2026-04-17, Amphitheater
TA410 is a cyber-espionage umbrella group consisting of three subgroups: FlowingFrog, LookingFrog, and JollyFrog. TA410 activity has been observed since 2018, targeting a diverse range of sectors.
FlowCloud is a toolset exclusively used by FlowingFrog. One interesting point is that a HUMINT-driven technique was used for initial access: using a USB device to deliver and install FlowCloud.
The name “FlowCloud” has often been used to refer to the RAT because the string “FlowCloud” appears in its configuration data and PDB strings. However, based on our analysis of samples and PDB strings, we believe FlowCloud is actually the name of a finely crafted attack framework, specifically an MSVC solution containing multiple projects beyond the RAT itself, including a loader, a rootkit driver, an installer, and an uninstaller.
The FlowCloud solution consists of two primary RAT components: fcClient and hcClient. These RATs are sophisticated C++/C applications that share common design elements: encryption algorithms, extensive use of Google Protocol Buffers for C2 communication data formats and configuration, and communication with two external servers (exchange_server and file_server). fcClient has a more structured C++-based design, whereas hcClient is a C-based application.
Previously, fcClient and hcClient were categorized under the FlowCloud RAT. However, our analysis reveals that they are distinct yet related RATs with separate development paths. We have continued tracking the FlowCloud toolset and identified two new FlowCloud RATs, which are updated versions of hcClient: FlowCross (v5.0.5dz) and FlowThrough (v7.0.0).
In this presentation we will provide in-depth details on the twin RATs (fcClient and hcClient) that have been in use over the long term. In particular, we will take a deep dive into:
- New FlowCloud tools, which have not been publicly documented
- Parsing and extracting Protocol Buffers messages from fcClient and hcClient
- Deobfuscation of hcClient payload, including a live demo
Hiroshi Takeuchi is a security researcher with over 10 years of experience in the industry. His main responsibilities are reverse engineering and incident response within MACNICA, a security service company for the Asia Pacific and Middle East regions. Alongside his day job, he has developed internal tools such as an intelligence platform, a honey network, and Python scripts to support analysis. He writes blog posts and private and public technical reports, and has spoken at a number of security conferences including Virus Bulletin, CONFidence, HITCON and JSAC.