[ad_1]
A new malicious espionage program, eventually developed by a nationally attacked attacker, targeted three US utility companies last month, researchers at the security firm Proofpoint said Thursday.
According to a Proofpoint report, employees of the three unnamed companies received emails supposedly from the National Board of Examiners for Engineering and Topography. This non-profit group develops, administers and grades the exams used for licensing US engineers. Use of the official NCEES logo and domain name[.]com, the emails indicated that the recipients had failed to get a positive result on a recent review. The attached Word document was entitled Result Notice.doc.
Proofpoint
Malicious macros embedded in the document attempted to install a malware package with all the features, Proofpoint calling LookBack. The components included a remote access Trojan written in C ++ and a proxy tool for communicating with a command and control server. Once installed, LookBack offers attackers a full range of features, including:
- Get a list of processes
- Kill the process
- Run cmd[.] exe commands
- Get the type of player
- Find files
- Read the files
- Delete files
- Write to files
- Run files
- List services
- Start services
- Delete services
- Take a screenshot of the office
- Move / click mouse and take the elevator
- Exit
- To withdraw
- To close
- restart
Beyond its extensive capabilities, LookBack has been perfected for other reasons. The proxy of the command server could borrow the identity of WinGup, a free source update program used by Notepad ++ to try to hide itself. Another way for WinGup to avoid detection: A dynamic link library seemed to be a legitimate DLL for the libcurl software tool, except for one exported function. Attackers used this feature to extract encrypted data from the DLL to perform communications and establish persistence on the infected computer.
Sherrod DeGrippo, Senior Director of Threat Detection and Research at Proofpoint, said his company was able to block all phishing attempts against the three customers as part of the campaign. The researcher said that it was unclear whether there were other targets or whether any of them was infected.
Proofpoint said the macros found in the Word document were similar to those used during targeted attacks against Japanese companies last year. Specifically: Macros (written in the Visual Basic for Applications language) used a large number of concatenation commands, possibly to try to avoid detection of malicious macros. The macro immediately below is from 2018. The one below was used in last month's attacks.
Proofpoint
According to the FireEye security company, an advanced group of persistent threats based in China led the 2018 attacks against Japanese companies. The threat was called APT10 or Menupbad.
"The macros used in the incident described by Proofpoint are very similar to the macros used by APT10 in 2018," said Sarah Jones, Senior FireEye Analyst, in a statement. "We also agree that the malicious program is actually different from the one previously used in 2018. At the moment, we can not definitively badign it to APT10 or any other named group."
Although the identity of the last campaign is not yet clearly defined, there is no doubt that this represents a significant threat given its target.
"The detection of a new malware family provided with the aid of phishingtactics, formerly used by known opponents of the APT, highlights the overall risk of domestic players," he said. wrote Michael Raggi and Dennis Schwarz, researchers at Proofpoint. "Although the final badignment in this case requires a more in-depth study of the infrastructure, tools and methodologies, the risk that these campaigns present for utility providers is clear." The profile of this campaign is indicative of a specific risk for US utility sector entities. "
The report includes compromise indicators that other utilities may use to determine if they have been targeted or infected.
Source link
