing macros used by LookBack and FlowCloud malware.”
Because the APT10 methods are public, analysts believe that other actors might be using them as camouflage.
For now, TA429 activity is investigated separately and treated as a distinct operation rather than a variant of TA410.