Introduction

I wish I could say that attack campaigns that target the United States energy sector do not exist, but unfortunately they do. The attack group behind the infamous LookBack malware attack campaign, which targets the US energy utilities sector, has been observed using a new malware called FlowCloud. These two attack campaigns have carried on simultaneously with similar targets and have many points of overlap besides. 

This article will detail the FlowCloud malware and will explore what it is, how it works and how to prevent this remote access Trojan (RAT). 

What is FlowCloud?

Discovered by researchers at Proofpoint in mid-July of 2019, FlowCloud is a RAT that uses phishing campaigns with provocative email subject lines referring to energy utilities training and certification, as well as domains which may lure those with even a moderate cybersecurity training education to download the portable executable (PE) attachment. Over time, overlap between FlowCloud and LookBack was uncovered by findings of common malware installation, attack techniques, and delivery infrastructure. 

The timing element at play here is also interesting: the domain registrations for the respective malwares are within about a month of each other (May-June 2019). While it is not known which individuals are specifically responsible for FlowCloud, Proofpoint has dubbed TA410.

In November of 2019, attackers changed how the distribution of FlowCloud takes place by moving from relying on PE to Microsoft Word documents loaded with malicious macros as a vehicle to infect machines. It should be noted that this delivery method is very similar to that of LookBack. Once infected with FlowCloud, attackers have complete control with the ability to access keyboard, mouse, files, applications, processes and service and can exfiltrate at will.

You may be wondering why it is called FlowCloud (as I was) — this malware is named after the characteristic program database, or PDB, paths within its components. Looking deeper at FlowCloud’s components reveals a deeper than usual level of complexity, as it has extensive object-oriented programming and QQ components, allowing for later-stage execution.

An interesting thing that researchers discovered was that some samples of FlowCloud dropped a 32-bit module only compatible with previous Windows versions, such as Windows Vista (or Windows 6) and older. The takeaway from this is that the code base of FlowCloud has been under development for quite some time by this point.

How FlowCloud works

FlowCloud begins its attack by using phishing campaigns with subject lines mentioning US energy sector training or certification. One example that stands out is an email from the American Society of Civil Engineers (ASCE) with the subject of “Join the Global Engineering Society NOW | Your ASCE Invitation.” This would make any serious engineer want to open the email. 

This email contained a Microsoft Word document with malicious macros attached. These malicious macros execute files such as Gup.exe, which then executes EhStorAuthn.exe. EhStorAuthn.exe is the executable that extracts and installs payload file components and sets up the keylogger drivers and malware configuration by setting registry key values.

Researchers have observed that FlowCloud contains a try…catch sequence that attempts to download the malware payload by way of a DropBox URL within the try statement. If this attempt cannot retrieve the payload, the catch statement contains a nearly identical statement that attempts to retrieve the payload from a URL of “http://ffca.caibi379[.]com/rwjh/qtinfo.txt”. This use of a try…catch sequence is important because the URL referenced in the previous sentence was mentioned in a May 2019 blog entitled “Uncovering New Activity by APT10” by enSilo. The interesting thing about this is when FlowCloud was discovered, Proofpoint researchers found that the resource was unavailable — and my research confirmed this.

After the multi-stage payload of FlowCloud is fully installed, it has full capabilities of a RAT based upon the malware’s available commands. These capabilities are:

  • Accessing the system’s clipboard
  • Ability to install applications
  • Keylogging
  • Accessing keyboard, mouse and screen
  • Access to files, processes, and services
  • Information exfiltration to a C2 provider

How to prevent FlowCloud

Prevention of FlowCloud boils down to two levels — the email level and the user level. For the email level, make sure that filters are enabled to potentially block an email containing a FlowCloud infected Microsoft Word file from even making it into the user’s inbox in the first place. 

In terms of the user level, organizations need to train their staff to recognize emails containing FlowCloud infected attachments. Even if your organization does not train you on FlowCloud-specific emails and who they target (personnel working in the United States energy sector, engineers, etc.), being proactive will pay off here. As always, never download attachments from email senders you do not know; this is a basic piece of cybersecurity to be sure but it would win the day for prevention.

Conclusion

FlowCloud is a RAT that targets the United States Energy Sector. FlowCloud is distributed via phishing emails with provocative subjects referring to training and certification, as well as professional societies, related to this sector. There have been multiple nearly identical similarities observed between FlowCloud and the LookBack malware, leading researchers to believe that they are operated by the same attack group.

 

Sources

  1. Espionage Group Hits U.S. Utilities with Sophisticated Spy Tool, Threatpost
  2. Hacker Targeted U.S. Utilities in Two Mirrored Phishing Campaigns, MSSP Alert
  3. TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware, Proofpoint