Suspected State-Sponsored Spear Phishing Campaign Targets U.S. Utilities with New Malware

Cybersecurity firm Proofpoint identified a new spear phishing campaign that targeted three undisclosed U.S. utilities. Based on overlaps with historical campaigns and macros utilized, Proofpoint believes the campaign is state-sponsored. The convincing phishing lures purport to come from the National Council of Examiners for Engineering and Surveying (NCEES), a business that handles professional licensing for engineers and surveyors, indicating the threat actors have a decent amount of industry knowledge. According to Proofpoint, the emails were sent between July 19 and 25, utilized the NCEES logo, and the sender address and reply-to fields featured an impersonated domain, nceess[.]com (designed to look like the NCEES domain but adding an “s” at the end). In typical social engineering fashion, the premise of the email is designed to evoke a sense of urgency by indicating the user failed to achieve a passing exam score. The emails included a malicious Microsoft Word attachment of newly identified malware dubbed LookBack. Analysis of LookBack revealed it is a remote access trojan (RAT) that has capabilities to view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host. Perch users subscribed to the WaterISAC Community will be able to detect LookBack within their environments. All members are encouraged to check networks for and report similar activity, especially if dealing with NCEES or similar organizations. Read the article at Threatpost