The electric grid is so important to any country’s national security and thus the high importance of keeping the electricity flowing. Even an outage of only a few minutes can wreak havoc on any residence or business. Cyber attackers responsible for distributing LookBack malware are targeting US utility providers with a new threat called “FlowCloud.” The FlowCloud modular remote-access trojan (RAT) has similarities and connections to the LookBack malware. The LookBack at its core is a remote access Trojan, one written in C++ that relies upon a proxy communication tool to send off data on infected hosts. The APT known as TA410 has added a modular remote-access trojan (RAT) to its espionage weapon store, deployed against Windows targets in the US’ energy sector, specifically the utilities industry.
Analysts found similarities between TA410 and TA429 (APT10) delivery tactics. Specifically, they have noticed attachment macros that are common to both actors. TA410 campaigns detected in November 2019 included TA429 (APT10)-related infrastructure used in phishing attachment delivery macros. The intentional reuse of well-publicized TA429 (APT10) techniques and infrastructure may be an attempt by threat actors to create a false flag operation. For this reason, while research is ongoing, they do not positively attribute LookBack and FlowCloud campaigns to TA429 (APT10).
According to researchers at Proofpoint, the RAT called FlowCloud, can access installed applications and control the keyboard, mouse, screen, files, services and processes of an infected computer, with the ability to exfiltrate information to a command-and-control (C2) provider. It appears to be related to previous attacks delivering the LookBack malware. The RAT was first observed during the summer of 2019 as part of a spear-phishing campaign. Utility providers received training and certification related emails with subject lines such as “PowerSafe energy educational courses (30-days trial),” containing portable executable (PE) attachments. To make their effort more convincing, the threat actor-controlled domains that delivered the emails impersonated energy-sector training services, and used subdomains which contained the word “engineer.” Beginning in November 2019, the operators shifted their approach from using PE attachments to attaching Microsoft Word documents containing malicious macros. The content of the emails in these campaigns impersonated the American Society of Civil Engineers and masqueraded as the legitimate domain asce[.]org, researchers said.
The FlowCloud malware, named after distinctive program database (PDB) paths observed in the malware’s components, has a multi-stage payload comprised of a large code base written in C++. “The code demonstrates a level of complexity including numerous components, extensive object-oriented programming and use of legitimate and imitation QQ files for initial and later-stage execution,” according to Proofpoint. Analysts found further imitation of QQ components in several modules used throughout FlowCloud execution. QQ is Tencent’s instant messaging platform, widely used in China.
The malware begins its delivery with the execution of a file called Gup.exe by the malicious macro, which in turn executes a file called “EhStorAuthn.exe.” EhStorAuthn.exe proceeds to extract and install the subsequent payload file components, and sets registry key values that store the keylogger drivers and the malware’s configuration. EhStorAuthn.exe is a legitimate portable executable file used by QQ with the initial name QQSetupEx.exe. “This file is used to load the file dlcore.dll as part of its natural downloader routine. Dlcore.dll is a DLL crafted by the threat actors that functions as a shellcode injector pulling the shellcode from a file named rebare.dat. This file imitates a legitimate QQ component,” explained researchers. When the shellcode within rebare.dat is executed, it executes a RAT installer file named rescure.dat. This is a XOR-encrypted DLL file that installs a custom application, responsor.dat, which installs the keylogger driver and manages the RAT functionality. It also starts the RAT when the rescure.dat function “startModule” is called.
In terms of C2 communication, Proofpoint’s analysis revealed that the FlowCloud malware handles configuration updates, file exfiltration and commands all as independent threads using a custom protocol. “We identified these independent threads as part of an extensive command-handling functionality with distinct command managers existing for each command,” shared by ProofPoint. “The sample we analyzed utilized port 55555 for file exfiltration and port 55556 for all other data. We identified FlowCloud communication with the IP 188.131.233[.]27. The requests and responses are composed of multiple encrypted headers (using XORs and RORs) and TEA encrypted data using a key generation scheme involving a hardcoded string of random characters and MD5 hashing. The plaintext data is compressed using ZLIB and serialized using Google’s Protocol Buffers.” Timestamps in various components indicate that FlowCloud been around since at least July 2016; and, Proofpoint found a 32-bit module that’s only compatible with Windows Vista and below, suggesting earlier development.
