U.S. utilities are being targeted in a phishing campaign distributing a new malware variant called LookBack. The spear phishing campaign impersonates a U.S. engineering licensing board and lures recipients into opening an attached Word document.
The emails impersonate the U.S. National Council of Examiners for Engineering and Surveying (NCEES) and claim that the recipient has failed an NCEES examination. Further information about the result of the examination is detailed in an attached Word document called Result Notice.doc.
The document contains a VBA macro that downloads a new malware variant consisting of a remote access Trojan, a proxy tool, malware loader, and communications module for communicating with its command and control server. The emails were sent from a domain that impersonated NCEES – nceess[dot]com and the emails included the correct NCEES logo.
The RAT is written in C++ and is capable of finding, reading, deleting, writing to, and executing files, starting and stopping services, enumerating services, taking screenshots, and performing mouse moves and clicks. The malware can delete itself and can force a shutdown or reboot.
The malware was intercepted and analyzed by security researchers at Proofpoint who noted similarities in the macros and malware code to past attacks by state-sponsored APT groups on companies in Japan 2018. Further information on the APT group and nation-state suspected of being behind the attacks have not yet been released, pending further investigation. The 2018 attacks were attributed to the Chinese cyber espionage group APT10 by researchers at FireEye, although no concrete links have been found between that group and the latest attacks
The campaign targeted three utilities firms in the United States between July 19 and July 25, and in all instances the malware was intercepted and neutralized.
“The risks facing utility companies, and their individual employees, are widespread and a successful attack could have extensive implications across both the private and public sectors,” said Sherrod DeGrippo, senior director of Threat Research and Detection, Proofpoint. “These attacks are sophisticated, clearly leveraging extensive research and industry knowledge by an actor who has investigated and collected data on individual targets and NCEES.”