Proofpoint researchers Michael Raggi and Dennis Schwarz have reported on a group of hackers that attempted to infiltrate U.S. utilities in July. Last Thursday the researchers said that between July 19 and 25, phishing emails were sent to three companies that provide utility services.
The phishing emails purported to come from an engineering licensing board, the US National Council of Examiners for Engineering and Surveying, informing recipients that they had failed an exam. This is a common phishing technique, also seen in fake student loan or tax notices. The result? A recipient who trusts the sender will follow the instructions given and allow their system to become infected.
The phishing emails carried a Word document titled Result Notice.doc, which introduced malicious code onto the recipient's system. If the victim opens the file and enables VBA macros, three Privacy Enhanced Mail (PEM) files are dropped: tempgup.txt, tempgup2.txt and tempsodom.txt. These are decoded and written out as GUP.exe, libcurl.dll (a malicious loader) and sodom.txt, a file containing the command and control (C2) configuration for the code. This is how the LookBack malware arrives on the system.
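The PEM envelopes described above are only a disguise: once decoded they contain a Windows executable, not certificate data. The following added example (not code from the Proofpoint report) shows a defensive check that base64-decodes every PEM block in a text file and flags any whose payload carries an MZ/PE header; the sample inputs are constructed in-line and the function names are hypothetical.

```python
import base64
import re
import struct

# Matches a PEM envelope and captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def decode_pem_blocks(text: str) -> list[tuple[str, bytes]]:
    """Return (label, decoded bytes) for every PEM envelope found in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            found.append((label, base64.b64decode("".join(body.split()), validate=True)))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # not valid base64; ignore this block
    return found


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def suspicious_pem_payloads(text: str) -> list[str]:
    """Labels of PEM blocks whose decoded content is a PE image rather than DER data."""
    return [label for label, blob in decode_pem_blocks(text) if looks_like_pe(blob)]


# --- constructed samples (hypothetical, not the real dropper artifacts) ---
def _fake_pe_bytes() -> bytes:
    # Minimal DOS header: 'MZ', zero padding, e_lfanew = 0x40, then a 'PE\0\0' stub.
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 60


def make_pem(label: str, payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


SAMPLE_DROPPER = make_pem("CERTIFICATE", _fake_pe_bytes())               # PE hidden in PEM
SAMPLE_BENIGN = make_pem("CERTIFICATE", b"\x30\x82\x01\x0a" + b"\x00" * 16)  # DER-like data

if __name__ == "__main__":
    print("dropper:", suspicious_pem_payloads(SAMPLE_DROPPER))  # ['CERTIFICATE']
    print("benign:", suspicious_pem_payloads(SAMPLE_BENIGN))    # []
```

Running the check over .txt files written by Office processes during macro execution would surface this disguise regardless of the file names used.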
LookBack is a Trojan written in C++ that can view system data, execute code, break, steal and delete files, take screenshots, and move and click the mouse without the user, among other things. LookBack can also set up a C2 channel and a proxy server (proxy) to retrieve system information and send it to the attacker's server.
Proofpoint has linked these phishing attacks to APT campaigns from 2018 that were associated with Japanese companies. FireEye researchers said that the well-known APT10 (Menupass) group, which attacked media companies, appears to be Chinese and previously targeted Japan. If these are the same hackers, it could mean that APT10 is now operating in the US.