A spearphishing campaign, first spotted in July targeting three U.S. utility companies with a new malware variant, has evolved its tactics and extended its targeting to include nearly 20 companies.
The campaign was first discovered in phishing emails, sent between July 19 and 25, which targeted utility companies with malicious attachments attempting to spread the new malware variant LookBack. The malware has capabilities to view system data and reboot machines.
Researchers with Proofpoint have now identified a more recent wave of the campaign, taking place between Aug. 21 and 29, which targeted additional U.S. companies in the utilities sector. The campaign also used new TTPs [tactics, techniques and procedures], including evolved macros, which researchers believe have been updated to bypass detection.
“Newly discovered LookBack campaigns observed within the US utilities sector provides insight into an ongoing APT campaign with custom malware and a very specific targeting profile,” said Michael Raggi with Proofpoint in a Monday analysis. “The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset.”
At this point, researchers have now identified at least 17 entities in the US utilities sector targeted by these actors from Apr. 5 through Aug. 29, 2019.
Like previous attacks, the newer wave is launched through spearphishing emails impersonating a licensing body related to the utilities sector – in this case, masquerading behind a domain (globalenergycertification[.]net) that spoofs the legitimate domain (globalenergycertification[.]org) and uses the legitimate logo of Global Energy Certification (GEC), an energy industry training and certification program.
The emails purported to be a certification program online examination and included the subject line “Take the exam now” as well as a malicious Microsoft Word document attachment named “take the exam now.doc.”
Unlike previous campaigns, the bad actors added a new trick: they also attach a legitimate, non-malicious PDF file (a GEC handbook study guide), which could trick users into thinking that the Word document is also safe to open.
“This file, like that used in the initial LookBack campaigns, contained VBA macros which led to the installation of LookBack. Unlike earlier campaigns, actors attached a legitimate and benign PDF file for exam preparation which was also hosted on the legitimate GEC site,” researchers said. “It is likely that this represents social engineering efforts by the actors to legitimize the email to recipients.”
Evolution of Macros
The malicious file contained VBA macros which install the LookBack malware.
LookBack is a RAT written in C++ that relies on a proxy communication tool to relay data from the infected host to the command-and-control server (C2). The malware has capabilities to view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.
The malware comprises several components, including a C2 proxy tool (dubbed GUP proxy tool), a malware loader, a communications module (called SodomNormal) to create the C2 channel with the GUP proxy tool, and a RAT component (called SodomMain) to decode the initial beacon response received from the GUP proxy tool.
The macros in the most recent campaign have been updated, researchers said. The earlier, July version of the macro, once downloaded, would create macro variables contained in three files (pense1.txt, pense2.txt and pense3.txt).
Once the Word document is opened and macros are enabled, these variables are referenced to point the macro modules to specific functions. For instance, the variables in the pense1.txt file are specific to the creation of the GUP proxy tool.
In the August campaign, these three variable files are replaced with nine. Two files remain constant (pense1.txt and pense2.txt), while the third (pense3.txt) is replaced with seven additional PEM files, each of which is run alongside the pense2.txt file individually.
“Analysts have not determined the reason for altering this macro but speculate that by increasing the number of variable files and maintaining the core functionality of the macro, actors are attempting to further obfuscate this installation method to avoid detection,” researchers said.
Actors also appear to be using a new IP address; emails in this most recent campaign originate from the IP address 79.141.169[.]3. Upon further investigation of the domain registration history for the domain utilized [globalenergycertification[.]net], researchers found it was previously hosted by the IP 103.253.41[.]75 – used to host domains in previous LookBack phishing campaigns.
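The indicators reported above (the lookalike sender domain, the two originating IPs, the lure subject and attachment name, and the macro variable file names) can be turned into a simple triage check for mail already parsed by a gateway or SOAR playbook. The following is an added example for defenders, not code from Proofpoint or Threatpost: the EmailMeta structure, the sample messages, the 198.51.100.x addresses and the idea that macro strings have already been extracted from the attachment by some other tool are all assumptions made for the illustration.

```python
"""
Added defender-side example: match parsed email metadata against the LookBack
campaign indicators reported in the article, plus a lookalike-domain check
against the legitimate Global Energy Certification domain.
Everything under "constructed" is made up for this illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Indicators reported in the article (defanging brackets removed for matching).
PHISH_SENDER_DOMAINS = {"globalenergycertification.net"}
PHISH_SOURCE_IPS = {"79.141.169.3", "103.253.41.75"}
PHISH_SUBJECTS = {"take the exam now"}
PHISH_ATTACHMENTS = {"take the exam now.doc"}
# The legitimate domain the campaign spoofs; drives the lookalike check.
LEGIT_DOMAINS = {"globalenergycertification.org"}
# Macro variable file names named in the article (the seven extra PEM file
# names from the August wave are not reported, so they are not listed here).
MACRO_VARIABLE_FILES = {"pense1.txt", "pense2.txt", "pense3.txt"}


@dataclass
class EmailMeta:
    """Assumed shape of a parsed message; fill it from your own mail pipeline."""
    sender_domain: str
    source_ip: str
    subject: str
    attachments: List[str] = field(default_factory=list)
    # Strings pulled from any attached Office macro by a separate extraction step.
    macro_strings: List[str] = field(default_factory=list)


def registered_label(domain: str) -> str:
    """Second-level label of a domain, e.g. 'globalenergycertification' for either TLD."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(domain: str) -> bool:
    """True when the domain reuses a legitimate domain's label under a different TLD."""
    d = domain.lower()
    if d in LEGIT_DOMAINS:
        return False
    return any(registered_label(d) == registered_label(legit) for legit in LEGIT_DOMAINS)


def score_email(msg: EmailMeta) -> List[str]:
    """Return a list of indicator hits; an empty list means nothing matched."""
    hits = []
    if msg.sender_domain.lower() in PHISH_SENDER_DOMAINS:
        hits.append(f"sender domain matches campaign domain: {msg.sender_domain}")
    elif is_lookalike(msg.sender_domain):
        hits.append(f"sender domain is a lookalike of a legitimate GEC domain: {msg.sender_domain}")
    if msg.source_ip in PHISH_SOURCE_IPS:
        hits.append(f"originating IP matches campaign infrastructure: {msg.source_ip}")
    if msg.subject.strip().lower() in PHISH_SUBJECTS:
        hits.append(f"subject matches campaign lure: {msg.subject!r}")
    for name in msg.attachments:
        if name.lower() in PHISH_ATTACHMENTS:
            hits.append(f"attachment name matches campaign lure: {name}")
    macro_hits = sorted({s.lower() for s in msg.macro_strings} & MACRO_VARIABLE_FILES)
    if macro_hits:
        hits.append("macro references LookBack variable files: " + ", ".join(macro_hits))
    return hits


# Constructed sample messages (not captured mail). 198.51.100.0/24 is a
# documentation range, used here so the benign samples match no real IoC.
SAMPLE_PHISH = EmailMeta(
    sender_domain="globalenergycertification.net",
    source_ip="79.141.169.3",
    subject="Take the exam now",
    attachments=["take the exam now.doc", "GEC_handbook.pdf"],
    macro_strings=["pense1.txt", "pense2.txt"],
)
SAMPLE_BENIGN = EmailMeta(
    sender_domain="globalenergycertification.org",
    source_ip="198.51.100.7",
    subject="Your certification renewal",
    attachments=["renewal.pdf"],
)
SAMPLE_LOOKALIKE = EmailMeta(
    sender_domain="globalenergycertification.info",
    source_ip="198.51.100.8",
    subject="Exam results",
)

if __name__ == "__main__":
    for label, m in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN), ("lookalike", SAMPLE_LOOKALIKE)):
        print(label, score_email(m))
```

The lookalike check deliberately goes beyond the single .net/.org pair in the article: it flags any sender domain that reuses the GEC label under another TLD, since the same spoofing pattern can be reused with a new registration. Exact-match indicators such as the originating IP age quickly (the article itself notes the actors moved from 103.253.41[.]75 to 79.141.169[.]3), so treat the hit list as triage input rather than a verdict.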
While the threat actors appear to be evolving their TTPs, which “demonstrates a further departure from tactics previously employed by known APT groups,” researchers warned that “at the current moment, the creators of LookBack malware are yet to depart from their persistent focus on critical infrastructure providers in the United States.”