Suspected state-sponsored hacking group tried to break into US utilities

Researchers say the phishing attempts were spotted in July.

Cheap and years old: Creaky malware is still proving popular with crooks Given a choice between free or state-of-the-art, cybercriminals know which they prefer.

A suspected nation state-sponsored hacking group attempted to infiltrate US utility firms in July, researchers say. 

On Thursday, Proofpoint researchers Michael Raggi and Dennis Schwarz said that between July 19 and July 25, spear-phishing emails were sent to three US companies responsible for providing utility services to the public.

The phishing emails impersonated an engineering licensing board, the US National Council of Examiners for Engineering and Surveying, and attempted to elicit panic in recipients by pretending that the victim company had failed an exam. 

This is a common technique used in phishing emails and is found in other examples including fake bank withdrawal emails, tax demands, and student loan complaints. If a target is frightened, they may be more likely to follow a phishing email's instructions without thinking things through.

CNET: Snowden says Facebook is spying on you and wants to help fight back

Contained within the message was a Microsoft Word document, named Result Notice.doc, which used embedded macros to spring malicious code onto a recipient system. 

The emails originated from an IP address which led to the discovery of additional domains used to impersonate other engineering and electric licensing agencies in the United States. However, only the original domain, nceess[.]com, appears to be active in current phishing campaigns. 

screenshot-2019-08-02-at-09-04-17.png

If a victim opens the file and enables VBA macros, three Privacy Enhanced Mail (PEM) files are dropped; tempgup.txt, tempgup2.txt, and tempsodom.txt. These files are then decoded and transformed into Notepad-impersonating GUP.exe, libcurl.dll -- a malicious loader -- and  sodom.txt, a file which contains command-and-control (C2) configuration settings for the malicious code. 

See also: This new Android ransomware infects you through SMS messages

The malware, dubbed LookBack, is then launched via GUP.exe and libcurl.dll. 

LookBack is a Remote Access Trojan (RAT), written in C++, which is able to view system data, execute shellcode, tamper with, steal, and delete files, take screenshots, kill processes, move and click a mouse without user interaction, force an infected PC to reboot at whim, and remove itself from a machine.

LookBack is also able to create a C2 channel and proxy in order to exfiltrate and send system information to the attacker's server. 

Proofpoint has connected the recent attacks with APT campaigns in 2018 linked to Japanese firms. FireEye researchers said the group -- known as APT10 or Menupass -- attacking media companies appears to be Chinese and has a history of going after targets in Japan. 

If it is the same threat actors, this could demonstrate that APT10 is branching out to include US firms in their hit-list.

TechRepublic: How to build a vulnerability response plan: 6 tips

Firm conclusions that LookBack is the work of a state-sponsored group seeking to disrupt core utilities and services are not possible, as the researchers note that the malware has not been actively associated with any APT previously and "no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary."

However, the macros do provide a clue to state-sponsored activity. Many of the connections between the macro and VBA function obfuscation are strikingly similar to the code used in the aforementioned Japanese attacks, despite being rewritten. 

"We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized," Proofpoint says. "The utilization of this distinct delivery methodology coupled with unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0