FlowCloud

Proofpoint researchers observed phishing campaigns beginning on July 10, 2019 that targeted utility providers across the United States with portable executable (PE) attachments and used subject lines such as “PowerSafe energy educational courses (30-days trial)”... The content of the emails in the November 2019 campaigns impersonated the American Society of Civil Engineers and masqueraded as the legitimate domain asce[.]org.

These campaigns utilized malicious macro-laden documents in order to deliver modular malware to targeted utility providers across the U.S.... threat actors shifted from PE attachments to malicious macro laden Microsoft Word documents that closely resembled the same delivery and installation macros used in LookBack malware campaigns.

after an extended period of using PE attachments to deliver FlowCloud in campaigns, the threat actors behind FlowCloud switched to using Microsoft Word documents with malicious macros... FlowCloud uses this same method exactly including identical macro concatenation code.

The earlier LookBack versions of the macro included the payload in numerous privacy enhanced email (“.pem”) files that were dropped when the attachment file is executed by the user.

EhStorAuthn.exe extracts the subsequent payload file components and installs them to the directory C:\Windows\Media\SystemPCAXD\ado\fc. This file also sets registry key values that store the keylogger drivers and the malware configuration as the value “KEY_LOCAL_MACHINE\SYSTEM\Setup\PrintResponsor\<2-4>”.

Responsor.dat unpacks several modules (rescure86.dat or rescure64.dat) to the registry %TEMP%\{0d47c9bc-7b04-4d81-9ad8-b2e00681de8e}" and installs the unpacked file as a service named “FSFilter Activity Monitor” or “FltMgr”.

Dlcore.dll is a DLL crafted by the threat actors that functions as a shellcode injector pulling the shellcode from a file named rebare.dat... Several legitimate Microsoft Windows files were also used by the malware for thread injection.

Responsor.dat unpacks several modules (rescure86.dat or rescure64.dat) to the registry %TEMP%\{0d47c9bc-7b04-4d81-9ad8-b2e00681de8e}" and installs the unpacked file as a service named “FSFilter Activity Monitor” or “FltMgr”.

The senders of the emails that delivered FlowCloud malware utilized threat actor-controlled domains for delivery which impersonated energy sector training services... The content of the emails in the November 2019 campaigns impersonated the American Society of Civil Engineers and masqueraded as the legitimate domain asce[.]org.

Dlcore.dll is a DLL crafted by the threat actors that functions as a shellcode injector pulling the shellcode from a file named rebare.dat... Several legitimate Microsoft Windows files were also used by the malware for thread injection.

This file is next saved as a portable executable file named “gup.exe” and executed using a version of the certutil.exe tool named “Temptcm.tmp”.

EhStorAuthn.exe extracts the subsequent payload file components and installs them to the directory C:\Windows\Media\SystemPCAXD\ado\fc. This file also sets registry key values that store the keylogger drivers and the malware configuration as the value “KEY_LOCAL_MACHINE\SYSTEM\Setup\PrintResponsor\<2-4>”.

The malware stores its configuration in the registry alongside drivers utilized by the malware’s keylogger components.

The malware stores its configuration in the registry alongside drivers utilized by the malware’s keylogger components.

FlowCloud malware handles configuration updates, file exfiltration, and commands as independent threads utilizing a custom binary C2 protocol.

The FlowCloud version of the macro utilized a previously unobserved macro section to download the payload from a DropBox URL... if it was unable to retrieve the payload from that resource, a catch statement... attempted to retrieve a malware resource from the URL http://ffca.caibi379[.]com/rwjh/qtinfo.txt

FlowCloud malware, like LookBack, gives attackers complete control over a compromised system. Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command and control.

FlowCloud malware handles configuration updates, file exfiltration, and commands as independent threads utilizing a custom binary C2 protocol. The sample we analyzed utilized port 55555 for file exfiltration and port 55556 for all other data.