“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
TA410 APT is a cyberespionage threat group. According to researchers at Proofpoint, they added a modular RAT (Remote Access Trojan) to its toolset and deployed it against the U.S. utilities sector. In Proofpoint’s profile of a 2019 campaign, TA410 was also observed targeting utilities with this previously undiscovered RAT. Utilities were also targeted by LookBack malware at relatively the same time over the second half of 2019.
The newly-identified modular FlowCloud RAT is capable of accessing device applications, and controlling services/processes of an infected computer. It also exfiltrates data via its Command and Control center. Both FlowCloud and LookBack were delivered via malicious documents with embedded macros.
Additionally, there are similarities between the infrastructure and tactics used between the two pieces of malware. While there is some overlap between the indicators of this TA410 campaign and those from campaigns associated with Stone Panda (aka APT10, TA429), Proofpoint is hesitant to link the two since Stone Panda’s TTPs are widely circulated and TA410 may be employing them as false flag operations.