New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector

A series of phishing attacks have been targeting U.S. companies in the utilities sector in an effort to infect systems with a new remote access Trojan (RAT), Proofpoint reports.

Sent on July 19 and July 25, the phishing emails carried Word documents with malicious macros designed to deploy and execute LookBack, a new RAT that uses a proxy mechanism for command and control (C&C) communication.

Proofpoint said it detected the attacks against three separate companies, but it is likely that the group behind the attacks has targeted other entities beyond Proofpoint's visibility.

Cyber Attacks against Utilities with LookBack malware

The fraudulent emails were sent from the attacker-controlled domain nceess[.]com, which appears to impersonate a domain owned by the US National Council of Examiners for Engineering and Surveying. The messages purported to be from a US-based engineering licensing board.

The attacks, Proofpoint says, are likely the work of a state-sponsored threat actor, given the macros used and overlaps with previously observed campaigns attributed to Chinese cyber-espionage group APT10. However, LookBack hasn't been attributed to a specific adversary yet.

The Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. A version of certutil.exe is also dropped to decode the PEM files, after which the decoded files are restored to their proper extensions using essentuti.exe.

The resulting files are GUP.exe (which takes the name of an open-source binary used by Notepad++), libcurl.dll (a malicious loader DLL), and sodom.txt (the command and control configuration). Next, the macro runs GUP.exe and libcurl.dll separately, thus executing LookBack.

The RAT is written in C++ and relies on a proxy to relay data to the C&C. The malware can enumerate services running on the machine, view process/system/file data, delete files, execute commands, take screenshots, use the mouse, reboot the machine, and remove itself from the infected host. 

Proofpoint has identified the following malware components: C&C proxy tool (referred to as GUP), malware loader (libcurl.dll capable of executing shellcode), communications module (referred to as SodomNormal), and backdoor component (referred to as SodomMain).

GUP, which has a hardcoded configuration, sets up a TCP listener on localhost and receives encoded data via requests from SodomNormal, which it then forwards to the C&C IP via HTTP. 

The malware loader is a modified version of the legitimate libcurl.dll library: one of its exported functions has been altered to extract a resource embedded in the library, decrypt the data it holds, and load the resulting DLL to execute a malicious function. During the infection phase, the malicious macro installing the malware sets up a Registry Run key to achieve persistence for libcurl.dll.

The communications module, which transmits data gathered by the RAT to the proxy tool, runs within the libcurl.dll loader as a loaded DLL. The module attempts to retrieve its configuration from a file, but reverts to a hardcoded config if that file is not available. 

The backdoor module can send and receive numerous commands, including: get process listing, kill process, execute cmd.exe command, get drive type, find files, read files, delete files, write to files, execute files, enumerate services, start services, delete services, take a screenshot of the desktop, move/click the mouse and take a screenshot, exit, remove self (libcurl.dll), shutdown, and reboot.
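The infection chain and proxy behaviour described above can be turned into endpoint detection logic. The following is an added example written for this article, not code from Proofpoint or SecurityWeek: it correlates constructed, Sysmon-like process, registry and network events for the stages the text names (an Office process decoding PEM files, a Run key pointing at libcurl.dll or GUP.exe, GUP.exe launched by something other than Notepad++, and a process that both listens on localhost and talks outbound HTTP). The file paths, listener port and IP addresses in the sample events are made up; the file names come from the article.

```python
"""Correlate endpoint events for the LookBack infection chain (added example)."""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOOKBACK_NAMES = {"gup.exe", "libcurl.dll", "sodom.txt"}  # file names from the article

# Constructed sample events (not real telemetry); paths, port and IPs are invented.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "essentuti.exe",
     "cmdline": "essentuti.exe -decode cert.pem GUP.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\user\AppData\Roaming\libcurl.dll"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "GUP.exe", "cmdline": "GUP.exe"},
    {"type": "listen", "image": "GUP.exe", "addr": "127.0.0.1", "port": 5099},
    {"type": "connect", "image": "GUP.exe", "addr": "203.0.113.10", "port": 80},
    {"type": "process", "parent": "notepad++.exe", "image": "GUP.exe", "cmdline": "GUP.exe"},
    {"type": "connect", "image": "chrome.exe", "addr": "198.51.100.7", "port": 80},
]


def detect(events):
    """Return (rule_name, evidence) pairs for events matching the LookBack chain."""
    hits = []
    listeners = set()  # images already seen binding a localhost listener
    for e in events:
        t = e["type"]
        if t == "process":
            parent, image, cmd = e["parent"].lower(), e["image"].lower(), e["cmdline"].lower()
            # Macro stage: an Office process runs a certutil-style decode of a .pem file
            if parent in OFFICE_APPS and "-decode" in cmd and ".pem" in cmd:
                hits.append(("office_pem_decode", e["image"]))
            # GUP.exe is the Notepad++ updater; any other parent is suspicious
            if image == "gup.exe" and parent != "notepad++.exe":
                hits.append(("gup_unexpected_parent", e["parent"]))
        elif t == "registry":
            # Persistence stage: a Run key value naming one of the dropped files
            if e["key"].lower().endswith(r"\run") and any(n in e["value"].lower() for n in LOOKBACK_NAMES):
                hits.append(("run_key_lookback_artifact", e["value"]))
        elif t == "listen" and e["addr"] == "127.0.0.1":
            listeners.add(e["image"].lower())
        elif t == "connect" and e["port"] == 80 and e["image"].lower() in listeners:
            # Proxy stage: a localhost listener that also sends outbound HTTP
            hits.append(("localhost_proxy_to_http", e["image"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Events are processed in order, so the proxy rule only fires for an image whose localhost bind was seen before its outbound HTTP connection.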

Although there are artifacts linking it to APT10 assaults on Japanese corporations in 2018, “the LookBack malware has not previously been associated with a known APT actor and that no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary,” Proofpoint says. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.