
FLASHFLOOD

Posted: April 18, 2019

FLASHFLOOD is spyware that searches for files of interest, copies them to a hidden staging location, and then transfers them to its threat actors. Users should be aware that FLASHFLOOD coordinates its attacks with related threats, including ones that compromise removable devices. To protect your PC, avoid sharing removable devices between different computers and maintain anti-malware solutions that should block or delete FLASHFLOOD on first sight.

A Flood of Files in the Wrong Direction

The PC security community traces back APT30 attacks to 2004, with noteworthy considerations including the threat actors' anticipation of the importance of overcoming 'air-gap' security, as well as their avoiding detection for years at a time while updating their software. APT30's primary, but not only, targets include most non-China nations in both mainland and Pacific Asia, with interest in military networks, media, government territorial disputes, and economic concerns. FLASHFLOOD is one of the primary tools they use for collecting private information.

A typical attack goes through several stages: an e-mail lure, a Trojan dropper, a Trojan downloader like BACKBEND or CREAMSICLE, and, then, the more advanced threats, like FLASHFLOOD. For its part, FLASHFLOOD is spyware with a basis in harvesting both basic system stats and any 'interesting' files for the threat actors. It searches local drives and any removable ones, as well, and creates duplicates of the relevant content inside a fake Windows uninstallation folder.
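The staging behaviour described above (copying harvested documents into a folder made to look like a Windows uninstallation folder) is something a defender can hunt for on disk. The following Python script is an added example, not code from the original article or from any vendor analysis: it walks a filesystem root, flags directories whose names mimic a Windows uninstall folder and that hold several user-document files, and returns them for review. The lookalike name pattern (`$NtUninstall...$`), the document extensions and the threshold are assumptions chosen for the example, and the sample directory tree it builds is constructed, not real malware output.

```python
"""Hunt for document staging folders disguised as Windows uninstall folders.

Assumptions (not from the original page): the lookalike name pattern,
the document extensions and the MIN_DOCS threshold are illustrative
choices; tune them to your own environment.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumed pattern for folders that imitate Windows hotfix uninstall folders.
LOOKALIKE = re.compile(r"^\$NtUninstall.*\$$", re.IGNORECASE)

# Assumed set of "interesting" user-document extensions a collector would copy.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}

# A genuine uninstall folder holds installer metadata, not user documents;
# three or more documents in a lookalike folder is treated as suspicious.
MIN_DOCS = 3


def is_lookalike(dirname: str) -> bool:
    """True if the directory name imitates a Windows uninstall folder."""
    return LOOKALIKE.match(dirname) is not None


def find_staging_dirs(root: str, min_docs: int = MIN_DOCS) -> list:
    """Return lookalike directories under root that hold >= min_docs documents.

    Each hit is a dict with the directory path and the sorted document names,
    so an analyst can review exactly which files were staged.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not is_lookalike(os.path.basename(dirpath)):
            continue
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in DOC_EXTS)
        if len(docs) >= min_docs:
            hits.append({"path": dirpath, "docs": docs})
    return hits


def build_sample_tree() -> str:
    """Build a constructed sample layout in a temp dir and return its root.

    Contains one legitimate-looking uninstall folder (installer files only),
    one ordinary user folder with documents, and one lookalike folder that
    has been stuffed with documents, which is the case the hunt should flag.
    """
    root = tempfile.mkdtemp(prefix="staging_hunt_")
    layout = {
        "$NtUninstallKB123456$": ["spuninst.exe", "spuninst.inf"],
        "Documents": ["memo.docx", "budget.xlsx", "plan.pdf"],
        "$NtUninstallKB999999$": ["memo.docx", "budget.xlsx", "plan.pdf", "notes.txt"[:0] or "readme.log"],
    }
    for folder, names in layout.items():
        path = os.path.join(root, folder)
        os.makedirs(path, exist_ok=True)
        for name in names:
            with open(os.path.join(path, name), "w", encoding="utf-8") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_staging_dirs(sample_root):
        print(f"suspicious staging folder: {hit['path']}")
        for doc in hit["docs"]:
            print(f"    {doc}")
```

Run it against a real volume by calling `find_staging_dirs("C:\\")` (or a mounted image path) instead of the constructed tree; a hit is not proof of infection on its own, but a lookalike system folder full of recently copied spreadsheets and reports is worth pulling for examination, along with any removable media that have been attached to the host.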

A particularly concerning development that's singular for FLASHFLOOD is that malware experts note a high degree of cooperation between it and SPACESHIP, which is a worm that infects USBs and other, removable devices. By doing so, SPACESHIP can compromise even normally-safe, air-gap-protected systems, help with ferrying the information back to the portable drive, and give FLASHFLOOD access to it. This strategy creates a smooth-flowing espionage operation, taking place across the payloads of multiple, interlocking threats.

Rerouting Bad Cyber-Weather

Individual deployments of FLASHFLOOD may include custom filters for exfiltrating information that's highly specific to the target, instead of the generalized 'take anything that's not nailed down' approach of most spyware programs. It also has strong associations with backdoor Trojans and users should assume that FLASHFLOOD infections include the risk of a threat actor that has control over a network-connected system. However, most of the attacks that malware experts can connect to APT30's history involve exploits requiring the victim's permission, at first, by the opening of an e-mail attachment or similar means.

Sharing any USB or other removable drive is a fast way of giving FLASHFLOOD access to your most valuable files. Users that can avoid doing so shouldn't share removable devices between their workplace and personal systems or between Internet-connected ones and offline or 'air-gapped' systems. Anti-malware products should eliminate FLASHFLOOD and threats associated with installing it, if they have the opportunity, such as by scanning an e-mail download before you open it.

FLASHFLOOD is a focused data collector whose rich history of file exfiltration includes attacks against the Association of Southeast Asian Nations and other politically sensitive targets. Its unique tactics for compromising air-gap protection are a powerful reminder that, no matter how good your security is, the people using your computers are the weakest links.
