Proofpoint: The LookBack spear phishing campaign that aims to infect US utility companies is evolving. The threat actor relies on updated versions of the hacking tools used in earlier attacks. At least 17 companies have been targeted so far.
The LookBack spear phishing campaign that aims to infect US utility companies is evolving. This was revealed by Proofpoint's security researchers, who have updated their analysis of the malware attacks. The campaign was first spotted in July 2019, when three firms were targeted with malicious phishing messages distributing a new remote access trojan (RAT), LookBack. As it turns out, the attackers launched another campaign of this kind in late August, relying on updated versions of the tools used in the previous attacks. In total, at least 17 utility companies were targeted between April and August 2019. Moreover, the threat actors have shown persistence when their intrusion attempts were foiled, and they appear undeterred by publications describing their toolset.
The cyber security experts: the spear phishing campaign may be the work of a state-sponsored APT actor. Moreover, before spreading the malware, the APT conducted reconnaissance scanning against its future targets
According to the cyber security researchers, the LookBack campaign may be the work of a state-sponsored APT actor, based on overlaps with historical campaigns and the macros used. LookBack is a sophisticated RAT that lets the threat actors view processes and data on infected systems, delete files, take screenshots, control the mouse, reboot the infected host and delete itself. Moreover, before launching the phishing campaigns, the attackers conducted reconnaissance scanning of their future targets from a staging IP, a newly identified TTP. The scanning activity targeted SMB over IP (TCP port 445) on US hosts up to two weeks before the phishing emails arrived. In some instances, the observed scanning IPs also hosted phishing domains before those domains were used in the phishing campaigns.
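The reconnaissance TTP described above gives defenders a detection opportunity: an external IP that sweeps TCP/445 against several internal hosts and then, within the following two weeks, shows up as the host behind a URL in inbound mail is worth an alert. The script below is an added example written for this article, not Proofpoint's tooling or anything from the campaign; it correlates a constructed perimeter firewall log with a constructed mail-gateway log. The log formats, the 14-day window and the threshold of two distinct scanned hosts are assumptions, and every IP and domain is from the documentation ranges (RFC 5737) or example.* names. The check only works if denied inbound 445 connection attempts are actually logged and retained for at least the correlation window, which many perimeter configurations drop.

```python
"""Correlate pre-phishing SMB/445 reconnaissance with later phishing URL hosts.

Added example for this article (not Proofpoint's or the campaign's code).
Assumed inputs: a firewall log of inbound connection attempts and a
mail-gateway log recording each inbound URL host and the IP it resolved to.
All log lines, IPs and domains below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (assumed format): one inbound attempt per line.
FIREWALL_LOG = """\
2019-07-01T03:12:44Z deny tcp src=198.51.100.23 dst=203.0.113.10 dport=445
2019-07-01T03:12:45Z deny tcp src=198.51.100.23 dst=203.0.113.11 dport=445
2019-07-02T11:02:09Z deny tcp src=192.0.2.77 dst=203.0.113.10 dport=22
2019-07-03T09:40:01Z deny tcp src=198.51.100.23 dst=203.0.113.12 dport=445
2019-05-20T08:00:00Z deny tcp src=198.51.100.61 dst=203.0.113.10 dport=445
2019-05-20T08:00:05Z deny tcp src=198.51.100.61 dst=203.0.113.11 dport=445
"""

# Constructed mail-gateway log (assumed format): URL host in an inbound
# message and the IP the gateway resolved it to at delivery time.
MAIL_LOG = """\
2019-07-12T14:05:31Z from=bob@example.com url_host=example.org resolved=198.51.100.23
2019-07-13T10:22:07Z from=alice@example.net url_host=example.net resolved=192.0.2.200
2019-07-14T16:47:55Z from=hr@example.com url_host=example.com resolved=198.51.100.61
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) deny tcp src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
MAIL_RE = re.compile(
    r"^(?P<ts>\S+) from=\S+ url_host=(?P<host>\S+) resolved=(?P<ip>\S+)$"
)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def smb_scanners(fw_log, min_targets=2):
    """Return {source_ip: [timestamps]} for sources that probed TCP/445
    against at least `min_targets` distinct internal hosts. A single hit is
    background noise; several distinct destinations looks like a sweep."""
    hits = defaultdict(list)
    targets = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m or m["dport"] != "445":
            continue
        hits[m["src"]].append(parse_ts(m["ts"]))
        targets[m["src"]].add(m["dst"])
    return {ip: ts for ip, ts in hits.items() if len(targets[ip]) >= min_targets}


def correlate(fw_log, mail_log, window_days=14, min_targets=2):
    """Flag inbound URL hosts whose resolved IP swept TCP/445 against us
    within the preceding `window_days` (two weeks, per the reported TTP)."""
    scanners = smb_scanners(fw_log, min_targets)
    window = timedelta(days=window_days)
    alerts = []
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if not m or m["ip"] not in scanners:
            continue
        seen = parse_ts(m["ts"])
        # Only scans that precede the mail, and by no more than the window.
        prior = [t for t in scanners[m["ip"]] if timedelta(0) <= seen - t <= window]
        if prior:
            first = min(prior)
            alerts.append({
                "url_host": m["host"],
                "ip": m["ip"],
                "first_scan": first,
                "mail_seen": seen,
                "lead_days": (seen - first).days,
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(FIREWALL_LOG, MAIL_LOG):
        print(f"ALERT {a['url_host']} -> {a['ip']} scanned us "
              f"{a['lead_days']} days before the mail ({a['first_scan']:%Y-%m-%d})")
```

On the sample data only example.org is flagged: its IP swept three hosts on port 445 eleven days before the message arrived. The port-22 probe never counts, and 198.51.100.61 is a genuine scanner but its sweep was 55 days earlier, outside the two-week window, so it is dropped rather than reported as a stale coincidence.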