The dated nature of this binary coupled with the extensible nature of the malware code suggests that the FlowCloud code base has been under development for numerous years and the development of this malware around legitimate QQ files and the identification of malware samples uploaded to VirusTotal from Japan in December 2018 and earlier this year from Taiwan indicate that the malware may have been active for some time in Asia prior to its appearance targeting the US utilities industry.
Several campaigns delivering the LookBack malware were aimed at US utilities over summer and the fall of 2019 as well, and, based on shared attachment macros, identical malware installation techniques and overlapping delivery infrastructure, Proofpoint believes the LookBack and FlowCloud malware can be attributed to a single threat actor, TA410. TA410 started using sender domain asce[.]email to deliver malicious FlowCloud attachments in November 2019. This domain was first observed in June 2019, however, registered to an IP address that was used as a staging and reconnaissance IP in previous LookBack campaigns. Identical to the methodology used with LookBack, the FlowCloud macro also used privacy-enhanced mail (.pem) files which were subsequently renamed to the text file called pense1.txt. This file is next saved as a portable executable file named Gup.exe and executed using a version of the certutil.exe tool named Temptcm.tmp.
The victimology is common too: Both the FlowCloud and LookBack campaigns targeted utility providers in the US, with training and certification themed lures. Proofpoint found that in some cases, both FlowCloud and LookBack campaigns targeted not only the same companies but also the same individual recipients. The coming together of LookBack and FlowCloud malware campaigns in November 2019 demonstrates the capabilities of TA410 actors to distinctly utilize multiple tools as part of a single ongoing campaign targeting against US utilities providers. Both malware families demonstrate a level of sophistication in their conception and development. These bad actors demonstrate a willingness to dynamically evolve phishing tactics to increase the effectiveness of their campaigns and possess a sharp eye towards plausible social engineering within a very select targeted industry.
There is also evidence that TA410 could be related to another threat actor, APT10 (a.k.a. Stone Panda or TA429), though the evidence, researchers admitted, could be false flags meant to throw off any attribution attempts. Proofpoint’s analysis discovered similarities between and TA429 (APT10) delivery tactics. Specifically, analysts observe attachment macros that are common to both actors. TA410 campaigns detected in November 2019 included TA429 (APT10) related infrastructure used in phishing attachment delivery macros. Specifically, the initial FlowCloud macro seen in November 2019 contains a “try…catch” statement which initially attempts to download the FlowCloud payload from the Dropbox URL as part of the try statement. But, if it was unable to retrieve the payload from that resource, a catch statement which was nearly identical to the try statement attempted to retrieve a malware resource from another URL.
This URL was linked in previous research from enSilo to the Chinese-language threat group APT10. That group used the URL to deliver a modified Quasar RAT payload which included the addition of SharpSploit, an opensource post-exploitation tool. “Publications by FireEye and EnSilo regarding TA429 (APT10) campaigns contain indicators that later appeared in TA410 campaigns,” the analysts added. “In our retrospective analysis of that research, we determined that TA429 (APT10) used phishing macros that were later seen being used by LookBack and FlowCloud malware.” Researchers shared that APT10’s techniques are fairly well publicized, so analysts believe that using them may be an attempt by threat actors to create a false flag. “For this reason, while research is ongoing, we do not attribute LookBack and FlowCloud campaigns to TA429 (APT10),” analysts wrote. “Proofpoint currently tracks TA429 (APT10) independently of TA410 campaigns.”
So what can you do to better protect your organization today and keep the lights on?
- Proper data back-up and off-site storage policies should be adopted and followed.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Phishing is normally the first step in a broader attack campaign.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- RedXray customers can receive up to $100,000 in ransomware coverage at no additional expense to them.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is in New Boston, NH USA and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email firstname.lastname@example.org