CYBER: State-sponsored hackers target US utilities in July cyber attack
July 31, 2019
0
CYBER: State-sponsored hackers target US utilities in July cyber attack
By: Iain Fraser
City of London Newsroom
A sustained series of phishing attacks have been targeting U.S. companies specifically, the utilities sector in an effort to infect systems with a new remote access Trojan [RAT] according US Cyber Security company Proofpoint
On Thursday, Proofpoint researchers issued a statement confirming that between July 19 and July 25, "spear-phishing" emails impersonating an engineering licensing board [the US National Council of Examiners for Engineering and Surveying] were sent to three US companies all instrumental in "providing utility services to the public."
The emails all had Word documents attached, that contained malicious macros designed to deploy and execute LookBack, a new RAT that uses a proxy mechanism for command and control communication.
The attacks, Proofpoint says, are likely to be the work of a "state-sponsored threat actor" particularly given the utilised macros and overlaps with previously observed campaigns attributed to Chinese cyber-espionage group APT10. However, LookBack hasn’t been attributed to a specific adversary yet.
The Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. A version of certutil.exe is also dropped, to decode the PEM files, after which these files are restored to their proper extensions.
The RAT is written in C++ and relies on a proxy to relay data to the C&C. The malware can enumerate services running on the machine, view process/system/file data, delete files, execute commands, take screenshots, use the mouse, reboot the machine, and remove itself from the infected host.
A version of the legitimate libcurl.dll library, the malware loader contains a modified exported function to extract a resource within the library, decrypt data from it, and load the resulting DLL to execute a malicious function. During the infection phase, the malicious macro installing the malware sets up a Registry Run key to achieve persistence for libcurl.dll.
Although there are clear similarities to the APT10 assaults on Japanese corporations in 2018, “the LookBack malware has not previously been associated with a known APT actor and that no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary.