Cybersecurity firm ESET has published its research on TA410, a cyber-espionage group whose FlowCloud backdoor records sound, tracks keyboard activity and operates the camera of infected computers.
TA410 Cyber Espionage Group
ESET Research has unveiled a detailed profile of TA410, an umbrella cyber-espionage group associated with APT10 and known to target primarily US-based utilities organizations and diplomatic organizations in the Middle East and Africa.
ESET researchers believe that this group consists of three different teams using different toolkits, including a new version of FlowCloud discovered by ESET. FlowCloud is a very complex backdoor with interesting espionage capabilities. ESET has announced that it will present its latest findings on the TA410 threat group, including the results of ongoing research, at Botconf 2022.
ESET’s statement included the following information:
- TA410 is an umbrella group of three teams, each with its own set of tools and objectives, which ESET researchers call FlowingFrog, LookingFrog and JollyFrog.
- ESET telemetry shows that there are victims of this group worldwide, especially in the public and education sectors.
- TA410 had access to the latest known Microsoft Exchange remote code execution vulnerabilities (for example, ProxyLogon in March 2021 and ProxyShell in August 2021).
- ESET researchers have found a new version of FlowCloud, a complex and modular C++ RAT used by FlowingFrog, with several interesting features. These features include:
  - Monitoring connected microphones and starting a recording when sound levels above a certain threshold volume are detected.
  - Clipboard event monitoring to capture clipboard contents.
  - File system event monitoring to collect new and changed files.
  - Monitoring connected camera devices to take pictures of the infected computer’s environment.
Turkey is one of the target countries.
These teams, referred to below as FlowingFrog, LookingFrog and JollyFrog, share similarities in tactics, techniques and procedures, victims and network infrastructure.
ESET researchers also assume that these subgroups operate somewhat independently, but may share the same intelligence requirements, an access team that runs targeted phishing campaigns, and the team that deploys network infrastructure.
Most TA410 targets are leading organizations in the diplomacy and education sectors. However, ESET also identified victims in the military sector, a manufacturing company in Japan, a mining company in India and a charity in Israel. It is also stated that TA410 targets foreign individuals in China. According to ESET telemetry, this has happened at least twice; for example, one of the victims was a French academic and the other was a member of a South Asian country’s diplomatic mission in China.
Initial access to targets is gained by exploiting Internet-facing applications such as Microsoft Exchange or by sending targeted phishing emails containing malicious documents. ESET malware researcher Alexandre Côté Cyr explains: “This means that their victims are targeted specifically and attackers choose victims where they are most likely to infiltrate the target.”
While ESET researchers believe that the version of FlowCloud used by the FlowingFrog team is still under development and testing, the cyber-espionage capabilities of this version include the ability to collect mouse movements, keyboard activity and clipboard content, as well as information about the current foreground window. This context helps attackers make sense of the stolen data.
In addition, FlowCloud can collect information about what is happening around the victim’s computer by taking pictures through attached camera peripherals and recording audio through the computer’s microphone. Côté Cyr continues: “This second function starts automatically at any sound above the 65 decibel threshold, which is in the upper range of normal speech volume. Typical audio recording functions in cyber-espionage malware are started when an action is performed on the affected machine (for example, when a video conferencing application is running) or when a specific command is sent to the malware by the operators.”
TA410 has been active since at least 2018 and was first publicly documented in August 2019 by Proofpoint in a blog post about LookBack. A year later, FlowCloud, a then new and highly advanced malware family, was also attributed to TA410.
Source: (BHA) – Beyaz News Agency