
The digital attackers responsible for distributing LookBack malware targeted U.S. utility providers with a new threat called “FlowCloud.”

Proofpoint first observed threat actors attempting to spread FlowCloud in mid-July 2019. At that time, the security firm detected phishing campaigns whose attack emails employed subject lines such as “PowerSafe energy educational courses (30-days trial)” in an attempt to target U.S. utility entities. Those attack emails ultimately leveraged PE attachments to deliver a modular malware referred to as “FlowCloud” in its program database (PDB) paths.

The attacks involving FlowCloud remained the same through September 2019.

Two months later, those responsible for distributing the malware modified their efforts. They preserved U.S. utility providers as their targets. However, they shifted away from PE attachments and towards Microsoft Word documents containing malicious macros that were similar to those abused by LookBack, another malware strain that had developed a reputation for preying on U.S. utility organizations.

ASCE-themed phishing email delivering FlowCloud malware November 2019. (Source: Proofpoint)

A closer look by Proofpoint revealed some other similarities between the campaigns described above and the LookBack distribution operations that occurred later in the summer. As explained by the firm:

It’s notable that these FlowCloud campaigns were occurring at the same time as the LookBack campaigns that Proofpoint has previously documented. Both the FlowCloud and LookBack campaigns targeted utility providers in the United States. Both used training and certification-themed lures. And both used threat actor-controlled domains for delivery. In some cases, both FlowCloud and LookBack campaigns targeted not only the same companies but also the same recipients.

These similarities led Proofpoint to attribute both FlowCloud and LookBack to a single threat actor: TA410.

Comprised of a large code base written in C++, FlowCloud capitalized upon a successful infection to perform multiple functions characteristic of a Remote Access Trojan (RAT). Those activities included stealing content from the clipboard, installing applications and exfiltrating data to its command-and-control (C&C) server.

The attacks described above highlight the need for utility organizations to defend themselves against a malware infection. Towards that end, they can use Tripwire Industrial Visibility to map their networks, fix vulnerabilities and block attack vectors that could pose a threat to their environments.