Security News > 2022 > April > Cyberespionage APT Now Identified as Three Separate Actors

Cyberespionage APT Now Identified as Three Separate Actors
2022-04-29 11:51

A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities is actually comprised of three subgroups, all with their own toolsets and targets, that have been operating globally since 2018, researchers have found.

The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Middle East and Africa, according to a report published this week by researchers at security firm ESET. Though it's apparently been active since 2018, TA410 first came up on researchers' radar in 2019, when Proofpoint uncovered a phishing campaign targeting three U.S. companies in the utilities sector that used a novel malware then dubbed LookBack.

Now ESET researchers have found that TA410 is not one but actually three subgroups of threat actors-FlowingFrog, LookingFrog and JollyFrog-each "Using very similar tactics, techniques, and procedures but different toolsets and exiting from IP addresses located in three different districts," researchers Alexandre Côté Cyr and Matthieu Faou wrote in the report.

Researchers analyzed the activity of each subgroup, including which tools they use and what type of victims they target.

FlowingFrog also uses Royal Road, a malicious document builder used by several cyberespionage groups that builds RTF documents exploiting Equation Editor N-day vulnerabilities such as CVE-2017-11882, researchers said.

Rather than use custom tools, the group exclusively uses generic, off-the-shelf malware from known families QuasarRAT and Korplug, aka PlugX. Quasar RAT is a full-featured backdoor freely available on GitHub and is a popular tool used by cyberespionage and cybercrime threat actors, researchers said.


News URL

https://threatpost.com/apt-id-3-separate-actors/179435/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2017-11-15 CVE-2017-11882 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Office
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability".
local
low complexity
microsoft CWE-119
7.8