Each subgroup of TA410 is targeted differently. FlowingFrog targets universities and mining, as well as foreign diplomatic missions. LookingFrog targets diplomatic missions, charities, government, and industrial manufacturing. JollyFrog targets education and churches.
- These three teams employ a similar modus operandi.
Initial access often starts with spear phishing, but it may instead come from compromising directly internet-facing applications such as Microsoft Exchange and SharePoint.
Compromising these applications provides a strong foothold within an organization's infrastructure, in contrast to spear phishing, where users must be enticed into clicking on a link or opening an attached file. According to ESET's researchers, this is the approach most commonly used by TA410.
In 2019, attackers exploited Microsoft SharePoint server vulnerabilities to execute code before dropping an ASPX shell. This allowed them to install additional malicious components on the servers.
Additional exploitation was also observed on Microsoft IIS servers and SQL servers that run custom applications.
In August 2021, an IIS worker process was observed loading the LookBack malware used by TA410's LookingFrog after the ProxyShell vulnerability had been triggered. This indicates that the threat actor keeps watch for new vulnerabilities and can exploit them quickly to gain access to its targets' unpatched servers.
- TA410 uses other tools
The threat actor also uses vulnerability scanners, exploits from the Equation Group leaks, and proxying and tunneling tools (e.g. HTran, LCX and EarthWorm) to move within compromised networks.
TA410 also uses the notorious Royal Road malicious document builder. When a Royal Road-built document is opened, it launches an executable dubbed "Tendyron Downloader", which in turn retrieves a backdoor based on the Farfli malware, as well as FlowCloud, a highly sophisticated malware used only by TA410. Tendyron.exe is a legitimate executable that is vulnerable to DLL search-order hijacking.
QuasarRAT and PlugX (aka Korplug) are also used. These malware families are well known, but they are still used by many threat actors. QuasarRAT's code is freely available online, which makes it simple to obtain and tune for various purposes.
- TA410's exclusive arsenal
- TA410 uses a few types of malware that appear to be unique to it.
- FlowCloud malware
FlowCloud is a complex, three-component malware written in C++: a driver with rootkit capabilities, a simple persistence module, and a custom backdoor.
FlowCloud is still under development, yet it can already be configured according to the target. A custom AntivirusCheck class, used to verify whether antivirus software is running, has been discovered, although ESET did not find any samples that actually used this class.
To make detection and analysis more difficult, the code contains many anti-debugging techniques and control flow obfuscation.
FlowCloud has full access to drives and can also collect information about disk usage and mapped volumes. It can also gather the names of processes and service names, as well as the list of software installed on the system.
FlowCloud can monitor files and record audio with the computer's microphone. It can monitor clipboard changes, save data and take screen captures. It can also record keyboard and mouse activity, and take pictures with camera peripherals connected to the computer.
- X4 & LookBack malware
- X4 malware can be used to deploy LookBack malware.
X4 lets the operator control a compromised host: it can run encrypted shellcode, kill processes, list running processes and execute a command line.
LookBack is a C++ backdoor that uses proxy communication to relay data from the infected host to the C2 server.
LookBack lets the operator access files, list services, execute commands, take screenshots, and delete itself from the infected computer.
How to Protect Yourself from TA410
It is important to ensure that all software is up to date and patched. This is especially true for applications that are exposed to the internet. TA410 has shown that it constantly monitors the latest vulnerability releases and uses them quickly, so it is important to patch as soon as possible after a fix is available.
Every server that is exposed to the internet should be monitored for changes. Any file dropped onto such a server must be reported and investigated.
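One way to implement the file-drop check on an IIS or SharePoint web root, as an added example that is not part of the original article or of ESET's research: compare the server-side script files under the web root with a hash inventory taken at deployment time and report anything new or modified (the ASPX shell dropped after the 2019 SharePoint exploitation would show up as a "new" finding). The web root layout, file names and baseline are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types an IIS worker process executes as server-side code; a dropped
# file with one of these extensions under a web root deserves an alert.
SERVER_SIDE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".config"}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_web_root(web_root: Path, baseline: dict) -> list:
    """Compare server-side files under web_root with a baseline inventory
    {relative_path: sha256} taken at deployment time. Returns one finding
    per file that is new or whose content hash changed; static files and
    untouched pages are not reported."""
    findings = []
    for path in sorted(web_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SERVER_SIDE_EXTENSIONS:
            continue
        rel = path.relative_to(web_root).as_posix()
        digest = sha256_of(path)
        if rel not in baseline:
            findings.append({"path": rel, "sha256": digest, "reason": "new"})
        elif baseline[rel] != digest:
            findings.append({"path": rel, "sha256": digest, "reason": "modified"})
    return findings


def demo() -> list:
    """Build a constructed web root in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "_layouts").mkdir()
        good = root / "_layouts" / "default.aspx"
        good.write_text('<%@ Page Language="C#" %>\n<html>ok</html>\n')
        baseline = {"_layouts/default.aspx": sha256_of(good)}
        # Constructed changes after the baseline: one dropped script file,
        # one tampered page, one static file that must not be reported.
        (root / "_layouts" / "unexpected.aspx").write_text("<%@ Page %>\n")
        good.write_text('<%@ Page Language="C#" %>\n<html>changed</html>\n')
        (root / "logo.png").write_bytes(b"\x89PNG")
        return audit_web_root(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the baseline would be generated from the deployment package and the audit scheduled or driven by a file-system watcher, with each finding forwarded to the SIEM for hash lookup and triage.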
Email should also be handled carefully, since spear phishing is another way TA410 attempts to break into a system.
Multi-factor authentication should be used so that an attacker cannot gain access with a stolen username and password alone.