Threat Management, Critical Infrastructure Security, Threat Management, Threat Intelligence, Malware, Phishing

Second phishing campaign featuring LookBack malware targets U.S. utilities

A malicious threat actor continued to target the U.S. utilities sector with LookBack malware last August, launching a new phishing campaign that targeted organizations with emails impersonating a certification test administrator.

Discovered earlier this year by researchers at Proofpoint, LookBack includes a proxy mechanism and a remote access trojan module. In July, the attackers behind LookBack tried to spread it to utility companies via phishing emails that attempted to trick recipients into thinking they failed a professional license exam for engineers and surveyors.

Like that earlier scheme, the August phishing campaign attempted to infect victims via Microsoft Word documents containing obfuscated VBA macros. In this latest case, the email message featured an invitation to take the Energy Research and Intelligence Institution's Global Energy Certification exam. The fraudulent email borrowed the legit GEC logo and was sent from a spoofed domain that looked similar to the real domain, except that it used the wrong top-level domain.

From June 12 through July 30, the fake domain was hosted by an IP address that was also used in the July LookBack phishing campaign.

The emails contained two attachments: the weaponized Word document, and a benign and authentic exam study guide in PDF format, included to feign legitimacy, the Proofpoint Threat Insight Team explained yesterday in a company blog post authored by Michael Raggi, senior threat research engineer.

The campaign lasted between Aug. 21 and Aug. 29, but two weeks before this activity started, the threat actors used a staging IP to perform reconnaissance scanning against prospective targets. The scanning specifically targeted SMB over IP via port 445, Proofpoint noted.

According to Proofpoint, LookBack malware can enumerate services; view of process, system, and file data; delete files; execute commands; take screenshots; manipulate the mouse; reboot machines and delete itself.

"Newly discovered LookBack campaigns observed within the U.S. utilities sector provides insight into an ongoing APT campaign with custom malware and a very specific targeting profile," Raggi concluded. "The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset."

Citing Proofpoint's findings, a Sept. 23 report from Forbes states that the most likely suspect behind the LookBack attacks is APT10, an advanced persistent threat group widely linked to Chinese government-sponsored hackers.

SC Media inquired with Proofpoint to see if its researchers could validate this theory. "While we cannot disclose particular attribution at this time due to ongoing investigations, the evolution of TTPs including updated macros demonstrates a further departure from tactics previously employed by known APT groups," said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. "However, the sophistication seen in this campaign and the targeting of the utilities sector has the hallmarks of a nation-state sponsor. Our analysts did not observe additional code overlap or infrastructure reuse that would cement attribution to a known APT group."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.