Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

LookBack Malware Campaign Spreads to More US Utilities

Proofpoint Researchers Say 17 Targeted in Phishing Campaign Since April

(Photo: Tony Webster via Flickr)

An ongoing campaign to spread a new type of malware dubbed LookBack among U.S.-based utilities is much more extensive than previously believed, with at least 17 companies targeted since April, Proofpoint researchers say.

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

The malware is spread through a spear-phishing campaign using stolen logos and other material from legitimate industry associations to entice victims to click on a malicious Microsoft Word attachment that conceals the LookBack Trojan, researchers say.

The campaign, which is targeting utilities throughout the U.S., was first spotted in April and has continued through at least the end of August, according to Proofpoint.

The researchers say this campaign appears to be the work of an advanced persistent threat group, but, so far, Proofpoint has not attributed the attacks to one particular group or a nation-state backer.

The motives behind the attacks also remain a mystery. LookBack is a versatile remote access Trojan, or RAT, capable of stealing data, deleting data, taking screenshots and other spying activities, says Sherrod DeGrippo, Proofpoint's senior director of threat research and detection.

"We can only speculate on secondary aims beyond initial infection, but the nature of the malware - a remote access Trojan - allows for a range of data exfiltration, potential remote control of infected devices and installation of additional malware," DeGrippo tells Information Security Media Group.

Anatomy of an Attack

As with many other malicious campaigns, the campaign using LookBack starts with a phishing email and a seemingly benign Word attachment.

The attackers make their phishing emails look like legitimate messages by incorporating logos and other materials from the Global Energy Certification - an organization that offers education certificates and training for those working in the energy industry. The threat actors use a domain in the phishing email that includes .net, while the legitimate Global Energy Certification website domain is listed as .org, according to Proofpoint.

Global Energy Certification-themed phishing email (Image: Proofpoint)

The email contains the message "Take the exam now," along with a Microsoft Word document - portrayed to look like a legitimate certification - that hides malicious Visual Basic for Applications macros, the Proofpoint researchers say. If a victim clicks that document, the LookBack malware is then installed within the infected machine and calls back to a command-and-control server.

LookBack includes a proxy tool used to communicate with the command-and-control server to send data back to the attackers, according to the Proofpoint analysis. It also includes a malware loader and a communications module that helps establish the link to the command-and-control server, researchers say.

The phishing emails are designed to bypass security defenses by the way the attachments are set up as well as the obfuscation code used to hide the macros, DeGrippo says. "The inclusion of non-malicious PDF attachments, code obfuscation and more, could certainly help attackers bypass some automated protections," he says.

In addition to some updates that the attackers made to the macros between July and August, the Proofpoint researchers say that whoever is behind this campaign is now scanning for open and vulnerable Microsoft SMB ports to identify potential targets up to two weeks before the initial intrusions begin, the researchers find.

These details seem to point to the work of an advanced persistent threat group.

"Visual Basic for Applications phishing macros in Microsoft Word attachments appeared to be updated versions of macros utilized previously to target Japanese corporations in 2018," DeGrippo says. "However, despite observing distinct similarities with historic [advanced persistent threat] campaigns, our analysts did not observe additional code overlap or infrastructure reuse that would cement attribution to a known APT group."

On the Lookout

The group behind this campaign has continued to target more utilities throughout the U.S. even though Proofpoint published a report on the campaign in August.

Proofpoint is contacting industry groups, such as Global Energy Certification, that might have had their logos and other materials spoofed by the attack group as part of the phishing campaign. In previous campaigns, the attacks have lifted material from the National Council of Examiners for Engineering and Surveying - a professional organization for engineers and surveyors.

There's also a possibility that the campaign is much larger than Proofpoint has been able to detect so far, DeGrippo warns.

Threats to Utilities

Other APT threats against utilities have been reported in recent months.

For example, in June, security firm Dragos described how a nation-state backed group it calls Xenotime has started switching targets from the oil and gas industry to electrical utilities and power plants in the U.S. as well as Asia (see: Xenotime Group Sets Sights on Electrical Power Plants).

DeGrippo says, however, that the campaign using LookBack is much more tailored compared to other types of phishing campaigns that are financially motivated.

"Generally, commodity crimeware campaigns are not vertically targeted and are not a good basis for comparison with potential APT activity," DeGrippo says. "Those financially motivated campaigns that are vertically targeted are typically not as sophisticated as this actor."