A series of phishing attacks have been targeting U.S. companies in the utilities sector in an effort to infect systems with a new remote access Trojan (RAT), Proofpoint reports.
Sent on July 19 and July 25, the phishing emails carried Word documents attached with malicious macros designed to deploy and execute LookBack, a new RAT that uses a proxy mechanism for command and control (C&C) communication.
Proofpoint said it detected the attacks against three separate companies, but the group behind them has likely targeted other entities beyond Proofpoint’s visibility.
The fraudulent emails were sent from the attacker-controlled domain nceess[.]com, which appears to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The messages purported to be from a US-based engineering licensing board.
The attacks, Proofpoint says, are likely the work of a state-sponsored threat actor, given the macros used and overlaps with previously observed campaigns attributed to the Chinese cyber-espionage group APT10. However, LookBack hasn’t been attributed to a specific adversary yet.
The Word document attached to the phishing emails contains a VBA macro that, when executed, drops three Privacy Enhanced Mail (PEM) files. A version of certutil.exe is also dropped to decode the PEM files, after which the decoded files are restored to their proper extensions using essentuti.exe.
The restored files are GUP.exe, which borrows the name of an open-source binary used by Notepad++; libcurl.dll, a malicious loader DLL; and sodom.txt, which holds the command and control configuration. The macro then runs GUP.exe and libcurl.dll separately, thereby executing LookBack.
The RAT is written in C++ and relies on a proxy to relay data to the C&C. The malware can enumerate services running on the machine, view process/system/file data, delete files, execute commands, take screenshots, use the mouse, reboot the machine, and remove itself from the infected host.
Proofpoint has identified the following malware components: C&C proxy tool (referred to as GUP), malware loader (libcurl.dll capable of executing shellcode), communications module (referred to as SodomNormal), and backdoor component (referred to as SodomMain).
GUP, which has a hardcoded configuration, sets up a TCP listener on localhost and receives encoded data via requests from SodomNormal, which it then forwards to the C&C IP via HTTP.
The malware loader is a modified version of the legitimate libcurl.dll library: one of its exported functions has been altered to extract a resource embedded in the library, decrypt it, and load the resulting DLL to execute a malicious function. During the infection phase, the malicious macro that installs the malware sets up a Registry Run key to achieve persistence for libcurl.dll.
The communications module, which transmits data gathered by the RAT to the proxy tool, runs within the libcurl.dll loader as a loaded DLL. The module attempts to retrieve its configuration from a file, but reverts to a hardcoded config if that file is not available.
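The stages described above (Office macro decoding the dropped PEM files with certutil, launching GUP.exe, persisting libcurl.dll through a Run key, and GUP relaying traffic to the C&C over HTTP) map cleanly onto host telemetry. The following is an added hunting example written for this article; it is not Proofpoint's code or tooling. It assumes Sysmon-like event records with invented field names (`event`, `parent`, `image`, `orig_name`, `cmdline`, `pid`, `key`, `data`, `dst_ip`), treats a renamed certutil copy such as essentuti.exe as a heuristic, and uses constructed sample records in which the paths, pids, IPs and the Run-key launch string are made up, since the article does not give them.

```python
import re

# Constructed Sysmon-style telemetry; field names are assumptions, not a vendor schema.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DECODE_RE = re.compile(r"[-/]decode\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def office_spawns_certutil_decode(rec):
    """Macro stage: an Office process runs certutil (or a renamed copy such as
    essentuti.exe, a heuristic assumption) with the -decode switch, as when the
    dropped PEM files are decoded."""
    if rec["event"] != "process":
        return False
    image = basename(rec.get("image", ""))
    orig = rec.get("orig_name", "").lower()  # modelled on Sysmon's OriginalFileName
    certutil_like = image in {"certutil.exe", "essentuti.exe"} or orig == "certutil.exe"
    return (basename(rec.get("parent", "")) in OFFICE_PARENTS
            and certutil_like
            and DECODE_RE.search(rec.get("cmdline", "")) is not None)


def office_spawns_gup(rec):
    """Execution stage: an Office process launches a binary named GUP.exe. The
    legitimate GUP.exe is Notepad++'s updater and is started by Notepad++, not Word."""
    return (rec["event"] == "process"
            and basename(rec.get("parent", "")) in OFFICE_PARENTS
            and basename(rec.get("image", "")) == "gup.exe")


def run_key_points_to_libcurl(rec):
    """Persistence stage: a Run/RunOnce value whose data references libcurl.dll."""
    return (rec["event"] == "registry"
            and RUN_KEY_RE.search(rec.get("key", "")) is not None
            and "libcurl.dll" in rec.get("data", "").lower())


def hunt(records):
    """Apply the stage rules in order and correlate them: a GUP.exe that Office
    spawned is remembered by pid, and any later non-loopback outbound connection
    from that pid is reported as the proxy relaying data to the C&C. Loopback
    traffic (SodomNormal talking to GUP's local listener) is expected and not
    reported. Returns a list of (rule_name, record_index)."""
    findings = []
    suspicious_gup_pids = set()
    for i, rec in enumerate(records):
        if office_spawns_certutil_decode(rec):
            findings.append(("office_spawns_certutil_decode", i))
        if office_spawns_gup(rec):
            findings.append(("office_spawns_gup", i))
            suspicious_gup_pids.add(rec.get("pid"))
        if run_key_points_to_libcurl(rec):
            findings.append(("run_key_points_to_libcurl", i))
        if (rec["event"] == "network"
                and rec.get("pid") in suspicious_gup_pids
                and not is_loopback(rec.get("dst_ip", ""))):
            findings.append(("gup_proxy_beacon", i))
    return findings


# Constructed sample telemetry (not real logs); paths, pids and IPs are made up.
TMP = r"C:\Users\alice\AppData\Local\Temp"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_RECORDS = [
    {"event": "process", "pid": 4001, "parent": WORD, "image": TMP + r"\essentuti.exe",
     "orig_name": "CertUtil.exe", "cmdline": "essentuti.exe -decode GUP.pem GUP.exe"},
    {"event": "process", "pid": 4242, "parent": WORD, "image": TMP + r"\GUP.exe",
     "cmdline": "GUP.exe"},
    # The article only says a Run key persists libcurl.dll; this launch string is constructed.
    {"event": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\libcurl",
     "data": "rundll32.exe " + TMP + r"\libcurl.dll,#1"},
    # Benign: the real Notepad++ updater, started by Notepad++ and talking to its update host.
    {"event": "process", "pid": 5151, "parent": r"C:\Program Files\Notepad++\notepad++.exe",
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe", "cmdline": "GUP.exe -v8.1"},
    {"event": "network", "pid": 5151, "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    # The Office-spawned GUP.exe relaying to a remote host over HTTP.
    {"event": "network", "pid": 4242, "image": TMP + r"\GUP.exe",
     "dst_ip": "203.0.113.10", "dst_port": 80},
    # Benign: an admin verifying a certificate from a shell.
    {"event": "process", "pid": 6100, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe", "orig_name": "CertUtil.exe",
     "cmdline": "certutil -verify cert.cer"},
]

if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_RECORDS):
        print(f"{rule}: record {idx} -> {SAMPLE_RECORDS[idx]}")
```

The per-stage rules are deliberately narrow (Office parent plus a decode switch, Office parent plus the GUP.exe name, Run key plus libcurl.dll), and the pid correlation in `hunt` is what keeps the legitimate Notepad++ updater's own outbound traffic from being reported; any one rule alone would be noisy, while two or more firing on the same host within a short window matches the chain the article describes.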
The backdoor module can send and receive numerous commands, including: get process listing, kill process, execute a cmd.exe command, get drive type, find files, read files, delete files, write to files, execute files, enumerate services, start services, delete services, take a screenshot of the desktop, move/click the mouse and take a screenshot, exit, remove itself (libcurl.dll), shut down, and reboot.
Although there are artifacts linking it to APT10 assaults on Japanese corporations in 2018, “the LookBack malware has not previously been associated with a known APT actor and that no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary,” Proofpoint says.