A series of spear-phishing attacks targeting three US companies in the utility sector has been discovered recently. The attacks occurred between July 19 and July 25, 2019.
What happened?
Discovered by researchers at Proofpoint, the attackers behind the campaign leveraged phishing emails that purported to be from a US-based engineering licensing board. To make it less suspicious, they used domains like nceess[.]com and Nceess[.]com similar to that owned by the US National Council of Examiners for Engineering and Surveying. It also used the logo of NCEES to make it look more real.
These phishing emails contained a Word attachment which included malicious macros. Once the Word attachment is opened, it would download macros to install and run a malware dubbed ‘LookBack.’
What did the phishing email contain?
The emails were sent as a notification regarding the examination results from NCEES.
“The email sender address and reply-to fields contained the impersonation domain nceess[.]com. Like the phishing domain, the email bodies impersonated member ID numbers and the signature block of a fictitious employee at NCEES. The Microsoft Word document attachment included in the email also invoked the failed examination pretense with the file name “Result Notice.doc,” said the researchers.
Researchers noted that all emails originated from the IP addresses 79.141.168[.]137.
About LookBack malware
LookBack malware is a remote access trojan written in C++. It relies on a communication tool to relay data from the infected host to a C2 server. Its capabilities include:
The bottom line
Researcher highlight that discovery of a new malware family and its use in phishing tactics poses a global risk from organizations worldwide. Thus, firms should be more vigilant and implement additional security layers to protect their utilities and infrastructure.
Publisher