U.S. energy providers were targeted by spear-phishing campaigns delivering a new remote access trojan (RAT) capable of providing attackers with full control over infected systems.
The attacks took place between July and November 2019, and the threat actor behind them, tracked as TA410 by the Proofpoint researchers who spotted the campaigns, used portable executable (PE) attachments and macro-laden Microsoft Word documents to deliver the malicious payload.
The malware dubbed FlowCloud is a full-fledged RAT that gives the TA410 operators total control over compromised devices, as well as the capability to harvest and exfiltrate information to attacker-controlled servers.
The FlowCloud campaigns pushed the RAT payload using PE attachments between July and September 2019, and switched to Microsoft Word documents with malicious macros in November 2019.
Phishing emails delivered by the November 2019 spear-phishing campaigns impersonated the American Society of Civil Engineers (ASCE) and they spoofed the legitimate asce[.]org domain.
To deliver the RAT payload, the TA410 operators' malicious macro downloaded it from a Dropbox URL and saved the FlowCloud PE, disguised as a .pem file, under the "Pense1.txt" variable.
The attackers may also have tried to pose as another hacking group, namely TA429 (APT10), by including the http://ffca.caibi379[.]com/rwjh/qtinfo.txt URL as an alternate download server, a URL known from publicly reported indicator-of-compromise lists as an APT10 malware delivery server.
"[W]hile not conclusive from current analysis, the possibility remains that these overlaps represent false flag activity by the TA410 threat actor," Proofpoint says.
"The possibility remains that these overlaps represent intentional false flag efforts to cloak the identity of these perpetrators while they targeted a critical and geo-politically sensitive sector of energy providers in the US."
Based on the attackers' "use of shared attachment macros, malware installation techniques, and overlapping delivery infrastructure," the Proofpoint researchers concluded that the phishing campaigns between July and November 2019 delivering LookBack and FlowCloud malware can both be attributed to the TA410 threat actor.
For instance, TA410 started using the sender domain asce[.]email to deliver malicious attachments that downloaded FlowCloud payloads, a domain first observed in June 2019 while being used for staging and reconnaissance as part of LookBack campaigns.
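A defender-side check for the two indicators this article gives, the lookalike sender domain asce[.]email impersonating asce[.]org and the reported alternate download host, as an added Python example that is not code from Proofpoint's report; the mail-gateway log format and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Organizations impersonated by the lures described above; a sender domain that
# reuses the org's label under another TLD (asce.email vs asce.org) is a lookalike.
IMPERSONATED_ORGS = {"asce.org"}
# Alternate FlowCloud download server named in the report (refanged from the article).
KNOWN_DELIVERY_HOSTS = {"ffca.caibi379.com"}

# Constructed (hypothetical) gateway log format: ... from=<addr> ... url=<link>
LOG_RE = re.compile(r"from=<[^@>]+@(?P<sender>[^>]+)>.*?\burl=(?P<url>\S+)")

def org_label(domain):
    """Second-level label of a domain, e.g. 'asce' for asce.org or asce.email."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def sender_findings(sender):
    sender = sender.lower()
    for org in IMPERSONATED_ORGS:
        if sender == org or sender.endswith("." + org):
            return []  # genuine org domain; authenticity is for SPF/DKIM to settle
        if org_label(sender) == org_label(org):
            return [f"lookalike sender {sender} mimics {org}"]
    return []

def url_findings(url):
    host = (urlsplit(url).hostname or "").lower()
    return [f"known delivery host {host}"] if host in KNOWN_DELIVERY_HOSTS else []

def scan(lines):
    """Return {line_no: [findings]} for log lines matching any indicator."""
    hits = {}
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = sender_findings(m["sender"]) + url_findings(m["url"])
        if findings:
            hits[n] = findings
    return hits

# Constructed sample log: one benign line, two matching the article's indicators.
SAMPLE_LOG = [
    "2019-11-05 from=<news@asce.org> url=https://www.asce.org/newsletter",
    "2019-11-05 from=<registration@asce.email> url=https://www.dropbox.com/s/EXAMPLE/attachment",
    "2019-11-06 from=<registration@asce.email> url=http://ffca.caibi379.com/rwjh/qtinfo.txt",
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        print(n, "; ".join(findings))
```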
Additionally, the structure of the FlowCloud phishing emails is very similar to the one used in LookBack emails that impersonated the U.S. National Council of Examiners for Engineering and Surveying (NCEES) and Global Energy Certification (GEC) organizations during July 2019.
TA410's LookBack campaigns also targeted U.S. utility providers between April 5 and August 29, updating tactics, techniques, and procedures (TTPs) midway by switching from failed exam alerts to exam invitations.
More details on the FlowCloud campaigns and a full list of indicators of compromise (IOCs), including malware sample hashes, command and control server IP addresses, and phishing domains, are available at the end of Proofpoint's report.