Security experts at Proofpoint uncovered a phishing campaign targeting US companies in the utility sector aimed at infecting systems with a new
“Between July 19 and July 25, 2019, several spear-phishing emails were identified targeting three US companies in the utility sector.” reads the analysis published by Proofpoint.
“The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess
The phishing attacks took place on July 19 and July 25, threat actors
The experts reported attacks against three separate companies, but likely the same threat actor hit also other organization in the sector.
Experts believe that the attacks were carried out by a nation-state APT group based on overlaps with activities of other state-sponsored groups and macros utilized.
“The macro next creates a copy of the decoded PEM
The malware implements many
Researchers identified the following components in the LookBack RAT:
Experts noticed that Libcurl.dll used by the malware appears to be a legitimate version of libcurl.dll except for the implementation of a single exported function (referred to as ordinal #52 and curl_share_init in the analyzed sample). This function extracts a resource contained within libcurl.dll, decrypts malicious data it contains, and loads the resulting DLL to execute a malicious function.
Once the function is executed, the SodomNormal communications module will run within Libcurl.dll. The malware sets up a Registry Run key to achieve persistence.
The communications module transmits data collected by the RAT to the proxy tool. The backdoor module supports numerous commands, including Get process listing, Kill process, Executes
“The detection of a new malware family delivered using phishing tactics once used by known APT adversaries highlights a continuing global risk from nation-state actors.” concludes the report. “While definitive attribution in this instance requires further study of infrastructure, toolsets, and methodologies, the risk that these campaigns