Remote Access Trojan Spear-Phishing Targets US Utility Firms

Seventeen utility firms across the USA were targeted by an unknown state-sponsored hacking group between early April and late August this year.

This new figure, as reported by Proofpoint, has been upgraded from three US utility companies (in an August 2 Proofpoint report) which had been targeted by spear-phishing emails sent between July 19 and July 25.

However, between August 21 and August 29 further spear-phishing emails were identified targeting more US utility companies.

According to the latest report, these emails "originated from what appears to be an actor-controlled domain: globalenergycertification[.]net - (which), like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (GEC). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack."

(Lookback is a remote access Trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to a command and control IP. Its capabilities include viewing of process, system and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the maching and deleting itself from an infected host.)

Prior to the start of the phishing campaigns, threat actors conducted reconnaissance scanning against future targets utilizing a staging IP.

"Scanning activity targets SMB over IP via port 445 up to two weeks prior to the arrival of phishing emails," states the report. "Observed scanning IPs in some instances have also hosted phishing domains prior to their use in phishing campaigns."

The Aug 21 - 29 emails masqueraded as an invitation to take the GEC exam administered by the Energy Research and Intelligence Institution. The email used the GEC logo and the subject line 'Take the exam now' ... along with a malicious Microsoft Word document attachment named 'take the exam now.doc', which contained VBA macros that led to the installation of LookBack.

Once opened, the VBA macro installs several privacy-enhanced mail files on the host. Proofpoint found these to be both malware modules and macro variables.

"Tempgup.txt, tempgup2.txt, and tempsodom.txt are LookBack modules," states the report. "Additionally, the file Temptcm.tmp, which is a version of certutil.exe, is dropped concurrently and will be used to decode the initial files."

The macro then decodes the PEM files using Temptcm.tmp, then creates a copy of the decoded PEM files restoring their proper file extensions with the Windows essentuti.exe:

- Tempgup.txt becomes GUP.exe, the GUP Proxy tool.

- Tempgup2.txt becomes libcurl.dll, a malicious loader.

- Tempsodom.txt becomes sodom.txt, which contains command and control configuration data utilized by the SodomNormal module.

The report doesn't state which group is responsible for the attack, but mentions "an ongoing APT campaign with custom malware and a very specific targeting profile ... the creators of LookBack malware are yet to depart from their persistent focus on critical infrastructure providers in the United States."

(the August 2 Proofpoint report references another report that discusses how APT10, a Chinese cyber espionage group, used similar spear-phishing tactics on Japanese entities).

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.