FlowCloud Targeting the U.S. energy sector

   Researchers at Proofpoint have discovered a phishing campaign targeting companies within the United States’ utility sector. This campaign makes use of malicious documents to upload a remote access trojan (RAT) to the target’s system.

    In July 2019, researchers observed the use of a new RAT, called FlowCloud, as part of a spear-phishing campaign targeting the U.S. energy sector. This RAT was able to access the mouse, keyboard, screen, and running services, and exfiltrate that information to a command-and-control (C2) provider. To make themselves more convincing, attackers used emails disguised as training information with subject lines relating to free trials of energy educational courses. Content of the emails also impersonated the authentic American Society of Civil Engineers and masqueraded as coming from the organization’s domain.

    Early in the campaign, the threat actors used portable executable (PE) attachments to distribute us Microsoft Word documents. Researchers then started to notice some similarities bthe malware. However, in November 2019, the threat actors shifted from PE attachments to malicioetween FlowCloud and another malware campaign, LookBack. Both FlowCloud and LookBack targeted the United States’ utility sector. Both used malicious Word documents, and as of November 2019, both used the same IP addresses for staging and surveillance. Also, similar attachment macros, installation techniques, and infrastructure confirmed to researchers that FlowCloud and LookBack are related. Proofpoint was able to determine that both campaigns, which started around the same time, are linked to the advanced persistent threat (APT) group TA410. Also, Proofpoint researchers have found similarities between TA410 and APT10, the latter being a known Chinese espionage group. However, the researchers believe that the similarities may be intentional and that “the reuse of well-publicized APT10 techniques and infrastructure may be an attempt by threat actors to create a false flag.” TA410 is currently tracked independently of APT10. Proofpoint states that both malware families demonstrate a high level of sophistication in their development and presentation. Not much is known about the impact that these campaigns have had on the energy sector.

    As demonstrated by the FlowCloud and LookBack malware campaigns, the TA410 operators demonstrate a willingness to adapt and target their phishing tactics to increase the effectiveness of each campaign. Targeted phishing emails can be hard to spot, which is why, in addition to implementing proper security  systems and protocols, employee training is so necessary. Phishing attacks are still the most common way for attackers to enter an organization’s network. Educating end-users can go a long way in preventing an organization from becoming a victim of one of these attacks.