New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector

A series of phishing attacks have been targeting U.S. companies in the utilities sector in an effort to infect systems with a new remote access Trojan (RAT), Proofpoint reports.

Sent on July 19 and July 25, the phishing emails had Word documents attached that contained malicious macros designed to deploy and execute LookBack, a new RAT that uses a proxy mechanism for command and control (C&C) communication.

Proofpoint said it detected the attacks against three separate companies, but it is likely that the group behind the attacks has targeted other entities beyond Proofpoint’s visibility.

The fraudulent emails were sent from the attacker-controlled domain nceess[.]com, which appears to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The messages purported to be from a US-based engineering licensing board.

The attacks, Proofpoint says, are likely the work of a state-sponsored threat actor, given the utilized macros and overlaps with previously observed campaigns attributed to Chinese cyber-espionage group APT10. However, LookBack hasn’t been attributed to a specific adversary yet. 

The Word document attached to the phishing emails contains a VBA macro that, when executed, drops three Privacy Enhanced Mail (PEM) files. A copy of certutil.exe, renamed essentuti.exe, is also dropped and used to decode the PEM files, after which the decoded files are restored to their proper extensions.

The three decoded files are GUP.exe, which borrows the name of an open-source binary used by Notepad++; libcurl.dll, a malicious loader DLL; and sodom.txt, which holds the command and control configuration. The macro then runs GUP.exe and libcurl.dll separately, thus executing LookBack.

The RAT is written in C++ and relies on a proxy to relay data to the C&C. The malware can enumerate services running on the machine, view process/system/file data, delete files, execute commands, take screenshots, use the mouse, reboot the machine, and remove itself from the infected host. 

Proofpoint has identified the following malware components: C&C proxy tool (referred to as GUP), malware loader (libcurl.dll capable of executing shellcode), communications module (referred to as SodomNormal), and backdoor component (referred to as SodomMain).

GUP, which has a hardcoded configuration, sets up a TCP listener on localhost and receives encoded data via requests from SodomNormal, which it then forwards to the C&C IP via HTTP. 

The malware loader is a version of the legitimate libcurl.dll library with a modified exported function that extracts a resource embedded in the library, decrypts data from it, and loads the resulting DLL to execute a malicious function. During the infection phase, the malicious macro installing the malware sets up a Registry Run key to achieve persistence for libcurl.dll.

The communications module, which transmits data gathered by the RAT to the proxy tool, runs within the libcurl.dll loader as a loaded DLL. The module attempts to retrieve its configuration from a file, but reverts to a hardcoded config if that file is not available. 
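The infection chain and module behaviours above (an Office macro driving a renamed certutil to decode PEM droppers, GUP.exe launched from the document, a Run key pointing at libcurl.dll, and GUP.exe listening on localhost as a C&C proxy) map onto a few host-level checks. The following triage routine is an added example, not code from Proofpoint or the article; it runs over constructed Sysmon-like events in a simplified dict shape (an assumption), and the listener port is a constructed value.

```python
# Added example: score constructed endpoint events against the LookBack
# behaviours the article describes. Event shape is a simplified, assumed
# Sysmon-like dict; values below are constructed, not real telemetry.

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample batch: first four events mimic the described chain,
# the last one is benign Notepad++ usage that must not match.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "essentuti.exe",
     "cmdline": "essentuti.exe -decode tmp1.pem GUP.exe"},
    {"type": "process", "parent": "WINWORD.EXE", "image": "GUP.exe",
     "cmdline": "GUP.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\user\AppData\Roaming\libcurl.dll"},
    {"type": "listen", "image": "GUP.exe", "addr": "127.0.0.1", "port": 8080},
    {"type": "process", "parent": "explorer.exe", "image": "notepad++.exe",
     "cmdline": "notepad++.exe"},
]


def lookback_indicators(events):
    """Return the names of every LookBack-style indicator matched in a batch."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            parent = ev.get("parent", "").lower()
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "").lower()
            # certutil (or a renamed copy) decoding .pem files from an Office macro;
            # we key on the -decode switch rather than the binary name since it was renamed.
            if parent in OFFICE_PARENTS and "-decode" in cmd and ".pem" in cmd:
                hits.append("office-spawned certutil-style PEM decode")
            # the Notepad++ updater name being launched directly from an Office process
            if parent in OFFICE_PARENTS and image == "gup.exe":
                hits.append("office-spawned GUP.exe")
        elif kind == "registry":
            key = ev.get("key", "").lower()
            value = ev.get("value", "").lower()
            # Run-key persistence whose target is libcurl.dll
            if key.endswith(r"\currentversion\run") and value.endswith("libcurl.dll"):
                hits.append("Run key persistence for libcurl.dll")
        elif kind == "listen":
            # GUP.exe bound to loopback, matching the described local proxy listener
            if ev.get("image", "").lower() == "gup.exe" and ev.get("addr", "").startswith("127."):
                hits.append("GUP.exe localhost listener (C&C proxy)")
    return hits
```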

The backdoor module can send and receive numerous commands, including: get process listing, kill process, execute a cmd[.]exe command, get drive type, find files, read files, delete files, write to files, execute files, enumerate services, start services, delete services, take a screenshot of the desktop, move/click the mouse and take a screenshot, exit, remove self (libcurl[.]dll), shutdown, and reboot.

Although there are artifacts linking it to APT10 assaults on Japanese corporations in 2018, “the LookBack malware has not previously been associated with a known APT actor and that no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary,” Proofpoint says. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
