LTS Secure Warning: Phishing Attack Being Utilized To Incapacitate US Utilities Sector Using LookBack Malware

A new piece of malware, dubbed LookBack, is being used by its operators to cripple the utilities sector in the US. The phishing emails were sent from the attacker-controlled domain nceess.com, which let the senders pose as the US National Council of Examiners for Engineering and Surveying so that victims would take the mail seriously.


Technical Details

The malware is written in C++ and relies on a proxy to relay data from the infected device to its C&C server.

The infection starts when the victim opens the Microsoft Word document attached to the phishing mail. A VBA macro inside the DOC then drops three PEM (privacy enhanced mail) files. Alongside the PEM files it drops certutil.exe, which is used to decode them. Once decoded, the files are restored to their proper extensions with the help of essentuti.exe.

These decoded files pose as an open-source binary used by tools such as Notepad++ and carry the C&C configuration. The macro then runs GUP.exe together with libcurl.dll to launch the LookBack malware on the victim's device.
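The chain above (Office macro, certutil-based decoding of PEM-armored files, then GUP.exe launched from a user-writable path with libcurl.dll beside it) leaves a recognisable trail in process-creation telemetry. The script below is an added example, not code from the original post or from any vendor: it runs three simple rules over constructed Sysmon-style process events. The event field names, the Notepad++ updater locations, the temp-folder file names and all sample records are assumptions made for illustration.

```python
"""Detection sketch for the LookBack delivery chain: Office spawning certutil
to decode payloads, a renamed copy of certutil, and GUP.exe running outside
its normal install directory.  Added example; event layout mimics Sysmon
Event ID 1 (ProcessCreate) fields and every record below is constructed."""
import ntpath
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed install locations of the legitimate Notepad++ updater (lower-case).
LEGIT_GUP_DIRS = (
    r"c:\program files\notepad++\updater",
    r"c:\program files (x86)\notepad++\updater",
)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if benign)."""
    hits: List[str] = []
    parent, image = _base(ev["parent"]), _base(ev["image"])
    cmd = ev.get("cmd", "").lower()
    orig = ev.get("orig_name", "").lower()   # Sysmon OriginalFileName (PE header)
    from_office = parent in OFFICE_APPS

    # 1. An Office application spawning certutil, or any child that decodes
    #    a file the way the macro does (certutil -decode <pem> <out>).
    if from_office and (image == "certutil.exe" or orig == "certutil.exe"
                        or "-decode" in cmd):
        hits.append("office-spawns-certutil-decode")
    # 2. certutil running under a different file name (dropped / renamed copy).
    if orig == "certutil.exe" and image != "certutil.exe":
        hits.append("renamed-certutil")
    # 3. GUP.exe outside the Notepad++ updater directory: the side-loading stage.
    if image == "gup.exe" and _dir(ev["image"]) not in LEGIT_GUP_DIRS:
        hits.append("gup-outside-install-dir")
    return hits


def detect(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each suspicious event's pid to its matched rules; benign events are omitted."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        rules = classify(ev)
        if rules:
            findings[ev["pid"]] = rules
    return findings


# Constructed sample telemetry (paths, pids and file names are made up).
TEMP = r"C:\Users\alice\AppData\Local\Temp"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"pid": 100, "parent": r"C:\Windows\explorer.exe", "image": WORD,
     "cmd": f'"{WORD}" {TEMP}\\exam_notice.doc', "orig_name": "WinWord.exe"},
    # Macro drops certutil.exe next to the PEM files and decodes the first one.
    {"pid": 101, "parent": WORD, "image": TEMP + r"\certutil.exe",
     "cmd": f"certutil.exe -decode {TEMP}\\part1.pem {TEMP}\\GUP.exe",
     "orig_name": "CertUtil.exe"},
    # The same binary under a constructed alternate name decodes the second.
    {"pid": 102, "parent": WORD, "image": TEMP + r"\svchelper.tmp",
     "cmd": f"svchelper.tmp -decode {TEMP}\\part2.pem {TEMP}\\libcurl.dll",
     "orig_name": "CertUtil.exe"},
    # Decoded updater launched from Temp, where libcurl.dll sits beside it.
    {"pid": 103, "parent": WORD, "image": TEMP + r"\GUP.exe",
     "cmd": "GUP.exe", "orig_name": "gup.exe"},
    # Benign: the real Notepad++ updater from its install directory.
    {"pid": 104, "parent": r"C:\Program Files\Notepad++\notepad++.exe",
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "cmd": "GUP.exe -v7.7", "orig_name": "gup.exe"},
    # Benign: an administrator checking a certificate from a shell.
    {"pid": 105, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -verify server.cer", "orig_name": "CertUtil.exe"},
]

if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Rule 1 is the high-signal one: an Office process rarely has a legitimate reason to spawn certutil. Rule 2 depends on the telemetry source recording the PE's original file name, which is why the example carries an `orig_name` field; without it a renamed copy can only be caught by its command line. Rule 3 needs the allow-list adjusted to wherever Notepad++ is actually deployed in your environment.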


Impact

  • List running processes and terminate them if required.
  • Execute CMD commands.
  • Enumerate, start, and delete services.
  • Find, read, write, delete, and execute files.
  • Take screenshots of the desktop.


Recommended Actions

  • Avoid opening emails and attachments from unknown senders.
  • Make an effort to educate your users on how to identify malspam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run a "full system scan" on your endpoints.
  • Isolate all compromised computers as soon as possible to prevent the threat from spreading further inside your infrastructure.