This post was updated on March 3, 2020.
On August 1, security researchers at Proofpoint reported the details of a spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails, sent between July 19 and July 25, contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network.
While Prooftpoint was able to confirm the presence of LookBack malware at three companies, it is likely that the malware has infected other organizations as well. The emails used in the spearphishing campaign falsely appeared to be from the National Council of Examiners for Engineering and Surveying (NCEES), an American nonprofit organization that handles professional licensing for engineers and surveyors. Even fraudulently using the NCEES logo, the emails included Word documents embedded with malicious micros that, once opened, installed and ran the never-before-seen RAT.
Researchers told Threatpost that the emails were blocked before they could infect the unnamed utility companies.
How LookBack Works
According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.
Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.
The Microsoft Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. Certutil.exe is then dropped to decode PEM files, which are later restored to their true extensions using essentuti.exe. The files then impersonate the name of an open-source binary used by common tools like Notepad++, which contains the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once executed, LookBack can send and receive numerous commands, such as Find files, Read files, Delete files, Write to files, Start services, and more.
Has Your Organization Been Exposed to LookBack? Here’s How to Detect It.
Due to the nature of the threat, it’s important to have multiple controls in place to detect the activities related. This includes continuous security awareness training for employees and personnel to help them better identify fake and malicious emails. But beyond SPAM filters and firewalls, Nozomi Networks Labs recommends the use of both anomaly detection technologies to identify unusual behavior, and the use of traditional threat detection capabilities to provide additional context around suspicious actors related to known threats.
Within 24 hours of the announcement of this attack, the Nozomi Networks Labs team added new rules and signatures to the Threat Intelligence to help detect LookBack in your environment. This means that alerts will now be triggered for suspicious activity related to the known threat, LookBack, so that you can detect and remediate quickly. For customers using Threat Intelligence, please make sure that your systems are running the latest version (from August 2, 2019) to enable these new rules.
If you’d like to learn more about LookBack, we encourage you to register at the link below for next week’s webinar. With cyberthreats against utilities continuing to rise, LookBack is just another reminder that there’s still much work to be done as utility companies continue to strengthen their cybersecurity.