Security News > 2022 > April > Cyberespionage APT Now Identified as Three Separate Actors

A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities is actually comprised of three subgroups, all with their own toolsets and targets, that have been operating globally since 2018, researchers have found.

The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Middle East and Africa, according to a report published this week by researchers at security firm ESET. Though it's apparently been active since 2018, TA410 first came up on researchers' radar in 2019, when Proofpoint uncovered a phishing campaign targeting three U.S. companies in the utilities sector that used a novel malware then dubbed LookBack.

Now ESET researchers have found that TA410 is not one but actually three subgroups of threat actors-FlowingFrog, LookingFrog and JollyFrog-each "Using very similar tactics, techniques, and procedures but different toolsets and exiting from IP addresses located in three different districts," researchers Alexandre Côté Cyr and Matthieu Faou wrote in the report.

Researchers analyzed the activity of each subgroup, including which tools they use and what type of victims they target.

FlowingFrog also uses Royal Road, a malicious document builder used by several cyberespionage groups that builds RTF documents exploiting Equation Editor N-day vulnerabilities such as CVE-2017-11882, researchers said.

Rather than use custom tools, the group exclusively uses generic, off-the-shelf malware from known families QuasarRAT and Korplug, aka PlugX. Quasar RAT is a full-featured backdoor freely available on GitHub and is a popular tool used by cyberespionage and cybercrime threat actors, researchers said.

News URL

https://threatpost.com/apt-id-3-separate-actors/179435/