Utilities come under attack in new LookBack spearphishing campaign

News by Rene Millman

Spear-phishing emails containing a malicious Microsoft Word attachment that installs RAT are specifically targetting utilities in a new campaign.

Utilities have come under attack from a new sophisticated, potentially state-sponsored hacking campaign using spearphishing emails.
According to a blog post by security researchers at Proofpoint, the emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed "LookBack" which contains a Remote Access Trojan capable of deleting files, taking screenshots, rebooting a machine, and deleting itself from an infected network, among other attributes.
The attacks took place between 19 and 25 July this year with several spear phishing emails identified?targeting three US companies in the utilities sector. The Microsoft Word document attachment included in the email also?invoked the failed examination pretence with the file name "Result Notice.doc."??
When the attachment is executed, the malicious VBA macro within the Microsoft Word attachment drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt, and tempsodom.txt. Additionally, the file?Temptcm.tmp,?which is a version of certutil.exe,?is dropped to decode the PEM files using?Temptcm.tmp. 
Researchers said that the detection of a new malware family delivered using phishing?tactics once used by known APT adversaries highlights a continuing global risk from nation-state actors. Phishing emails leveraged the knowledge of the licensing bodies utilised within the utilities sector for social engineering purposes that communicated urgency and relevance to their targets.
They added that there were similarities between the macros used in this campaign and historic APT campaigns?targeting Japanese corporations in 2018. Historically this has suggested a Chinese attacker.
"In the attachments identified as part of the July 2019 campaigns, threat actors appeared to utilise many concatenation commands within the macro to obfuscate the VBA function. It is possible these concatenations were an attempt to evade static signature detection for the macro strings while maintaining the integrity of the installation mechanism, which had been historically been used to?target different sectors and geographies," researchers said.
Researchers added that persistent targeting of any entity that provides critical infrastructure should be considered an acute risk with a potential impact beyond the immediate targets.
"Since so many other individuals and sectors rely on these services to remain operational safeguarding them is paramount," they added.
Matt Aldridge, senior solutions architect at Webroot, told SC Media UK that this highly targeted phishing technique or ‘spear phishing’ is presenting itself as a huge risk to companies across the board.
"Users need to be vigilant when they spot an email that doesn’t seem quite right. Misspelled URLs, requests for sensitive information that might not be of essential use to a company chief or lack of personal greeting should raise suspicions and it is critical that employees double-check before responding," he said.
Bromium EMEA CTO Fraser Kyne, told SC Media UK that for many organisations, employee education is the natural solution to reducing this risk. 
"However, as email phishing campaigns become more convincing, even experienced security professionals can be duped, so training alone can never be a silver bullet. Relying solely on education to tackle email threats is dangerous because any gap in knowledge or minor oversight could mean one well-targeted phishing attack could bring a business to its knees," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews