New advanced malware, possibly nation sponsored, is targeting US utilities

Posted on Aug 4, 2019

A new piece of advanced espionage malware, possibly developed by a nation-supported attacker, targeted three US companies in the utilities industry last month, researchers from security firm Proofpoint reported on Thursday. Employees of the three unnamed companies, Proofpoint reported, received emails purporting to come from the National Council of Examiners for Engineering and Surveying. This non-profit group develops, administers, and scores examinations used in granting licenses for US engineers.

Using the official NCEES logo and the domain nceess[.]com, the emails told recipients that they had failed to achieve a passing score on a recent exam. The attached Word document was titled Result Notice.doc. Malicious macros embedded in the document attempted to install a package of full-featured malware that Proofpoint calls LookBack.
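The lure above relies on a sender domain that is one character away from the real organisation's. The following is an added example, not Proofpoint's tooling or anything from the article: a small mail-gateway check that extracts the sender domain from a From: header, undoes `[.]` defanging, and flags domains whose second-level label is within a small edit distance of a protected organisation. The protected-domain list (`ncees.org`) and the sample headers are constructed for this example; the check assumes one-label TLDs and does not consult a public-suffix list.

```python
from __future__ import annotations
import re

# Constructed list of organisations whose identity the gateway protects.
PROTECTED_DOMAINS = {"ncees.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_from: str) -> str:
    """Pull the domain out of a From: header value; '[.]' defanging is undone."""
    m = re.search(r"@([A-Za-z0-9.\[\]-]+)", header_from)
    if not m:
        return ""
    return m.group(1).replace("[.]", ".").lower().strip(".")


def org_label(domain: str) -> str:
    """Second-level label, e.g. 'ncees' for 'mail.ncees.org'.
    Assumes a one-label TLD (no public-suffix list in this example)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def lookalike_verdict(header_from: str,
                      protected: set[str] = PROTECTED_DOMAINS,
                      max_distance: int = 2) -> str:
    """'legitimate' for the real domain or its subdomains, 'lookalike:<real>'
    when the org label is within max_distance edits, else 'unrelated'."""
    domain = sender_domain(header_from)
    if not domain:
        return "no-domain"
    for real in protected:
        if domain == real or domain.endswith("." + real):
            return "legitimate"
    for real in sorted(protected):
        if levenshtein(org_label(domain), org_label(real)) <= max_distance:
            return f"lookalike:{real}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed From: headers, including the defanged domain from the article.
    samples = [
        "NCEES Exams <results@nceess[.]com>",
        "noreply@ncees.org",
        "alerts@mail.ncees.org",
        "someone@example.com",
    ]
    for hdr in samples:
        print(f"{hdr!r:45} -> {lookalike_verdict(hdr)}")
```

A distance threshold of 2 is deliberately loose; in production the verdict would only gate a closer look (a banner, quarantine, or analyst review), because short labels produce occasional benign collisions.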

Components included a remote-access trojan written in C++ and a proxy tool for communicating with a command-and-control server. Once LookBack was installed, it gave attackers a full range of capabilities that include:

Beyond its wide-ranging capabilities, LookBack was advanced for other reasons. In an attempt to camouflage itself, the command-server proxy could impersonate WinGup, an open-source updater used by Notepad++.

Another way LookBack avoided detection: a dynamic-link library appeared to be a legitimate DLL for the libcurl library except for a single exported function. The attackers used that function to extract encrypted data stored in the DLL, which was then used to carry out communications and establish persistence on the infected computer.
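A library that is genuine apart from one extra export is cheap to catch if you know what the real library exports. The following is an added example written for this article, not Proofpoint's analysis tooling and not the sample itself: a standard-library-only parser for the PE export directory, plus a diff of the exported names against a baseline recorded from a trusted copy. Because no real DLL can ship with the example, it also builds a minimal, non-executable PE32+ image that contains only an export table; the baseline names are a handful of real libcurl exports, and the extra export name `InitHelper` is a constructed placeholder, not an indicator from the report.

```python
from __future__ import annotations
import struct

# Constructed baseline: a few real libcurl export names.  In practice the
# baseline is recorded from a trusted copy of libcurl.dll, not typed by hand.
LIBCURL_BASELINE = {"curl_easy_init", "curl_easy_setopt",
                    "curl_easy_perform", "curl_easy_cleanup"}


def build_pe_with_exports(dll_name: str, export_names: list[str]) -> bytes:
    """Build a minimal, non-executable PE32+ image whose only content is an
    export directory.  Test scaffolding so the example runs offline; it
    contains no code and is not a malware sample."""
    n = len(export_names)
    sec_rva, sec_raw = 0x1000, 0x200          # section RVA and file offset
    funcs_off = 40                             # export directory is 40 bytes
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    str_off = ords_off + 2 * n
    strings = dll_name.encode() + b"\0"
    dll_name_rva = sec_rva + str_off
    name_rvas = []
    for name in export_names:
        name_rvas.append(sec_rva + str_off + len(strings))
        strings += name.encode() + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                             sec_rva + funcs_off, sec_rva + names_off,
                             sec_rva + ords_off)
    body = (export_dir
            + b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # dummy code RVAs
            + b"".join(struct.pack("<I", rva) for rva in name_rvas)
            + b"".join(struct.pack("<H", i) for i in range(n))
            + strings)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_rva, len(body))       # export data directory
    sec_hdr = struct.pack("<8sIIII", b".edata", len(body), sec_rva,
                          len(body), sec_raw) + b"\0" * 16
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\0") + body


def list_exports(image: bytes) -> tuple[str, list[str]]:
    """Return (internal DLL name, exported function names) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96)       # PE32+ vs PE32
    export_rva, _export_size = struct.unpack_from("<II", image, dd_off)
    if export_rva == 0:
        return "", []
    # Section table follows the optional header; needed to map RVAs to offsets.
    sections = []
    sec_off = opt_off + opt_size
    for i in range(n_sections):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", image, sec_off + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), raw))

    def rva_to_off(rva: int) -> int:
        for vaddr, size, raw in sections:
            if vaddr <= rva < vaddr + size:
                return raw + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} not inside any section")

    def cstring(rva: int) -> str:
        off = rva_to_off(rva)
        return image[off:image.index(b"\0", off)].decode("ascii", "replace")

    ed = rva_to_off(export_rva)
    name_rva, _base, _n_funcs, n_names, _funcs, names_rva, _ords = \
        struct.unpack_from("<IIIIIII", image, ed + 12)
    names_off = rva_to_off(names_rva)
    names = [cstring(struct.unpack_from("<I", image, names_off + 4 * i)[0])
             for i in range(n_names)]
    return cstring(name_rva), names


def unexpected_exports(image: bytes, baseline: set[str]) -> tuple[set[str], set[str]]:
    """(exports not in the baseline, baseline exports missing from the image)."""
    _dll, names = list_exports(image)
    return set(names) - baseline, baseline - set(names)


if __name__ == "__main__":
    # Constructed sample: claims to be libcurl but carries one extra export.
    sample = build_pe_with_exports("libcurl.dll", sorted(LIBCURL_BASELINE) + ["InitHelper"])
    extra, missing = unexpected_exports(sample, LIBCURL_BASELINE)
    print("unexpected exports:", extra)   # {'InitHelper'}
    print("missing exports:", missing)    # set()
```

On a real host the baseline would be taken per library version from a trusted install, and the same diff can be run across every DLL in a suspect process's module list; a file whose exports match a known library except for one addition deserves the same scrutiny as an unsigned binary.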