TA410: Cyberespionage threat actor with 3 heads

ESET has published new information about TA410, a cyberespionage threat actor active since at most 2018. He targeted U.S. companies operating in the utilities sector as well as diplomatic organizations in Africa.

TA410: There are three groups, not one.

ESET has revealed that TA410 was initially thought to be one threat actor. However, ESET now reports that there are three distinct teams. These teams are different in their toolsets, use of different IP addresses, and they have very similar tactics, techniques, and procedures.

Must Read: functions wind smart technology of bluetooth headset

These teams are known as LookingFrog, FlowingFrog and JollyFrog.

ESET believes that all three can work independently, but they may share intelligence. A team deploys their network infrastructure and an access team runs spear phishing campaigns.

Who are the victims?

Each subgroup of the TA410 is targeted differently. FlowingFrog targets universities and mining, as well as foreign diplomatic missions. LookingFrog targets diplomatic missions and charities, government, and industrial manufacturing. JollyFrog targets education and churches.

Never Miss: advantages and disadvantages of cat5 data cabling

These three teams employ a similar methodus operandi.

Spear phishing can be used for starters. However, it can also be replaced with the compromise of directly internet-facing apps like Microsoft Exchange and SharePoint.

Compromising these applications provides a strong foothold within an organization’s infrastructure. This is in contrast to spear phishing where users must be enticed into clicking on a link or opening an attached file. According to ESET’s researchers, it is the most commonly used approach by TA410.

In 2019, attackers exploited Microsoft SharePoint server vulnerabilities to execute code before dropping an ASPX shell. This allowed them to install additional malicious components on the servers.

Additional exploitation was also observed on Microsoft IIS servers and SQL servers that run custom applications.

After the ProxyShell vulnerability was triggered, an IIS worker loaded the LookBack malware from TA410s LookingFrog in August 2021. This indicates that the threat actor is always on guard for vulnerabilities and can quickly exploit them to gain access to unpatched servers of their targets.

More tools are used by TA410

The threat actor also uses vulnerability scanners, exploits of Equation group leaks and proxying and tunneling instruments (e.g. HTran, LCX and EarthWorm) to move within compromised networks.

Threat actors also use the notorious Royal Road malicious document maker. When the Royal Road-infected document is opened, an executable called “Tendyron Downloader” launches. The downloader then launches an executable dubbed “Tendyron Downloader” and grabs a backdoor based upon Farfli malware, as well as FlowCloud, a highly sophisticated malware that is used only by TA410. Tendyron.exe, a legitimate executable, is vulnerable to DLL search-order hijacking vulnerability.

QuasarRAT (aka KorPlug), and PlugX (aka KorPlug), are also used. These malwares are well-known, but they are still being used by many threat actors. QuasarRATs’ code is freely available online. This makes it simple to access it and tune it for various purposes.

TA410s exclusive arsenal
TA410 uses a few types of malware that appear to be unique to it.
FlowCloud malware

FlowCloud is a complex, three-component malware written in C++. The driver has rootkit capabilities. The other components are simple persistent modules and a custom backdoor.

FlowCloud, a new malware in development, can still be configured according to the target. A custom AntivirusCheck class, which is used to verify that antivirus software is running, has been discovered. ESET did not find any samples that used this class.

To make detection and analysis more difficult, the code contains many anti-debugging techniques and control flow obfuscation.

FlowCloud has full access to drives and can also collect information about disk usage and mapped volumes. It can also gather the names of processes and service names, as well as the list of software installed on the system.

FlowCloud can monitor files and record audio with the computer’s microphone. It can monitor clipboard changes, save data and take screen captures. It can also record keyboard and mouse activity. You can also take a picture with the camera peripherals connected to FlowCloud.

X4 & LookBack malware
X4 malware can be used to deploy LookBack malware.

X4 allows you to control a compromised host by using encrypted shellcode, killing processes, listing running processes and executing a command line.

LookBack is a C++ backdoor that uses proxy communication to relay data from the infected host to the C2 server.

LookBack allows you to access files, list services, run processes and execute command line commands. You can also take screen shots or delete the computer from infected computers.

How to Protect Yourself from TA410

It is important to ensure that all software is up-to-date and patched. This is especially true for applications that are connected to the internet. TA410 has shown that they are constantly monitoring the latest vulnerability releases and were using them quickly. Therefore, it is important to patch as soon as possible after a fix is available.

Every server that is connected to the internet should be checked for any changes. All files that are dropped onto such servers must be reported and should be checked for errors.

Also, email should be handled carefully as spear phishing by TA410 is another way to attempt to hack into a system and gain access to it.

Multi-factor authentication should be used to prevent an attacker from gaining access to the system using a single username or password.

TA410: Cyberespionage threat actor with 3 heads

TA410: There are three groups, not one.

ESET believes that all three can work independently, but they may share intelligence. A team deploys their network infrastructure and an access team runs spear phishing campaigns.