Researchers believe that nation-state actors are behind several spearphishing campaigns targeting U.S. utility companies with a newly-identified malware, which has the capabilities to view system data and reboot machines.
Lure emails were sent to three U.S. utilities companies between July 19 and 25. They purported to be from a U.S.-based engineering licensing board, but actually contained a malicious attachment that, once opened, installed and ran a never-before-seen remote access trojan (RAT) dubbed LookBack.
“We believe this may be the work of a state-sponsored APT actor, based on overlaps with historical campaigns and macros utilized,” said Proofpoint researchers, in a Thursday analysis. “The utilization of this distinct delivery methodology, coupled with unique LookBack malware, highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers.”
The APT is unnamed at this time due to ongoing investigations.
Researchers told Threatpost that the emails with malicious attachments were blocked before they could infect the unnamed utilities companies.
The phishing emails purported to be a failed examination result from the National Council of Examiners for Engineering and Surveying (NCEES), an American nonprofit that handles professional licensing for engineers and surveyors. The emails utilized the NCEES logo, and the sender address and reply-to fields featured an impersonated domain, nceess[.]com (designed to look like the NCEES domain but adding an “s” at the end).
“Like the phishing domain, the email bodies impersonated member ID numbers and the signature block of a fictitious employee at NCEES. The Microsoft Word document attachment included in the email also invoked the failed examination pretense with the file name ‘Result Notice.doc,'” researchers said.
The email claims that the company has not achieved a passing score on a recent NCEES exam and instructs the victim to open an attachment labeled “Result Notice” for information on how to proceed with the licensing process in their state. In reality, the attached malicious Microsoft Word document uses VBA macros to install the LookBack malware.
LookBack is a RAT written in C++ that relies on a proxy communication tool to relay data from the infected host to the command-and-control server (C2). The malware has capabilities to view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.
The malware is comprised of several components, including a C2 proxy tool (dubbed GUP proxy tool), a malware loader, a communications module (called SodomNormal) to create the C2 channel with the GUP proxy tool, and a RAT component (called SodomMain) to decode the initial beacon response received from the GUP proxy tool.
Sherrod DeGrippo, senior director of Threat Research and Detection at Proofpoint, told Threatpost that she could not disclose particular attributions at this time due to ongoing investigations, but researchers identified similarities between this recent malware campaign and previous APT campaigns that targeted Japanese corporations in 2018.
For instance, the macros utilized in these campaigns were similar and LookBack uses an encoded proxy mechanism for command and control communication resembling the TTP utilized in the 2018 campaigns.
“That said, our analysts did not observe additional code overlap or infrastructure reuse that would cement attribution to a known APT group,” she said.
She added, “The detection of the newly identified LookBack malware, which was deployed using macros that are similar to those once used by known APT adversaries, highlights a continuing global risk from nation-state actors and the importance of protecting individual employees from targeted attacks.”
Utilities and critical infrastructure continue to be a concern for the security space, as the implications of a potential attack could lead to not just a data breach but human safety. Making matters worse, more APT groups are targeting industrial control systems and critical infrastructure to cause a higher level of damage. And, new vulnerabilities are being found to make their jobs easier.
“Utility companies provide and safeguard many critical pieces of infrastructure including electricity, gas and water,” said DeGrippo. “The risks facing utility companies, and their individual employees, are widespread and a successful attack could have extensive implications across both the private and public sectors. These attacks are sophisticated, clearly leveraging extensive research and industry knowledge by an actor who has investigated and collected data on individual targets and NCEES.”
Infrastructure attacks will be a focus next week at Black Hat 2019, taking place Aug. 7 and 8 in Las Vegas. Be sure to follow all of our Black Hat and DEF CON 27 coverage right here in Threatpost’s special coverage section.