ESET Research reveals a detailed profile of TA410, a cyber espionage group loosely cooperating with APT10. This has been known to target US organizations in the utility sector and diplomatic organizations in the Middle East and Africa.
The researchers at the European IT security manufacturer assume that this group consists of three different teams using different toolsets. This toolbox also includes a new version of FlowCloud. This is a very complex backdoor with extensive espionage capabilities. ESET will present its latest findings on TA410, including the results of ongoing research, during Botconf 2022.
Targets of TA410: diplomats and military
Most TA410 targets are high profile and include diplomats, universities and military installations. ESET was able to identify a large industrial company among the victims in Asia and a mining company in India. In Israel, the perpetrators were targeting a charity. In China, TA410 seems to be primarily targeting foreigners.
Establishment of the eSpionage group
The subgroups of TA410 identified by ESET, referred to as FlowingFrog, LookingFrog and JollyFrog, have overlaps in TTPs, victimology and network infrastructure. ESET researchers also hypothesize that these subgroups operate somewhat independently but may share common information requirements, an access team that runs their spearphishing campaigns, and also the team that sets up the network infrastructure.
FlowCloud's spying capabilities
The attack is usually carried out by exploiting vulnerabilities in standard applications such as Microsoft Exchange, or by sending spear phishing emails containing malicious documents. “Victims will be specifically targeted by TA410. The attackers rely on the most promising attack method according to the victim in order to effectively infiltrate the target system,” explains ESET malware researcher Alexandre Côté Cyr. Although ESET researchers believe that this version of FlowCloud used by FlowingFrog team is still under development and testing stage. This version's cyber espionage capabilities include the ability to collect mouse movement, keyboard activity, and clipboard content along with information about the current foreground window. This information can help attackers better understand stolen data by contextualizing it.
But FlowCloud can do much more: the spy function is able to take pictures with the help of the connected webcam or the integrated camera or to record conversations unnoticed via the microphone of notebooks or webcams. "The latter function is automatically triggered by any sound above a threshold of 65 decibels, which is in the upper range of normal conversation volume," continues Côté Cyr.
TA410 has been active since at least 2018 and was first published by Proofpoint in its LookBack blog post in August 2019. A year later, the then new and very complex malware family called FlowCloud was also attributed to the TA410 group.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.