Recent reports have identified a cyberespionage group known as TA410, which has been actively targeting critical infrastructure across Africa, the Middle East, and the United States using an evolved version of a remote access trojan (RAT) designed for information theft. The Slovak cybersecurity firm ESET has categorized TA410 as an umbrella group comprising three teams: FlowingFrog, LookingFrog, and JollyFrog. While these subgroups operate with a degree of autonomy, they share common objectives and techniques, which include spear-phishing campaigns and network infrastructure deployment.

The group has previously been linked to APT10 (also known as Stone Panda), suggesting similarities in behavioral patterns and tools utilized during attacks. Notably, TA410 has focused its efforts on U.S. utility companies, as well as various diplomatic entities situated in the Middle East and Africa. The list of potential victims has expanded to include businesses in sectors such as manufacturing, mining, and non-profits.

Initially documented by Proofpoint in August 2019, TA410 employed phishing attacks involving macro-laden documents to infiltrate utility providers within the United States. Their operations have since advanced, exemplified by the introduction of the FlowCloud backdoor, which grants extensive control over compromised systems.

This latest version of the RAT can monitor active applications, capture keystrokes and screen activity, access files, and manage system processes, and it exfiltrates the collected data through its command-and-control servers. ESET’s analysis emphasizes that the TA410 attackers are particularly adept at selecting entry methods, whether through spear-phishing or exploiting vulnerable internet-facing applications, including Microsoft Exchange and SQL servers.

ESET has reported that the newly upgraded FlowCloud includes capabilities for audio recording via the infected system’s microphone and monitoring clipboard events, revealing a sophisticated level of surveillance that extends to taking photos through connected camera devices. The audio recording feature is specifically engineered to trigger when ambient sound levels reach a threshold of 65 decibels, indicating targeted and context-aware functionality.

Mapped onto the MITRE ATT&CK framework, TA410’s operations likely break down as follows: initial access through spear-phishing or exploitation of existing vulnerabilities in the targeted organizations’ software; persistence through installation of the RAT; and privilege escalation techniques to deepen access to sensitive information and systems.

ESET further describes individual tactics used by the different teams within TA410; JollyFrog often utilizes broadly available malware, whilst LookingFrog employs more specialized implants such as X4. FlowingFrog is noted for deploying Tendyron as a downloader, facilitating access to sophisticated backdoors like FlowCloud and derivatives of Gh0stRAT.

TA410 has established its presence as a significant threat to high-profile entities, targeting various sectors ranging from governmental agencies to academic institutions globally. The group’s evolving arsenal of tools, along with its strategic approach to cyberespionage, underscores the necessity for robust cybersecurity measures to mitigate risks associated with such organized groups.

This ongoing threat landscape necessitates vigilance from business owners and IT professionals concerned about the integrity of their systems. Awareness, coupled with proactive defenses and regular security assessments, is essential in protecting sensitive information from such sophisticated cyber adversaries.
