Suspected Nation-State: During the month of June, several US companies were the target of a spear-phishing campaign. Three utility service companies received emails from attackers pretending to be an engineering license board. As is typical of impersonation phishing, the email carried a Microsoft Word document embedded with macros that, once opened, downloaded the malware. The document was named Result Notice.doc, and the malware it downloaded is known as LookBack. The infection begins by downloading three Privacy Enhanced Mail (PEM) files: tempgup.txt, tempgup2.txt, and tempsodom.txt. Once decoded, these files become the Notepad-impersonating GUP.exe, libcurl.dll, and Sodom.txt. Libcurl.dll is a malicious loader, and Sodom.txt contains the command-and-control (C2) configuration settings. LookBack is then launched via GUP.exe and libcurl.dll. LookBack is a remote access trojan that can view system data; tamper with, steal, and delete files; execute shellcode; kill processes; move and click the mouse; force an infected PC to reboot; take screenshots; and remove itself from the infected machine. The malware also creates a C2 channel and proxy in order to exfiltrate and send system details to the attacker.
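As an added defender-side example (not code from the original report or from Binary Defense), the following Python script decodes PEM-armored or bare base64 text files and flags any whose decoded content is a PE executable or DLL, which is how the three dropped .txt files above unpack into GUP.exe and libcurl.dll; the PEM label, the sample files and the header bytes are constructed stand-ins, not the campaign's actual artifacts.

```python
import base64
import re
import struct

# PEM armor: a label in the BEGIN/END lines, base64 body in between (label is an assumption).
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag marking a DLL image

def decode_pem_blocks(data):
    """Yield (label, decoded bytes) per PEM block; with no armor, treat the whole file as base64."""
    blocks = PEM_RE.findall(data) or [(b"NONE", data)]
    for label, body in blocks:
        try:
            yield label.decode(), base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except ValueError:  # body is not valid base64: nothing to inspect
            continue

def pe_kind(blob):
    """Return 'dll' or 'exe' when blob is a PE image (MZ stub + PE signature), else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(blob) < e_lfanew + 24:
        return None
    characteristics = struct.unpack_from("<H", blob, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def scan_files(files):
    """files: {name: bytes}. Returns {name: verdict}; a text file hiding a PE image is the alert."""
    verdicts = {}
    for name, data in files.items():
        for label, blob in decode_pem_blocks(data):
            kind = pe_kind(blob)
            if kind:
                verdicts[name] = f"ALERT: {label} block decodes to a PE {kind}"
                break
        else:
            verdicts[name] = "ok"
    return verdicts

def fake_pe(dll):
    """Constructed minimal PE header (not a real binary): DOS stub, e_lfanew, COFF header."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102 | (IMAGE_FILE_DLL if dll else 0))
    return bytes(dos) + b"PE\x00\x00" + coff

def armor(label, raw):
    return f"-----BEGIN {label}-----\n".encode() + base64.encodebytes(raw) + f"-----END {label}-----\n".encode()

# Constructed stand-ins for the three dropped files plus one ordinary certificate-like PEM.
SAMPLES = {
    "tempgup.txt": armor("CERTIFICATE", fake_pe(dll=False)),
    "tempgup2.txt": armor("CERTIFICATE", fake_pe(dll=True)),
    "tempsodom.txt": armor("CERTIFICATE", b"c2=192.0.2.10:443\n"),  # placeholder config, not real C2
    "real.pem": armor("CERTIFICATE", b"\x30\x82\x01\x00" + b"\x00" * 20),  # DER-looking, benign
}

if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Run it over a quarantine or temp directory by replacing SAMPLES with real file contents; only the two PE-carrying files raise an alert, while the config text and a genuine certificate pass.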
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense’s mission is