Suspected Nation-State: During the month of June, several US companies were the target of a spear-phishing campaign. Three utility service companies received emails from attackers pretending to be an engineering license board. Like most emails that are impersonating people, this one was sent with a Microsoft word document embedded with macros that, once opened, downloaded the malware. The document name was Result Notice.doc, which downloaded malware that is known as LookBack. The infection begins by downloading three Privacy Enhance Mail (PEM) files, tempgup.txt, tempgup2.txt, and tempsodom.txt. Once decoded, the files are transformed into Notepad-impersonating GUP.exe, libcurl.dll and Sodom.txt. Libcurl.dll is a malicious loader and Sodom.txt contains the command-and-control (C2) configuration settings. LookBack is then launched via GUP.exe and libcurl.dll. LookBack is a remote access trojan that is able to view system data, tamper with, steal and delete files, execute shellcode, kill processes, move and click the mouse, force an infected PC to reboot, take screenshots and remove itself from the infected machine. The malware also creates a C2 channel and proxy in order to exfiltrate and send system details to the attacker.
Analyst Notes
The malware is the work of a nation-state attacker, but there is no definitive information that proves who is behind it. There has been speculation that the Chinees group APT10 was behind these attacks due to a link found in an attack that was carried out against Japanese media. The thought is that the actor has now started to target US entities.
