Between July 19 and July 25, 2019, several spear phishing emails were identified targeting three US companies in the utilities sector. The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed “LookBack.” This malware consists of a remote access Trojan (RAT) module and a proxy mechanism used for command and control (C&C) communication. We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized. The utilization of this distinct delivery methodology coupled with unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers.
Emails delivered on July 19 and July 25 purported to be a failed examination result from the NCEES (National Council of Examiners for Engineering and Surveying) and fraudulently utilized the NCEES logo. The email sender address and reply-to fields contained the impersonation domain nceess[.]com. Like the phishing domain, the email bodies impersonated member ID numbers and the signature block of a fictitious employee at NCEES. The Microsoft Word document attachment included in the email also invoked the failed examination pretense with the file name “Result Notice.doc.”
Figure 1: NCEES-themed phishing email
All emails originated from the IP address 79.141.168[.]137, which appears to be an actor-controlled IP utilized to host the phishing domain nceess[.]com. An examination of passive DNS and domain registration history for this domain identified additional domains that appeared to be actor registered, which also impersonated engineering and electric licensing bodies in the US. Among these domains, only nceess[.]com was observed in active phishing campaigns targeting utility companies.
The phishing messages were found to contain a Microsoft Word document attachment that uses VBA macros to install LookBack malware. When the attachment is executed, the malicious VBA macro within the Microsoft Word attachment drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt, and tempsodom.txt. Additionally, the file Temptcm.tmp, which is a version of certutil.exe, is dropped to decode the PEM files using Temptcm.tmp. The macro next creates a copy of the decoded PEM files restoring their proper file extensions with the Windows essentuti.exe. tempgup.txt becomes GUP.exe, which impersonates the name of an open-source binary used by Notepad++; tempgup2.txt becomes libcurl.dll, a malicious loader DLL file; and tempsodom.txt becomes sodom.txt, which contains command and control configuration data utilized by the malware. Finally, the macro launches GUP.exe and the libcurl.dll loader separately, resulting in the execution of LookBack malware.
LookBack malware is a remote access Trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to a command and control IP. Its capabilities include an enumeration of services; viewing of process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine and deleting itself from an infected host. The malware consists of the following components:
A command and control proxy tool (referred to as GUP)
A malware loader comprised of a legitimate libcurl.dll file with one export function modified to execute shellcode.
A communications module (referred to as SodomNormal) which creates a C&C channel with the GUP proxy tool.
A remote access Trojan component (referred to as SodomMain), which is delivered following decoding the initial beacon response received via the GUP proxy tool and the SodomNormal local host proxy module.
GUP Proxy Tool
The GUP command and control proxy tool may impersonate the name of a piece of legitimate opensource software available at wingup[.]org, which is used by Notepad++. In historic campaigns by APT adversaries, legitimate GUP.exe versions were utilized that were digitally signed by Notepad++. In this campaign, files appeared to impersonate the GUP.exe file name rather than being a legitimate signed binary. The function of this tool is to set up a TCP listener on a localhost, receive encoded data via requests from the SodomNormal localhost module, and to forward this data to the command and control IP via HTTP. The GUP Proxy Tool has a hardcoded configuration which is included as both strings and integers. The following configuration data was identified from the analyzed sample.
Libcurl.dll Malware Loader
This dynamic link library appears to be a legitimate version of libcurl.dll except for a single exported function, which is referred to as ordinal #52 and curl_share_init in the analyzed sample. This function has been modified by threat actors to extract a resource contained within libcurl.dll, decrypt malicious data included in that resource, and load the resulting DLL to execute a malicious function. When this function is executed, the SodomNormal communications module begins running within Libcurl.dll. In addition to loading the communications module, the initial macro described above configures a persistence mechanism for this malware loader by setting up a Registry Run key. The non-concatenated command included in the macro that establishes persistence for Libcurl.dll and the hash for this sample are included below.
cmd /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionRun /v CurlUpdate /f /d rundll32.exe C:UsersPubliclibcurl.dll,#52
SodomNormal Communications Module
The SodomNormal Communications module runs within the libcurl.dll loader as a loaded DLL. Its primary function is to communicate data gathered by the SodomMain remote access Trojan module with the GUP Proxy Tool. It attempts to acquire an existing configuration from the file sodom.ini. However, it appears the configuration is dropped in the file sodom.txt instead. If that configuration is not available, it utilizes a hardcoded configuration in the binary. An example of this hardcoded configuration has been included below. The tool uses a custom binary protocol over sockets for its command and control communication with the GUP Proxy Tool and all transferred data is encrypted using a modified version of RC4 encryption. It has limited functionality which includes an initial beacon, an initial beacon response that includes encoded data containing the SodomMain RAT, and a command poll which passes header and decrypted data in an exported function enabling the SodomMain RAT to run. The hash for this sample is included below.
Figure 2: SodomNormal Communications Module hardcoded local host configuration.
SodomMain Remote Access Trojan Module
The SodomMain module is LookBack malware’s remote access Trojan module that can send and receive numerous commands indicative of its function as a RAT. The malware is delivered within the encoded data that is received by the SodomNormal module as part of its initial beacon response. It then runs within the SodomNormal module and uses its “send_data” function for C&C communications. The data is ultimately relayed to the GUP Proxy Tool and the C&C IP.
Noteworthy malware commands include:
Write to files
The hash for this sample is included below.
Notes on Attribution
Analysts identified similarities between the macros utilized in this campaign and historic APT campaigns targeting Japanese corporations in 2018 . Moreover, LookBack utilizes an encoded proxy mechanism for C&C communication that resembles a historic TTP utilized in those campaigns. However, analysts note that the LookBack malware has not previously been associated with a known APT actor and that no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary.
In the attachments identified as part of the July 2019 campaigns, threat actors appeared to utilize many concatenation commands within the macro to obfuscate the VBA function. It is possible these concatenations were an attempt to evade static signature detection for the macro strings while maintaining the integrity of the installation mechanism, which had been historically been used to target different sectors and geographies. The below comparison indicates the shared macro content which appears to have been rewritten.