A malicious threat actor continued to target the U.S. utilities sector with LookBack malware last August, launching a new phishing campaign that targeted organizations with emails impersonating a certification test administrator.

Discovered earlier this year by researchers at Proofpoint, LookBack includes a proxy mechanism and a remote access trojan module. In July, the attackers behind LookBack tried to spread it to utility companies via phishing emails that attempted to trick recipients into thinking they failed a professional license exam for engineers and surveyors.

Like that earlier scheme, the August phishing campaign attempted to infect victims via Microsoft Word documents containing obfuscated VBA macros. In this latest case, the email message featured an invitation to take the Energy Research and Intelligence Institution's Global Energy Certification exam. The fraudulent email borrowed the legit GEC logo and was sent from a spoofed domain that looked similar to the real domain, except that it used the wrong top-level domain.

From June 12 through July 30, the fake domain was hosted by an IP address that was also used in the July LookBack phishing campaign.

The emails contained two attachments: the weaponized Word document, and a benign and authentic exam study guide in PDF format, included to feign legitimacy, the Proofpoint Threat Insight Team explained yesterday in a company blog post authored by Michael Raggi, senior threat research engineer.

The campaign lasted between Aug. 21 and Aug. 29, but two weeks before this activity started, the threat actors used a staging IP to perform reconnaissance scanning against prospective targets. The scanning specifically targeted SMB over IP via port 445, Proofpoint noted.

According to Proofpoint, LookBack malware can enumerate services; view of process, system, and file data; delete files; execute commands; take screenshots; manipulate the mouse; reboot machines and delete itself.

"Newly discovered LookBack campaigns observed within the U.S. utilities sector provides insight into an ongoing APT campaign with custom malware and a very specific targeting profile," Raggi concluded. "The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset."

Citing Proofpoint's findings, a Sept. 23 report from Forbes states that the most likely suspect behind the LookBack attacks is APT10, an advanced persistent threat group widely linked to Chinese government-sponsored hackers.

SC Media inquired with Proofpoint to see if its researchers could validate this theory. "While we cannot disclose particular attribution at this time due to ongoing investigations, the evolution of TTPs including updated macros demonstrates a further departure from tactics previously employed by known APT groups," said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. "However, the sophistication seen in this campaign and the targeting of the utilities sector has the hallmarks of a nation-state sponsor. Our analysts did not observe additional code overlap or infrastructure reuse that would cement attribution to a known APT group."