Three U.S. firms in the utility sector were hit with a spear phishing campaign in mid-July in which the emails carried a malicious Word document whose macro installs a new remote access trojan, LookBack.
The Proofpoint Threat Insight Team’s initial assessment is that the attack was the work of a nation-state sponsored actor, based on the macro used and its similarity to macros seen in previous attacks by such groups.
The social engineering behind the emails, which were sent between July 19 and 25, makes them appear to come from the U.S. National Council of Examiners for Engineering and Surveying (NCEES), using a lookalike domain and that organization’s logo. The email itself pretends to contain a failed examination result from NCEES, a subject likely to pique the recipient’s interest and get the attachment opened, Proofpoint said.
“The email sender address and reply-to fields contained the impersonation domain nceess[.]com. Like the phishing domain, the email bodies impersonated member ID numbers and the signature block of a fictitious employee at NCEES. The Microsoft Word document attachment included in the email also invoked the failed examination pretense with the file name ‘Result Notice.doc,’” Proofpoint wrote.
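One way to catch a lure like this at the mail gateway is to compare the From and Reply-To domains against the organization being impersonated and to flag macro-capable attachments. The following Python is an added example, not Proofpoint’s code or anything from its report; the sample message is constructed from the details above, and ncees.org is assumed here to be the genuine NCEES domain (the article names only the impersonation domain).

```python
import email
from email import policy
from email.utils import parseaddr

# Domains to protect against impersonation. ncees.org is an assumption:
# the article names only the lookalike nceess[.]com.
PROTECTED_DOMAINS = {"ncees.org"}

# Legacy and macro-enabled Office extensions that can carry VBA.
MACRO_CAPABLE = {".doc", ".dot", ".docm", ".xls", ".xlsm", ".pptm"}

# Constructed sample message modelled on the lure described in the article:
# sender and Reply-To at the impersonation domain, "Result Notice.doc" attached.
SAMPLE_MESSAGE = """\
From: NCEES Exam Services <exams@nceess.com>
Reply-To: exams@nceess.com
To: engineer@example.com
Subject: Result Notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your examination result is attached.
--b1
Content-Type: application/msword; name="Result Notice.doc"
Content-Disposition: attachment; filename="Result Notice.doc"

ZmFrZQ==
--b1--
"""


def levenshtein(a, b):
    """Edit distance between two strings (classic two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, so nceess.com is compared to ncees.org as nceess vs ncees."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return the protected domain that `domain` impersonates, or None."""
    d = domain.lower()
    if d in protected:
        return None
    for p in protected:
        if levenshtein(registrable_label(d), registrable_label(p)) <= max_distance:
            return p
    return None


def header_domains(msg):
    """Map of address-bearing headers to the domain used in each."""
    out = {}
    for hdr in ("From", "Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(hdr, ""))
        if "@" in addr:
            out[hdr] = addr.rsplit("@", 1)[1].lower()
    return out


def analyse(raw):
    """Return a list of findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for hdr, dom in header_domains(msg).items():
        target = lookalike_of(dom)
        if target:
            findings.append(f"{hdr} domain {dom} is a lookalike of {target}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MACRO_CAPABLE:
            findings.append(f"macro-capable attachment {name!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_MESSAGE):
        print(finding)
```

Comparing only the second-level label is deliberate: the impersonation domain swapped the TLD as well as adding a letter, so a whole-domain comparison would miss it. A production filter would also normalise homoglyphs and check a Sender/Return-Path mismatch, but the edit-distance check alone is enough to flag this campaign’s headers.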
Once installed on a machine, LookBack, which is written in C++, can carry out several tasks: listing services; viewing process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine; and deleting itself from the infected host.