Spear phishing emails were identified targeting three U.S. companies in the utilities sector between July 19 and July 25, researchers said.
Phishing emails appeared to impersonate a U.S.-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com, said researchers Michael Raggi and Dennis Schwarz with the Proofpoint Threat Insight Team.
Nceess[.]com is believed to be an impersonation of a domain owned by the U.S. National Council of Examiners for Engineering and Surveying. The emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers called “LookBack.”
“This malware consists of a remote access Trojan (RAT) module and a proxy mechanism used for command and control (C&C) communication,” Raggi and Schwarz said in a post. “We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized. The utilization of this distinct delivery methodology coupled with unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers.”
Emails delivered on July 19 and July 25 purported to be a failed examination result from the NCEES (National Council of Examiners for Engineering and Surveying) and fraudulently used the NCEES logo, the researchers said. The email sender address and reply-to fields contained the impersonation domain nceess[.]com. Like the phishing domain, the email bodies carried fabricated member ID numbers and the signature block of a fictitious NCEES employee. The Microsoft Word document attached to the email also kept up the failed examination pretense with the file name “Result Notice.doc.”
All emails originated from the IP address 79.141.168[.]137, which appears to be an actor-controlled IP utilized to host the phishing domain nceess[.]com. An examination of passive DNS and domain registration history for this domain identified additional domains that appeared to be actor registered, which also impersonated engineering and electric licensing bodies in the U.S., the researchers said. Among these domains, only nceess[.]com was observed in active phishing campaigns targeting utility companies.
The phishing messages were found to contain a Microsoft Word document attachment that uses VBA macros to install LookBack malware. When the attachment is executed, the malicious VBA macro within the Microsoft Word attachment drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt, and tempsodom.txt. Additionally, the file Temptcm.tmp, which is a renamed copy of certutil.exe, is dropped and used to decode the PEM files. The macro next creates a copy of the decoded PEM files, restoring their proper file extensions with the Windows essentuti.exe: tempgup.txt becomes GUP.exe, which impersonates the name of an open-source binary used by Notepad++; tempgup2.txt becomes libcurl.dll, a malicious loader DLL file; and tempsodom.txt becomes sodom.txt, which contains command and control configuration data used by the malware. Finally, the macro launches GUP.exe and the libcurl.dll loader separately, resulting in the execution of LookBack malware, the researchers said.
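The dropper chain above leaves a detectable trace: a renamed copy of certutil.exe decoding base64 text files into an .exe and a .dll. The following Python is an added example (not Proofpoint's code) that applies two checks to process-creation events, a PE OriginalFileName of CertUtil.exe under a different image name, and a -decode whose output has an executable extension. The sample events, user name and paths are constructed; only the file names come from the report.

```python
import ntpath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# File names follow the dropper chain described above; paths and user are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\Temptcm.tmp",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "Temptcm.tmp -decode tempgup.txt GUP.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\Temptcm.tmp",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "Temptcm.tmp -decode tempgup2.txt libcurl.dll"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -verify -urlfetch server.cer"},  # routine PKI use
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -decode blob.txt out.bin"},  # decode, but not renamed
]

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".ps1", ".vbs", ".js"}

def analyze_event(ev):
    """Classify one event; returns {"severity": none|medium|high, "reasons": [...]}."""
    reasons, severity = [], "none"
    # OriginalFileName comes from the PE version resource, so it survives a rename.
    if ev.get("OriginalFileName", "").lower() != "certutil.exe":
        return {"severity": severity, "reasons": reasons}
    image_name = ntpath.basename(ev["Image"]).lower()
    if image_name != "certutil.exe":
        reasons.append(f"renamed certutil: {image_name}")
        severity = "high"
    argv = ev["CommandLine"].split()  # assumes unquoted arguments
    if any(a.lower().lstrip("-/") == "decode" for a in argv[1:]):
        # positional arguments after the switches are <infile> <outfile>
        positional = [a for a in argv[1:] if not a.startswith(("-", "/"))]
        outfile = positional[1] if len(positional) >= 2 else ""
        reasons.append(f"certutil -decode invoked, output {outfile or '<unknown>'}")
        if ntpath.splitext(outfile)[1].lower() in EXECUTABLE_EXT:
            reasons.append("decoded output has executable extension")
            severity = "high"
        elif severity == "none":
            severity = "medium"
    return {"severity": severity, "reasons": reasons}

def scan(events):
    """Return [(index, result)] for every event that is not benign."""
    results = [(i, analyze_event(ev)) for i, ev in enumerate(events)]
    return [(i, r) for i, r in results if r["severity"] != "none"]
```

Both Temptcm.tmp events score high on two independent grounds, so the rule still fires if the actor keeps the real certutil name but decodes to an executable, or renames it but decodes to something else.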
LookBack malware is a remote access Trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to a command and control IP. Its capabilities include an enumeration of services; viewing of process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine and deleting itself from an infected host. The malware consists of the following components:
• A command and control proxy tool (referred to as GUP).
• A malware loader consisting of a legitimate libcurl.dll file with one export function modified to execute shellcode.
• A communications module (referred to as SodomNormal), which creates a C&C channel with the GUP proxy tool.
• A remote access Trojan component (referred to as SodomMain), which is delivered after the initial beacon response, received via the GUP proxy tool and the SodomNormal local host proxy module, is decoded.
Similar to 2018 Campaign
Analysts identified similarities between the macros utilized in this campaign and historic APT campaigns targeting Japanese corporations in 2018. Moreover, LookBack utilizes an encoded proxy mechanism for C&C communication that resembles a historic TTP utilized in those campaigns. However, analysts note LookBack malware has not previously been associated with a known APT actor and that no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary.
The detection of a new malware family delivered using phishing tactics once used by known APT adversaries highlights a continuing global risk from nation-state actors. While definitive attribution in this instance requires further study of infrastructure, toolsets, and methodologies, the risk that these campaigns pose to utilities providers is clear.
The profile of this campaign points to a specific risk to U.S.-based entities in the utilities sector. The phishing emails drew on knowledge of the licensing bodies used within the utilities sector as a social engineering lure, conveying urgency and relevance to their targets.