An APT campaign targeting US utilities firms with a remote access trojan (RAT) has now hit at least 17 firms, according to a new report from Proofpoint.
The security vendor first spotted phishing emails sent to three utilities providers in late July, although the campaign now appears much wider in scope after more targeted emails were discovered in August.
It begins with reconnaissance scanning for SMB over port 445, perhaps to identify targets with vulnerabilities in the protocol that could be exploited later on to help attackers spread laterally.
Then comes the delivery of the phishing email itself, using as a lure an invitation to take an exam run by licensing body Global Energy Certification (GEC), administered by the Energy Research and Intelligence Institution.
Emails include the subject line “Take the exam now” and a malicious Microsoft Word attachment named “take the exam now.doc” alongside a legitimate PDF for exam preparation hosted on the real GEC site. This helps to add legitimacy to the spoofed message.
“The attachments titled ‘take the exam now.doc’ contained VBA macros to install LookBack. The macros were mostly the same as those first observed in July and were similarly obfuscated with concatenation commands that made the macros difficult to detect with static signatures,” explained Proofpoint.
“When a user opens the malicious attachment and enables macros, the VBA macro within the Microsoft Word attachment installs several privacy-enhanced mail (PEM) files on the host. When decoded, we found these to be both malware modules and macro variables.”
The ultimate aim of the macro execution is to download LookBack, a modular RAT designed to find, read and delete files, start and delete services, take screenshots, and even move or click the victim’s mouse.
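As an added defender-side illustration (not code from Proofpoint's report or from this article), the Python below statically triages VBA macro source for the two traits quoted above: strings assembled with concatenation and Chr() calls, and PEM-armored payloads embedded in the macro. The sample macro and its PEM body are constructed for the example; no real LookBack artifact is used and nothing from the macro is executed.

```python
import base64
import re

# Constructed VBA snippet (not the real LookBack macro) showing the traits the report
# describes: strings built by concatenation and Chr(), plus an embedded PEM block. Its
# base64 body is the first 32 bytes of a DOS/PE header so the MZ check fires.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim p As String, pem As String
    p = Environ("TEMP") & "\pa" & "yl" & Chr(111) & "ad" & ".pem"
    pem = "-----BEGIN CERTIFICATE-----" & vbCrLf & _
          "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=" & vbCrLf & _
          "-----END CERTIFICATE-----"
End Sub
'''

CONCAT_RE = re.compile(r'"\s*&\s*(?="|Chr\()')        # "x" & "y"  or  "x" & Chr(
CHR_RE = re.compile(r'\bChr\s*\(\s*\d+\s*\)', re.IGNORECASE)
LITERAL_RE = re.compile(r'"([^"\n]*)"')                # string literals ("" escapes ignored)
PEM_RE = re.compile(r'-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----', re.DOTALL)

def extract_pem_payloads(vba: str) -> list:
    """Return (label, decoded bytes) for each PEM block reassembled from the macro's
    string literals, so blocks split across '&' joins and line continuations are found."""
    joined = "\n".join(LITERAL_RE.findall(vba))
    payloads = []
    for label, body in PEM_RE.findall(joined):
        b64 = re.sub(r"[^A-Za-z0-9+/=]", "", body)
        try:
            payloads.append((label, base64.b64decode(b64, validate=True)))
        except ValueError:                             # binascii.Error subclasses ValueError
            payloads.append((label, b""))
    return payloads

def analyze_vba(vba: str) -> dict:
    """Flag the obfuscation and PEM-dropper traits in macro source; nothing is executed."""
    joins = len(CONCAT_RE.findall(vba))
    chr_calls = len(CHR_RE.findall(vba))
    payloads = extract_pem_payloads(vba)
    findings = []
    if joins >= 3:
        findings.append(f"string-concatenation obfuscation ({joins} joins)")
    if chr_calls:
        findings.append(f"Chr() character building ({chr_calls} calls)")
    for label, data in payloads:
        kind = "PE executable (MZ header)" if data.startswith(b"MZ") else "undetermined"
        findings.append(f"embedded PEM '{label}': {len(data)} bytes, {kind}")
    return {"concat_joins": joins, "chr_calls": chr_calls, "pem_blocks": len(payloads),
            "findings": findings, "suspicious": bool(findings)}
```

Run `analyze_vba` over macro source dumped from a suspicious document with a tool such as olevba; the thresholds are starting points to tune against your own benign macro corpus.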
“The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset,” warned Proofpoint.
Andrea Carcano, co-founder of Nozomi Networks, argued that cyber-criminals will often look to exploit human weaknesses to reach targeted systems.
“Therefore, utility providers need to take the time to teach staff to recognize phishing emails and not to click on links or open attachments from unknown sources,” he said.
“In addition, the implementation of advanced cybersecurity technologies, such as machine learning and artificial intelligence, is a critical step towards safe and reliable critical infrastructure. These technologies provide utilities with the ability to jump start their visibility, situational awareness, and their capacity to detect and mitigate cyber-attacks.”