Security experts at Proofpoint uncovered a phishing campaign targeting US companies in the utility sector aimed at infecting systems with a new
“Between July 19 and July 25, 2019, several spear-phishing emails were identified targeting three US companies in the utility sector.” reads the analysis published by Proofpoint.
“The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess
The phishing attacks took place on July 19 and July 25, threat actors
The experts reported attacks against three separate companies, but likely the same threat actor hit also other organization in the sector.
Experts believe that the attacks were carried out by a nation-state APT group based on overlaps with activities of other state-sponsored groups and macros utilized.
“The macro next creates a copy of the decoded PEM
The malware implements many
Researchers identified the following components in the LookBack RAT:
Experts noticed that Libcurl.dll used by the malware appears to be a legitimate version of libcurl.dll except for the implementation of a single exported function (referred to as ordinal #52 and curl_share_init in the analyzed sample). This function extracts a resource contained within libcurl.dll, decrypts malicious data it contains, and loads the resulting DLL to execute a malicious function.
Once the function is executed, the SodomNormal communications module will run within Libcurl.dll. The malware sets up a Registry Run key to achieve persistence.
The communications module transmits data collected by the RAT to the proxy tool. The backdoor module supports numerous commands, including Get process listing, Kill process, Executes
“The detection of a new malware family delivered using phishing tactics once used by known APT adversaries highlights a continuing global risk from nation-state actors.” concludes the report. “While definitive attribution in this instance requires further study of infrastructure, toolsets, and methodologies, the risk that these campaigns
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.