A cyberespionage threat actor who targets critical infrastructure in Africa, Middle East and America has been seen using an updated version of a remote-access trojan that can steal information.
Calling TA410 an umbrella group comprised of three teams dubbed FlowingFrog, LookingFrog and JollyFrog, Slovak cybersecurity firm ESET assessed that “these subgroups operate somewhat independently, but that they may share intelligence requirements, an access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure.”
TA410 — said to share behavioral and tooling overlaps with APT10 (aka Stone Panda or TA429) — has a history of targeting U.S.-based organizations in the utilities sector as well as diplomatic entities in the Middle East and Africa.
Other victims of the hacker group include a Japanese manufacturing business, an Indian mining company, and a charity in Israel. There were also unnamed victims within the military and education verticals.
TA410 was first documented by Proofpoint in August 2019 when the threat actor unleashed phishing campaigns containing macro-laden documents to compromise utility providers across the U.S. with a modular malware called LookBack.
Nearly a decade later, the group delivered a new backdoor codenamed FlowCloud to U.S. utility providers. Proofpoint described it as malware giving attackers full control of infected systems.
“Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command-and-control,” the company noted in June 2020.
Industrial cybersecurity firm Dragos, which tracks the activity group under the moniker TALONITE, pointed out the group’s penchant for blending techniques and tactics in order to ensure a successful intrusion.
“TALONITE focuses on subverting and taking advantage of trust with phishing lures focusing on engineering-specific themes and concepts, malware that abuses otherwise legitimate binaries or modifies such binaries to include additional functionality, and a combination of owned and compromised network infrastructure,” Dragos said in April 2021.
ESET's investigation into the hacker crew's methods and toolset revealed a new version of FlowCloud that can record audio with the computer's microphone, monitor clipboard events, control attached camera devices, and take photos.
Specifically, the audio recording function is designed to be automatically triggered when sound levels near the compromised computer cross a 65-decibel threshold.
TA410 is also known to take advantage of both spear-phishing and vulnerable internet-facing applications such as Microsoft Exchange, SharePoint, and SQL Servers to gain initial access.
“This indicates to us that their victims are targeted specifically, with the attackers choosing which entry method has the best chance of infiltrating the target,” ESET malware researcher Alexandre Cote Cyr said.
Each team within the TA410 umbrella is said to use different toolsets. While JollyFrog relies on off-the-shelf malware such as QuasarRAT and Korplug (aka PlugX), LookingFrog uses X4, a barebones implant, and LookBack.
FlowingFrog, in contrast, employs a downloader called Tendyron that’s delivered by means of the Royal Road RTF weaponizer, using it to download FlowCloud as well as a second backdoor, which is based on Gh0stRAT (aka Farfli).
“TA410 is a cyberespionage umbrella targeting high-profile entities such as governments and universities worldwide,” ESET said. “Even though the JollyFrog team uses generic tools, FlowingFrog and LookingFrog have access to complex implants such as FlowCloud and LookBack.”