Threat Watch

LookBack Malware Targeting US Utility Firms

A spearphishing campaign first uncovered in July 2019 is targeting utility firms and spreading the LookBack malware, which can view system data and reboot machines. Originally only three firms were targeted, but evolving tactics have extended its reach to over 20 firms. The campaign uses new TTPs (Tactics, Techniques, and Procedures), including macros that have evolved to bypass detection. Spearphishing emails are LookBack’s primary mode of infection. The malicious emails impersonate a licensing body related to the utility sector and even use a legitimate logo to add authenticity. The emails claim to be an online examination program, with the subject line “Take the exam now” and a malicious Word document attached named “take the exam now.doc.” Unlike previous campaigns, the attackers added a new trick: a legitimate PDF file for the certification study guide, which could trick users into thinking the Word document is also safe to open. The malicious Word file contains VBA macros that lead to the installation of LookBack. LookBack is written in C++ and relies on a proxy communication tool to relay information from the victim’s system to the Command and Control (C2) server. While the attackers appear to be evolving their TTPs, they have not deviated from their targeting of critical infrastructure in the United States.

Organizations should ensure that they have proper anti-virus and anti-malware programs in place and kept updated. Users should be extremely wary of any unsolicited emails that they receive. Organizations should provide routine education for their employees to better assist them in recognizing malicious emails.
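The lure traits described above (an exam-themed subject, a macro-carrying Word document, a benign PDF decoy sent alongside it, and a sender posing as a certification body) can be turned into a mail-gateway triage rule. The following Python script is an added example, not code from the advisory or from any vendor: it scores constructed gateway log records against the two lure strings quoted in the advisory plus behavioural checks, so that a variant with a changed subject or file name still surfaces. The `has_vba` field (a macro-scanner verdict), the sender domains, the recipients and the trusted-domain list are all assumptions made for the example.

```python
"""Triage mail-gateway records for the LookBack lure pattern: known subject
and attachment strings, a macro-capable Office document with VBA, a benign
PDF shipped next to it, and a display name claiming a certification body
from an untrusted sender domain."""
import json
import os
from typing import Dict, List, Tuple

# Lure strings quoted in the advisory (matched case-insensitively).
KNOWN_SUBJECT = "take the exam now"
KNOWN_ATTACHMENT = "take the exam now.doc"

# File types that can carry VBA macros.
MACRO_CAPABLE_EXT = {".doc", ".dot", ".docm", ".xls", ".xlsm", ".pptm"}

# Domains the organization actually expects certification mail from.
# Placeholder value for this example, not an indicator from the advisory.
TRUSTED_CERT_DOMAINS = {"certbody.example"}

# Constructed gateway log (one JSON record per line). Sender addresses and
# the "has_vba" macro-scanner flag are assumptions; only the subject and
# attachment name in m1 come from the advisory.
SAMPLE_GATEWAY_LOG = """\
{"id": "m1", "from": "exams@certbody-renewal.example", "display_name": "Certification Board", "subject": "Take the exam now", "attachments": [{"name": "take the exam now.doc", "has_vba": true}, {"name": "study-guide.pdf", "has_vba": false}]}
{"id": "m2", "from": "hr@corp.example", "display_name": "HR", "subject": "Q3 timesheet reminder", "attachments": [{"name": "timesheet.xlsx", "has_vba": false}]}
{"id": "m3", "from": "training@certbody.example", "display_name": "Certification Board", "subject": "Exam schedule", "attachments": [{"name": "schedule.pdf", "has_vba": false}]}
{"id": "m4", "from": "exams@certbody-renewal.example", "display_name": "Certification Board", "subject": "Exam results", "attachments": [{"name": "results.doc", "has_vba": true}, {"name": "study-guide.pdf", "has_vba": false}]}
{"id": "m5", "from": "invoices@vendor.example", "display_name": "Accounts", "subject": "Invoice attached", "attachments": [{"name": "invoice.doc", "has_vba": true}]}
"""


def score_message(rec: Dict) -> Tuple[int, List[str]]:
    """Return a risk score and the reasons that contributed to it."""
    score, reasons = 0, []
    subject = rec.get("subject", "").strip().lower()
    attachments = rec.get("attachments", [])
    names = [a["name"].lower() for a in attachments]
    exts = {os.path.splitext(n)[1] for n in names}
    # Only trust the VBA flag on file types that can actually hold macros.
    has_vba = any(
        a.get("has_vba") and os.path.splitext(a["name"].lower())[1] in MACRO_CAPABLE_EXT
        for a in attachments
    )

    # Exact indicators from the advisory.
    if subject == KNOWN_SUBJECT:
        score += 3
        reasons.append("subject matches known lure")
    if KNOWN_ATTACHMENT in names:
        score += 3
        reasons.append("attachment name matches known lure")

    # Behavioural traits that survive a change of subject or file name.
    if has_vba:
        score += 2
        reasons.append("macro-capable attachment contains VBA")
    if has_vba and ".pdf" in exts:
        score += 1
        reasons.append("benign PDF paired with macro document (decoy pattern)")
    domain = rec.get("from", "").rsplit("@", 1)[-1].lower()
    claims_cert_body = "certification" in rec.get("display_name", "").lower()
    if claims_cert_body and domain not in TRUSTED_CERT_DOMAINS:
        score += 2
        reasons.append(f"display name claims certification body but domain {domain} is untrusted")
    return score, reasons


def triage(log_text: str, threshold: int = 4) -> List[Dict]:
    """Score every record and return those at or above threshold, highest first."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        score, reasons = score_message(rec)
        if score >= threshold:
            flagged.append({"id": rec["id"], "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_GATEWAY_LOG):
        print(f"{hit['id']}: score {hit['score']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

Record m1 is caught by the quoted indicators, while m4 (same impersonation and decoy pattern, different subject and file name) is caught by the behavioural checks alone; m5, a lone macro document with no impersonation, scores below the threshold and is left for ordinary macro policy rather than this rule. The weights are starting points to tune against your own gateway data.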