Recently, a campaign has been discovered wherein threat actors are noted to be victimizing a variety of critical infrastructure sectors in different regions such as Africa, the Middle East, and the United States. The group that has been identified as TA410, has been using an improved version of a remote access trojan designed with information-stealing capabilities.
TA410 is an umbrella group comprising of three teams named FlowingFrog, LookingFrog, and JollyFrog.
In regard to the incident, the Slovak cybersecurity firm ESET has reported that "these subgroups operate somewhat independently, but that they may share intelligence requirements, and access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure."
Following the incident, it has been observed that the TA410 shares behavioral and tooling overlaps with APT10 (aka Stone Panda or TA429) which has a history of targeting U.S.-based organizations in the utility sector as well as diplomatic entities in the Middle East and Africa region.
Moreover, the group has also targeted many firms in different regions all across the world including a manufacturing company in Japan, mining business in India, a charity foundation in Israel, and unnamed victims in the education and military verticals.
Im 2019, TA410 was recorded by Proofpoint for the first time when the members of the group executed phishing campaigns containing macro-laden documents to compromise utility providers across the U.S. with a modular malware called LookBack.
The group made a comeback with a new backdoor codenamed FlowCloud, also delivered to U.S. utility providers that Proofpoint described as malware that gives attackers full remote control over targeted systems.
"Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command-and-control," the company reported in June 2020.
Cybersecurity firm Dragos, which is investigating the activities of the group under the moniker TALONITE, said that the adversary has a penchant for blending techniques and tactics in order to ensure a successful intrusion.
"TALONITE focuses on subverting and taking advantage of trust with phishing lures focusing on engineering-specific themes and concepts, malware that abuses otherwise legitimate binaries or modifies such binaries to include additional functionality, and a combination of owned and compromised network infrastructure," Dragos said in April 2021.
