Espionage Group Hits U.S. Utilities with Sophisticated Spy Tool (Security News, June 2020)
"The dated nature of this binary coupled with the extensible nature of the malware code suggests that the FlowCloud code base has been under development for numerous years," the analysts wrote, adding that "Development of this malware around legitimate QQ files and the identification of malware samples uploaded to VirusTotal from Japan in December 2018 and earlier this year from Taiwan indicate that the malware may have been active for some time in Asia prior to its appearance targeting the U.S. utilities sector."
Several campaigns delivering the LookBack malware were also aimed at U.S. utilities last summer and fall. Based on shared attachment macros, identical malware installation techniques and overlapping delivery infrastructure, Proofpoint attributes both LookBack and FlowCloud to a single threat actor, TA410.
Mirroring the LookBack methodology, the FlowCloud macro also used privacy-enhanced mail (PEM) files, which were then renamed to a text file called pense1.
"This file is next saved as a portable executable file named Gup.exe and executed using a version of the certutil.exe tool named Temptcm.tmp," explained the researchers.
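The decode-and-execute step described above is a classic living-off-the-land pattern: a base64-armored PE is dropped as a PEM "certificate", a renamed copy of certutil.exe decodes it back into an executable, and the result is run. The following is an added example, not code from the article or from Proofpoint: it reproduces the PEM-to-PE decode in Python so the chain can be inspected offline, and runs a simple detection check over constructed process-creation records. The file names pense1.txt, Gup.exe and Temptcm.tmp come from the article; the record layout (Image, OriginalFileName, CommandLine, as Sysmon Event ID 1 exposes them) and the sample events are assumptions, and the decoder only covers the base64 armor case of certutil -decode.

```python
"""Added example (not from the article or Proofpoint).

Part 1 mimics `certutil -encode` / `certutil -decode` to show why a "PEM"
file can carry a PE. Part 2 flags the renamed-certutil decode pattern in
constructed process-creation records shaped like Sysmon Event ID 1.
"""
import base64
import re

# Matches the armor certutil writes/reads; body is captured for decoding.
PEM_RE = re.compile(rb"-----BEGIN [A-Z ]+-----\s*(.*?)\s*-----END [A-Z ]+-----", re.S)

# Constructed stand-in for a PE: only the MZ magic matters for this demo.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"


def wrap_as_pem(payload: bytes) -> bytes:
    """Base64-wrap bytes between CERTIFICATE markers, as `certutil -encode` does."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


def decode_pem(pem: bytes) -> bytes:
    """Strip the armor and base64-decode the body (the `certutil -decode` step)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def looks_like_pe(data: bytes) -> bool:
    """A decoded 'certificate' starting with the MZ DOS header is a PE, not a cert."""
    return data[:2] == b"MZ"


# Constructed events (assumption: Sysmon Event ID 1 field names). Event 1 is the
# article's chain: a certutil copy renamed Temptcm.tmp decoding pense1.txt to Gup.exe.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify C:\certs\corp.cer"},
    {"Image": r"C:\Users\Public\Temptcm.tmp", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"Temptcm.tmp -decode C:\Users\Public\pense1.txt C:\Users\Public\Gup.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -decode C:\Users\Public\pense1.txt C:\Users\Public\Gup.exe"},
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe", "OriginalFileName": "notepad++.exe",
     "CommandLine": "notepad++.exe readme.txt"},
]


def classify(event: dict) -> list:
    """Return the findings for one process-creation record.

    OriginalFileName comes from the PE version resource, so it survives a rename
    on disk; comparing it with the on-disk image name catches Temptcm.tmp.
    """
    findings = []
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event["CommandLine"].lower()
    is_certutil = orig == "certutil.exe"
    if is_certutil and image_name != "certutil.exe":
        findings.append("renamed_certutil")
    if is_certutil and re.search(r"\s-decode(hex)?\b", cmd):
        findings.append("certutil_decode")
        # The output file is the last argument; an executable extension is the tell.
        if re.search(r"\.(exe|dll|scr)$", cmd.rsplit(None, 1)[-1]):
            findings.append("decode_to_executable")
    return findings


def scan(events) -> list:
    """Return (index, findings) for every record that produced at least one finding."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    dropped = wrap_as_pem(FAKE_PE)          # what the macro writes as pense1.txt
    recovered = decode_pem(dropped)         # what certutil -decode produces as Gup.exe
    print("decoded payload is PE:", looks_like_pe(recovered))
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

The renamed-binary check is the one worth keeping: a plain image-name rule misses Temptcm.tmp, while OriginalFileName (or the file's Authenticode signer and version info, for tooling that records them) still identifies the copy as certutil. Event 2 shows the same decode using the real certutil, which is lower confidence but still worth surfacing when the output is an executable.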
"The convergence of LookBack and FlowCloud malware campaigns in November 2019 demonstrates the capabilities of TA410 actors to distinctly utilize multiple tools as part of a single ongoing campaign against U.S. utilities providers," according to Proofpoint.
News URL: https://threatpost.com/espionage-group-utilities-spy-tool/156425/