A spearphishing campaign first observed in July 2019 targeting 3 US utility firms with the LookBack remote access trojan (RAT) has evolved its tactics and extended its target list to include more than dozen companies, according to a new Proofpoint research.

The first wave of spearphishing emails was spotted by researchers between July 19 and July 25, 2019. The messages ostensibly sent from US National Council of Examiners for Engineering and Surveying contained a malicious Microsoft Word attachment that used macros to install the LookBack malware on victims’ computers. The malware includes a RAT module and a proxy mechanism used for command and control (C&C) communication. The LookBack RAT has an extensive set of functions, including the ability to view processes, system, and file data; delete files; execute commands and take screenshots; to move and click the mouse; to reboot the machine and delete itself from an infected host.

Now the Proofpoint team has identified a new wave of campaign, taking place between Aug. 21 and 29, which targeted additional U.S. companies in the utilities sector. Overall, since April 2019 the threat actor behind the attacks targeted at least 17 US utility firms, according to the report.

The campaign also used new TTPs [tactics, techniques and procedures], including an evolved macros, which researchers believe has been updated to bypass detection.

The recent wave of attacks was launched via spearphishing emails impersonating Global Energy Certification (GEC), an energy industry training and certification program. Like previous campaigns, the emails contained a malicious Microsoft Word document with a VBA macros which led to the installation of LookBack. However, the attackers added a new trick in the form of a legitimate and benign PDF file for a GEC handbook study guide likely in an attempt to convince potential victims that the document poses no harm.

While Proofpoint experts didn’t attribute the observed attack to any particular hacker group, they believe that this campaign could be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized.