Three US entities in the utilities sector were targeted by a phishing campaign that delivered new malware featuring a remote access Trojan (RAT) designed to give the attackers administrative control of infected systems.
The new malware, called LookBack, was discovered by Proofpoint Threat Insight Team researchers while analyzing the phishing emails and their malicious payloads.
In a blog post detailing their discovery, the researchers explained how the phishing emails impersonated a US engineering licensing board so that they would appear legitimate, saying:
“Phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed ‘LookBack.’”
The phishing emails, which the utilities received on July 19 and July 25, were all sent from the attacker-controlled nceess[.]com, but Proofpoint also found that the attackers were impersonating other US electrical engineering and licensing bodies with fraudulent domains. Since only one of those domains was used in these spear-phishing attacks, there is a high probability that further campaigns using similar tactics will be launched in the future.
The malware dropped by the phishing campaign is a remote access Trojan written in C++ that allows the attackers to take full control of a compromised machine once it is infected.
According to Proofpoint, the LookBack RAT lets attackers enumerate services, view process, system and file data, delete files and execute commands, take screenshots, move and click the mouse, and even reboot the machine and remove itself from an infected host.
The LookBack malware also consists of multiple components, including a command-and-control proxy tool called GUP, a malware loader, a communications module and the remote access Trojan component itself.
Proofpoint also noted that the phishing attack launched against the US utilities may be the work of a state-sponsored advanced persistent threat (APT) actor, based on overlaps between the macros used and those seen in earlier campaigns.
Via Bleeping Computer