Delaware, USA – September 24, 2019 – Instead of stopping the campaign, the LookBack trojan operators changed the text of the phishing emails and continued to attack organizations in the US Utilities Sector. Proofpoint researchers continued their investigation of LookBack malware attacks and found that there were significantly more attacked companies, and the campaign itself began in early April. Attackers sent phishing emails to utility providers from the US energy sector with a malicious document containing embedded VBA script that downloads and installs the malware. Initially, emails pretended to be notifications from the ‘US National Council of Examiners for Engineering and Surveying’ and contained alerts about failed exams. After the operation was discovered, the attackers registered the domain masqueraded as the legitimate domain for Global Energy Certification and continued to send emails on the same subject. Researchers discovered 17 attacked companies, although their number may be much higher.
An analysis of the campaign shows that these attacks probably were conducted by one of the Chinese APT groups using custom malware and targeting energy companies. Researchers also recorded scans of organizations’ networks, attackers searched for open ports 445. The scans occurred about two weeks before phishing emails were sent. Why the attackers did this is not known exactly, since so far in this campaign no malware that uses the SMB protocol has been spotted. Despite the lack of clues, indirect evidence indicates the involvement of the APT10 group in these attacks. You can study the known APT10 techniques and find content for their detection on Threat Detection Marketplace: https://tdm.socprime.com/att-ck/