Delaware, USA – August 5, 2019 – A previously unseen malware family has been used in a spear-phishing campaign targeting US companies in the utility sector. Proofpoint researchers discovered the attacks in late June: all of the emails were disguised as notifications from the ‘US National Council of Examiners for Engineering and Surveying’, reported a failed examination result, and were sent from the attacker-controlled domain nceess[.]com. Each email carried a malicious document, ‘Result Notice.doc’, whose macros install the LookBack remote access trojan in several stages.

LookBack had not been observed in any earlier attack, and analysis of its code revealed no references to the tools of known APT groups. Analysis of the macro in the malicious document, however, lets researchers link the campaign to the Chinese group APT10, which has been extremely active in recent months; the reuse of the loader known from last year’s campaign may be connected with the group’s adoption of new tools. LookBack lets the adversary spy on the infected system, move and click the mouse, execute commands, and delete files. Several other components are dropped alongside the trojan to handle covert communication with the command-and-control infrastructure.
Analysis of the server that sent the phishing emails turned up several more domains impersonating other US engineering and electrical licensing bodies; whether they have been used in other attacks by the group is not known. Judging by past campaigns, APT10 will continue to target the US utilities sector with other techniques and malware from the group’s extensive arsenal. You can study the known APT10 techniques and find content for their detection on Threat Detection Marketplace: https://tdm.socprime.com/att-ck/
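As an added example (not code from SOC Prime, Proofpoint or the campaign itself), the script below shows how the two indicators named in this post, the sender domain nceess[.]com and the attachment ‘Result Notice.doc’, can be combined with a generic rule for macro-capable Office attachments and run over email-gateway logs. The log line format, the allowlist of senders permitted to send Office attachments, and the sample log lines are all constructed for the example and are not from the original report.

```python
"""Triage email-gateway log lines against the LookBack campaign indicators.

Indicators (sender domain, attachment name) come from the post above.
The log format, the sender allowlist and SAMPLE_LOG are assumptions
constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Indicators from the post (defanging brackets removed so they match real headers).
IOC_SENDER_DOMAINS = {"nceess.com"}
IOC_ATTACHMENT_NAMES = {"result notice.doc"}

# Assumption: domains from which macro-capable Office attachments are expected.
ALLOWED_OFFICE_SENDERS = {"example.com"}

# Legacy binary formats and macro-enabled OOXML variants can carry VBA macros.
MACRO_CAPABLE_EXT = (".doc", ".dot", ".xls", ".docm", ".dotm", ".xlsm", ".pptm")

# Assumed gateway log format, one message per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attach="(?P<attach>[^"]*)"$'
)


@dataclass
class Alert:
    timestamp: str
    sender: str
    attachment: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sender_domain(address):
    """Lower-cased domain part of an address; the whole string if no '@'."""
    return address.rsplit("@", 1)[-1].lower()


def triage(lines):
    """Return one Alert per log line that matches an IOC or the macro heuristic."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # malformed or unrelated line, skip it
            continue
        domain = sender_domain(rec["sender"])
        attach = rec["attach"].lower()
        reasons = []
        if domain in IOC_SENDER_DOMAINS:
            reasons.append("sender domain matches LookBack campaign IOC")
        if attach in IOC_ATTACHMENT_NAMES:
            reasons.append("attachment name matches LookBack campaign IOC")
        # Generic rule: macro-capable Office document from a sender not allowlisted.
        if attach.endswith(MACRO_CAPABLE_EXT) and domain not in ALLOWED_OFFICE_SENDERS:
            reasons.append("macro-capable Office attachment from non-allowlisted sender")
        if reasons:
            alerts.append(Alert(rec["ts"], rec["sender"], rec["attach"], reasons))
    return alerts


# Constructed sample log: one line mimicking the campaign, one benign internal
# document, one unknown vendor sending a legacy .xls, one PDF, one malformed line.
SAMPLE_LOG = [
    '2019-06-25T14:02:11Z from=notice@nceess.com to=jdoe@utility.example '
    'subject="Result Notice" attach="Result Notice.doc"',
    '2019-06-25T14:05:40Z from=hr@example.com to=jdoe@utility.example '
    'subject="Q3 plan" attach="plan.docm"',
    '2019-06-25T14:07:03Z from=billing@vendor.example to=ap@utility.example '
    'subject="Invoice" attach="invoice.xls"',
    '2019-06-25T14:09:55Z from=ops@vendor.example to=ap@utility.example '
    'subject="Report" attach="report.pdf"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a.timestamp, a.sender, a.attachment, "->", "; ".join(a.reasons))
```

The first sample line trips all three rules; the vendor .xls only trips the generic macro rule, which is the one that still fires once the attackers rotate domains and file names. Tune ALLOWED_OFFICE_SENDERS to your own environment before relying on the heuristic.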