24 September 2019

At least 17 US utility companies hit by state-sponsored LookBack phishing attack


A spearphishing campaign first observed in July 2019, which targeted 3 US utility firms with the LookBack remote access trojan (RAT), has evolved its tactics and extended its target list to more than a dozen companies, according to new Proofpoint research.

The first wave of spearphishing emails was spotted by researchers between July 19 and July 25, 2019. The messages, ostensibly sent from the US National Council of Examiners for Engineering and Surveying, contained a malicious Microsoft Word attachment that used macros to install the LookBack malware on victims’ computers. The malware includes a RAT module and a proxy mechanism used for command and control (C&C) communication. The LookBack RAT has an extensive set of functions, including the ability to view process, system, and file data; delete files; execute commands and take screenshots; move and click the mouse; reboot the machine; and delete itself from an infected host.

Now the Proofpoint team has identified a new wave of the campaign, taking place between Aug. 21 and 29, which targeted additional U.S. companies in the utilities sector. Overall, since April 2019 the threat actor behind the attacks has targeted at least 17 US utility firms, according to the report.

The campaign also used new TTPs (tactics, techniques and procedures), including an evolved macro that researchers believe has been updated to bypass detection.

The recent wave of attacks was launched via spearphishing emails impersonating Global Energy Certification (GEC), an energy industry training and certification program. Like previous campaigns, the emails contained a malicious Microsoft Word document with a VBA macro that led to the installation of LookBack. However, the attackers added a new trick in the form of a legitimate and benign PDF file, a GEC handbook study guide, likely in an attempt to convince potential victims that the attachment poses no harm.
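The delivery mechanism in both waves is a Word attachment carrying a VBA macro, paired in the second wave with a harmless PDF. One mail-gateway check a defender can apply without opening the file in Office is to inspect the Office Open XML container itself: a macro-bearing document ships a `word/vbaProject.bin` part and declares a macro-enabled content type. The script below is an added example written for this page, not code from Proofpoint or from the article; it builds two constructed sample containers (not real Word files) and triages them. The filenames and the block/review/allow policy are assumptions for illustration.

```python
import io
import zipfile

# Zip member in which Office Open XML (docx/docm) stores a VBA project.
VBA_PART = "word/vbaProject.bin"
# Content types declared in [Content_Types].xml for a macro-enabled main part,
# a plain (macro-free) main part, and the VBA project part respectively.
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"


def build_sample_doc(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped container for demonstration only.

    This is a constructed sample, not a real Word file: it contains only the
    parts the inspector looks at.
    """
    main_ct = MACRO_MAIN_CT if with_macros else PLAIN_MAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macros:
        content_types += f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CT}"/>'
    content_types += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a real OLE VBA stream.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


def inspect_ooxml(data: bytes) -> dict:
    """Return VBA indicators for a byte string that may be an OOXML package."""
    info = {"is_ooxml": False, "has_vba_part": False, "macro_content_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return info  # not a zip container: PDF, legacy .doc, or something else
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            return info  # a zip, but not an Office Open XML package
        info["is_ooxml"] = True
        info["has_vba_part"] = VBA_PART in names
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        info["macro_content_type"] = MACRO_MAIN_CT in ctypes or VBA_CT in ctypes
    return info


def triage_attachment(filename: str, data: bytes):
    """Classify an attachment as ('block' | 'review' | 'allow', reasons).

    The policy is an assumption for this example: any OOXML package carrying
    VBA is blocked, and a .docx name on a package that still carries VBA is
    flagged as an extension mismatch. Legacy binary .doc files cannot be
    inspected this way and are routed to sandbox review.
    """
    info = inspect_ooxml(data)
    reasons = []
    if info["has_vba_part"]:
        reasons.append("vba_project_present")
    if info["macro_content_type"]:
        reasons.append("macro_enabled_content_type")
    name = filename.lower()
    if reasons and name.endswith(".docx"):
        # The extension advertises a macro-free document, yet VBA is present.
        reasons.append("extension_mismatch")
    if reasons:
        return "block", reasons
    if name.endswith(".doc"):
        return "review", ["legacy_binary_format"]
    return "allow", []


if __name__ == "__main__":
    # Constructed attachments; the names are hypothetical, not from the campaign.
    samples = [
        ("GEC_handbook.docm", build_sample_doc(True)),
        ("study_guide.docx", build_sample_doc(False)),
        ("handbook.pdf", b"%PDF-1.4\n%constructed placeholder\n"),
    ]
    for fname, blob in samples:
        print(fname, triage_attachment(fname, blob))
```

The check is deliberately narrow: it reads only the package structure, so it runs quickly at a gateway and cannot be fooled by the benign PDF travelling alongside. Deeper analysis of the macro body, and of legacy OLE `.doc` files, belongs in a detonation sandbox or a dedicated VBA parser.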

While Proofpoint experts didn’t attribute the observed attack to any particular hacker group, they believe the campaign could be the work of a state-sponsored APT actor, based on overlaps with historical campaigns and the macros utilized.
