US energy providers hit with new malware in targeted attacks
U.S. energy providers were targeted by spear-phishing campaigns delivering a new remote access trojan (RAT) capable of giving attackers full control over infected systems. The attacks took place between July and November 2019, and the threat actor behind them, tracked as TA410 by the Proofpoint researchers who spotted the campaigns, used portable executable (PE) attachments and macro-laden Microsoft Word documents to deliver the malicious payload.
The FlowCloud campaigns pushed the RAT payload using PE attachments between July and September 2019 and switched to Microsoft Word documents with malicious macros in November 2019. The phishing emails sent in the November 2019 campaigns impersonated the American Society of Civil Engineers (ASCE) and spoofed the legitimate asce[.]org domain.
The malware, dubbed FlowCloud, is a full-fledged RAT that gives the TA410 operators total control over compromised devices, as well as the capability to harvest information and exfiltrate it to attacker-controlled servers. The attackers may also have tried to pose as another hacking group, TA429 (APT10), by including the http://ffca.caibi379[.]com/rwjh/qtinfo.txt URL as an alternate download server; that URL is listed in publicly reported indicators of compromise as an APT10 malware delivery server.
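The delivery chain described above (a spoofed sender domain, PE or macro-enabled Word attachments, and a download URL that matches a published indicator) is exactly what a mail-gateway triage rule can check for. The following Python script is an added example, not code from Proofpoint or from the report; it builds a constructed sample message, then classifies attachments by their leading bytes rather than their extension, checks the sender domain against the authentication results the receiving MTA would record, and compares body URLs with a defanged indicator list. The indicator list and the impersonated-domain list are seeded only with the values this page names; the Authentication-Results header, the attachment contents and the mailbox names are constructed for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicator list seeded with the one URL the report names (kept defanged);
# in practice this comes from a threat-intel feed.
KNOWN_IOC_URLS = {"http://ffca.caibi379[.]com/rwjh/qtinfo.txt"}
# Domain the November campaign spoofed, per the report.
IMPERSONATED_DOMAINS = {"asce[.]org"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(indicator):
    """Turn a defanged indicator back into a matchable URL/domain."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def classify_attachment(data):
    """Classify by magic bytes: 'pe', 'ole', 'ooxml-macro', 'ooxml' or 'unknown'."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:8] == OLE_MAGIC:
        return "ole"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            return "unknown"
        # A macro-enabled Word file carries its VBA project in this stream.
        return "ooxml-macro" if "word/vbaproject.bin" in names else "ooxml"
    return "unknown"


def parse_auth_results(header):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}


def triage_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender claims an impersonated domain but DMARC did not pass.
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    from_domain = m.group(1).lower() if m else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if from_domain in {refang(d) for d in IMPERSONATED_DOMAINS} and auth.get("dmarc") != "pass":
        findings.append(f"spoofed-sender:{from_domain}")

    # 2. Body URLs that match the indicator list.
    iocs = {refang(u) for u in KNOWN_IOC_URLS}
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings.extend(f"ioc-url:{u}" for u in URL_RE.findall(text) if u in iocs)

    # 3. Attachments that are executables or macro-capable documents.
    for part in msg.iter_attachments():
        kind = classify_attachment(part.get_payload(decode=True) or b"")
        if kind in ("pe", "ole", "ooxml-macro"):
            findings.append(f"attachment:{kind}:{part.get_filename()}")
    return findings


def build_sample_message():
    """Constructed lure modelled on the reported campaign; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "events@asce.org"            # constructed sender
    msg["To"] = "operator@utility.example"     # constructed recipient
    msg["Subject"] = "Exam invitation"
    # Constructed header as a receiving MTA would add it for a spoofed sender.
    msg["Authentication-Results"] = ("mx.utility.example; spf=fail smtp.mailfrom=asce.org; "
                                     "dmarc=fail header.from=asce.org")
    msg.set_content("Register here: " + refang("http://ffca.caibi379[.]com/rwjh/qtinfo.txt"))
    buf = io.BytesIO()                         # minimal .docm with a VBA stream
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invite.docm")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

The DMARC check deliberately treats anything other than an explicit `pass` as suspicious for a watched domain, so a missing or unparsable Authentication-Results header is flagged rather than silently trusted; the attachment check likewise ignores the declared filename and MIME type, which a sender controls, and looks only at the bytes.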
“[W]hile not conclusive from current analysis, the possibility remains that these overlaps represent false flag activity by the TA410 threat actor,” Proofpoint says. “The possibility remains that these overlaps represent intentional false flag efforts to cloak the identity of these perpetrators while they targeted a critical and geo-politically sensitive sector of energy providers in the US.”
TA410’s LookBack campaigns also targeted U.S. utility providers between April 5 and August 29, updating tactics, techniques, and procedures (TTPs) midway by switching from failed exam alerts to exam invitations.
Reference:
Contact Us
Learn more about what Techcess CyberSecurity Group can do for your business.
1-833-TXCYBER
1-833-892-9237
Techcess CyberSecurity Group
6110 Clarkson Lane
Houston, Texas 77055