A spear-phishing campaign targeted three US firms from the utility sector with a new malware featuring a remote access Trojan (RAT) module.
“Between July 19 and July 25, 2019, several spear-phishing emails were identified targeting three US companies in the utility sector,” Proofpoint researchers wrote in a report published Thursday. “The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying.
“The emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed ‘LookBack.’ This malware consists of a remote access Trojan (RAT) module and a proxy mechanism used for command and control (C&C) communication.”
According to Proofpoint, the LookBack malware relies on a proxy communication tool to relay data from the infected host to a command and control IP. Its capabilities include enumerating services; viewing process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine; and deleting itself from the infected host.
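The lure described above combines two observable signals a mail gateway can score on its own: a sender domain that is a near-miss of a trusted one (nceess[.]com standing in for the licensing board's real domain) and a macro-capable Office attachment. The following triage script is an added example written for this article; it is not Proofpoint's code or any vendor tool. It assumes a one-line-per-message gateway log of the form `ts=<iso8601> from=<address> attach=<filename>` (filenames without spaces), a locally maintained list of trusted sender domains, and that the legitimate NCEES domain is ncees.org, which the article does not state. The log lines are constructed.

```python
"""Lookalike-sender and macro-attachment triage over mail-gateway log lines.

Added example for this article, not Proofpoint's code or any vendor tooling.
Assumes a log of the form "ts=<iso8601> from=<address> attach=<filename>"
and a locally maintained trusted-domain list. ncees.org as the genuine
NCEES domain is an assumption; the article only names nceess[.]com.
"""
from typing import Optional

# Assumed trusted-sender list. In practice this comes from the gateway's
# allow-list or the organisation's list of regulators and vendors.
PROTECTED_DOMAINS = ["ncees.org", "example-utility.com"]

# Office formats that can carry VBA macros (legacy .doc/.xls always can).
MACRO_CAPABLE_EXT = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt", ".xlsm", ".pptm"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of a host name: 'mail.nceess.com' -> 'nceess'.

    Deliberately crude; a real deployment would consult the Public Suffix List.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return fields


def assess(line: str) -> Optional[dict]:
    """Return {'severity', 'reasons'} for a suspicious message, or None."""
    f = parse_line(line)
    reasons = []

    sender_domain = f.get("from", "").rpartition("@")[2].lower()
    if sender_domain and sender_domain not in PROTECTED_DOMAINS:
        label = registrable_label(sender_domain)
        for good in PROTECTED_DOMAINS:
            dist = levenshtein(label, registrable_label(good))
            # 1-2 catches typosquats such as nceess vs ncees; 0 means the same
            # label on a different TLD, which is also worth a look.
            if dist <= 2:
                reasons.append(f"sender {sender_domain} resembles trusted {good} (edit distance {dist})")

    attach = f.get("attach", "")
    ext = attach[attach.rfind("."):].lower() if "." in attach else ""
    if ext in MACRO_CAPABLE_EXT:
        reasons.append(f"macro-capable attachment {attach}")

    if not reasons:
        return None
    # Lookalike sender plus macro document together match the lure pattern
    # in the campaign above, so the pair escalates to 'high'.
    severity = "high" if len(reasons) >= 2 else "medium"
    return {"severity": severity, "reasons": reasons}


# Constructed sample log lines (not from the article or any real mailbox).
SAMPLE_LOG = [
    "ts=2019-07-22T09:14:05Z from=exams@nceess.com attach=Result_Notice.doc",
    "ts=2019-07-22T09:20:41Z from=exams@ncees.org attach=Result_Notice.pdf",
    "ts=2019-07-22T10:02:13Z from=hr@example-utility.com attach=policy.docm",
    "ts=2019-07-22T10:30:00Z from=news@unrelated-vendor.net attach=brochure.pdf",
]


def triage(lines):
    """Run assess() over a log and return only the flagged (line, result) pairs."""
    return [(ln, r) for ln in lines if (r := assess(ln)) is not None]


if __name__ == "__main__":
    for line, result in triage(SAMPLE_LOG):
        print(result["severity"].upper(), "|", line)
        for reason in result["reasons"]:
            print("   -", reason)
```

Run against the constructed log, the first line is rated high (lookalike domain plus a legacy `.doc`), the third is medium (trusted sender, but a `.docm` still deserves sandboxing), and the two `.pdf` messages from legitimate or unrelated domains pass. The edit-distance threshold is the knob to tune: 2 is aggressive for short labels, so in production it is normally paired with an age-of-domain or SPF/DMARC result before anything is quarantined.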
Company researchers told Threatpost that the emails with malicious attachments were blocked before they could infect the unnamed utility companies.
“We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized,” the researchers said.