Friday 26 September 11:30 - 12:00, Green room
Hiroshi Takeuchi (MACNICA)
TA410 is a cyber espionage umbrella group loosely linked to APT10, the infamous China-nexus cyber espionage umbrella. TA410 activity has been observed since 2018, targeting a diverse range of sectors, including US utilities, the Taiwanese government, Japanese manufacturing, and media. This group was first publicly described by Proofpoint in 2020. ESET defines its three sub-groups, FlowingFrog, LookingFrog and JollyFrog, based on their toolsets and TTPs.
FlowCloud is a toolset used exclusively by FlowingFrog. We presented a campaign we named "Operation USBFlowing" at VB2023. In that presentation, we discussed its interesting initial access vector, USB devices, and an approach to identifying statically linked third-party open-source libraries within the FlowCloud RAT component.
The name 'FlowCloud' has been used to refer to the RAT because the string 'FlowCloud' appeared in its configuration data and PDB strings. However, based on our analysis of samples and PDB strings, we can presume that FlowCloud is actually the name of a finely crafted attack framework, specifically an MSVC solution that contains multiple projects beyond just RATs, including a loader, a rootkit driver, and an installer. The FlowCloud solution consists of two primary RAT components: fcClient and hcClient. These RATs are sophisticated C++ applications and share common design elements: encryption algorithms, extensive use of Google Protocol Buffers for C2 communication data formats and configuration, and communication with two external servers (exchange_server and file_server). fcClient has a more structured C++-based design, whereas hcClient is a C-based application.
Previously, fcClient and hcClient were categorized under the FlowCloud RAT. However, our analysis reveals that they are distinct, yet related RATs with separate development paths. We have continued tracking the FlowCloud toolset and identified two new FlowCloud RATs, which are updated versions of hcClient: FlowCross (v5.0.5dz) and FlowThrough (v7.0.0).
In this presentation we will provide in-depth details on the long-used twin RATs (fcClient and hcClient).
First, we will review the history of the FlowCloud toolset dating back to 2015 and share our research: their architectures and a comparison between fcClient and hcClient obtained from over 50 samples and case studies. We will then share a detailed analysis of our new findings on FlowCross and FlowThrough, covering topics such as anti-disassembly and anti-decompilation techniques, packer mechanisms, and unique characteristics, including dual configurations, over 100 Protocol Buffer messages, an frp (fast reverse proxy) module, a kernel rootkit driver update, and more.
This presentation will provide security practitioners – reverse engineers, threat analysts, and blue teams – with an in-depth understanding of TA410's FlowCloud toolset evolution, its advanced anti-analysis techniques, and methods for bypassing them. Attendees will leave with actionable intelligence to improve detection, analysis, and mitigation of this sophisticated espionage threat.
Additionally, we will demonstrate our approach to unpacking the samples and disabling their anti-disassembly and anti-decompilation techniques, allowing us to generate decompiled code that closely matches the decompiled code from an unpacked sample.
Hiroshi Takeuchi is a security researcher with over 10 years of experience in the industry. His main responsibilities are reverse engineering and incident response within MACNICA, a security service company for the Asia Pacific and Middle East regions. Alongside his day job, he has developed internal tools such as an intelligence platform, a honey network, and Python scripts to support analysis. He writes blog posts and private and public technical reports, and has spoken at a number of security conferences including Virus Bulletin, CONFidence, HITCON and JSAC.