A malicious Microsoft Word document carrying command-and-control malware, dubbed “LookBack” by Proofpoint researchers, was sent to three US companies in the utilities sector. The emails went out between July 19th and July 25th 2019 and were disguised to appear as though they came from trusted domains. The malware is believed to have been created and deployed by a state-sponsored Advanced Persistent Threat (APT) actor.
What the Malware Did
The malware was sophisticated enough to drop several encoded files onto the system and decode them with a separate dropped file, which is believed to be how it evaded security technologies. The files were then renamed to look like common Windows files, including one that mimicked a Notepad++ file. Together, these files resulted in the execution of the LookBack malware.
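The renaming step described above is a masquerading technique: a dropped file borrows the name of a trusted binary so that a casual look at a process or directory listing raises no alarm. The following Python script is an added defensive illustration and is not code from the original article or from Proofpoint; it checks a file inventory for well-known binary names that appear outside their expected directory or whose hash differs from the trusted copy. The reference table, the "golden" file bytes, the directories and every path in the sample inventory are constructed for the example.

```python
"""Flag executables that masquerade as common Windows or Notepad++ binaries.

Added example, not part of the original article. All reference data and
sample paths below are constructed; a real deployment would build the
reference table from a known-good image or vendor-published hashes.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-ins for the trusted binaries' contents.
_GOLDEN: Dict[str, bytes] = {
    "notepad.exe": b"MZ-constructed-notepad",
    "svchost.exe": b"MZ-constructed-svchost",
    "notepad++.exe": b"MZ-constructed-notepadplusplus",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# binary name -> (expected directory, trusted SHA-256); directories are
# lower-cased, Windows-style, and constructed for this example.
REFERENCE: Dict[str, Tuple[str, str]] = {
    "notepad.exe": (r"c:\windows\system32", sha256_hex(_GOLDEN["notepad.exe"])),
    "svchost.exe": (r"c:\windows\system32", sha256_hex(_GOLDEN["svchost.exe"])),
    "notepad++.exe": (r"c:\program files\notepad++", sha256_hex(_GOLDEN["notepad++.exe"])),
}


@dataclass
class FileRecord:
    path: str       # full path as inventoried on the host
    content: bytes  # file bytes (constructed here; read from disk in practice)


def split_path(path: str) -> Tuple[str, str]:
    """Normalise a Windows path and split it into (directory, file name)."""
    normalized = path.lower().replace("/", "\\")
    directory, _, name = normalized.rpartition("\\")
    return directory, name


def classify(rec: FileRecord) -> str:
    """Classify one file against the reference table.

    ok               trusted name, expected directory, matching hash
    content_mismatch expected directory but the bytes are not the trusted copy
    relocated_copy   genuine bytes sitting somewhere unexpected (low severity)
    masquerade       trusted name, wrong directory, unknown bytes (high severity)
    unknown_name     name not in the reference table; not assessed here
    """
    directory, name = split_path(rec.path)
    if name not in REFERENCE:
        return "unknown_name"
    expected_dir, trusted_digest = REFERENCE[name]
    matches = sha256_hex(rec.content) == trusted_digest
    if directory == expected_dir:
        return "ok" if matches else "content_mismatch"
    return "relocated_copy" if matches else "masquerade"


def find_masquerades(inventory: List[FileRecord]) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every file that deserves analyst attention."""
    return [(rec.path, verdict) for rec in inventory
            if (verdict := classify(rec)) not in ("ok", "unknown_name")]


# Constructed sample inventory: two legitimate binaries, one renamed dropper
# imitating Notepad++, one tampered system binary and one relocated copy.
SAMPLE_INVENTORY: List[FileRecord] = [
    FileRecord(r"C:\Windows\System32\notepad.exe", _GOLDEN["notepad.exe"]),
    FileRecord(r"C:\Program Files\Notepad++\notepad++.exe", _GOLDEN["notepad++.exe"]),
    FileRecord(r"C:\Users\Public\notepad++.exe", b"MZ-constructed-dropper"),
    FileRecord(r"C:\Windows\System32\svchost.exe", b"MZ-constructed-tampered"),
    FileRecord(r"C:\Temp\notepad.exe", _GOLDEN["notepad.exe"]),
    FileRecord(r"C:\Users\Public\readme.txt", b"plain text, not assessed"),
]

if __name__ == "__main__":
    for path, verdict in find_masquerades(SAMPLE_INVENTORY):
        print(f"{verdict:16} {path}")
```

Running the script prints three findings: the renamed dropper in a user-writable directory as a masquerade, the tampered svchost.exe as a content mismatch, and the copy of notepad.exe in C:\Temp as a relocated copy. Separating "relocated_copy" from "masquerade" keeps backup or portable copies of genuine binaries from drowning out the case that matters, a trusted name attached to bytes nobody recognises.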
The LookBack malware functioned primarily as a Remote Access Trojan (RAT) and relied on an embedded proxy communication tool for its command and control channel. Through that channel the attacker could read, write and execute files on the host system, take screenshots of the desktop, and control the user’s mouse.
Luckily, it does not appear that the malware succeeded in subverting any of the utilities we rely on.
Why this Matters
Public utilities are an essential part of our lives. They provide everything from the water we drink to the electricity we use. They are vital to the safety and well-being of our nation. If left unchecked, foreign nation states could prove effective in attacking our basic needs as a society.
Security analysts continue to monitor and review our national infrastructure and utilities. As our adversaries continue to evolve, so should our capabilities in detecting and responding to these kinds of attacks.