Three US entities from the utility sector were targeted by a spear-phishing campaign which used a new malware that featured a remote access Trojan (RAT) module with the aim of giving attackers admin control of the infected systems.
The new malware called LookBack was discovered by researchers from Proofpoint's Threat Insight Team after analyzing phishing attacks and their malicious payloads.
In a blog post detailing their discovery, the researchers explained how the phishing emails impersonated a US-based engineering licensing board to appear as legitimate emails, saying:
- Businesses facing major threat from financial malware
- LinkedIn emails are hiding phishing scams
- Major rise in password-stealing malware detected
“The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed “LookBack.”
LookBack malware
The phishing emails, which the utilities received on July 19 and July 25, were all sent from ncess.com which the attackers controlled but Proofpoint also discovered that they were impersonating several other US engineering and electric licensing bodies with fraudulent domains. Since only one of the domains was used in these recent spear-phishing attacks, there is high probability that other campaigns using similar tactics will be launched in the future.
The malware dropped by the phishing campaign is a remote access Trojan developed in C++ which would allow the attackers to completely take control of the compromised machines once they were infected.
According to Proofpoint, the LookBack remote access Trojan would aid the attackers in enumerating services, viewing process, system and file data, deleting files and executing commands, taking screenshots, moving and clicking the mouse and it could even reboot the machine and delete itself from an infected host.
The LookBack malware also contained multiple components including a command and control proxy tool called GUP, a malware loader, a communications module and a remote access Trojan component.
Proofpoint also noted that the spear-phishing attack launched against US utilities may be the work of a state-sponsored advanced persistent threat (APT) actors because of overlaps with other historical campaigns and macros utilized.
- We've also highlighted the best anti-malware software
