Suspected state-sponsored hacking group tried to break into US utilities

SwissMiss

 

Researchers say the phishing attempts were spotted in July.
 

A suspected nation state-sponsored hacking group attempted to infiltrate US utility firms in July, researchers say.  

 

On Thursday, Proofpoint researchers Michael Raggi and Dennis Schwarz said that between July 19 and July 25, spear-phishing emails were sent to three US companies responsible for providing utility services to the public. 

 

The phishing emails impersonated an engineering licensing board, the US National Council of Examiners for Engineering and Surveying, and attempted to elicit panic in recipients by pretending that the victim company had failed an exam.  

 

This is a common technique used in phishing emails and is found in other examples including fake bank withdrawal emails, tax demands, and student loan complaints. If a target is frightened, they may be more likely to follow a phishing email's instructions without thinking things through.

 

Contained within the message was a Microsoft Word document, named Result Notice.doc, which used embedded macros to spring malicious code onto a recipient system. 

 

The emails originated from an IP address which led to the discovery of additional domains used to impersonate other engineering and electric licensing agencies in the United States. However, only the original domain, nceess[.]com, appears to be active in current phishing campaigns. 

 

[Image: screenshot-2019-08-02-at-09-04-17.png]

If a victim opens the file and enables VBA macros, three Privacy Enhanced Mail (PEM) files are dropped: tempgup.txt, tempgup2.txt, and tempsodom.txt. These files are then decoded and transformed into Notepad-impersonating GUP.exe, libcurl.dll -- a malicious loader -- and sodom.txt, a file which contains command-and-control (C2) configuration settings for the malicious code.

 

The malware, dubbed LookBack, is then launched via GUP.exe and libcurl.dll. 

 

LookBack is a Remote Access Trojan (RAT), written in C++, which is able to view system data, execute shellcode, tamper with, steal, and delete files, take screenshots, kill processes, move and click a mouse without user interaction, force an infected PC to reboot at whim, and remove itself from a machine.

 

LookBack is also able to create a C2 channel and proxy in order to exfiltrate and send system information to the attacker's server. 

 

Proofpoint has connected the recent attacks with APT campaigns in 2018 linked to Japanese firms. FireEye researchers said the group -- known as APT10 or Menupass -- attacking media companies appears to be Chinese and has a history of going after targets in Japan. 

 

If it is the same threat actors, this could demonstrate that APT10 is branching out to include US firms in their hit-list.

 

Firm conclusions that LookBack is the work of a state-sponsored group seeking to disrupt core utilities and services are not possible, as the researchers note that the malware has not been actively associated with any APT previously and "no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary."

 

However, the macros do provide a clue to state-sponsored activity. Many of the connections between the macro and VBA function obfuscation are strikingly similar to the code used in the aforementioned Japanese attacks, despite being rewritten. 

 

"We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized," Proofpoint says. "The utilization of this distinct delivery methodology coupled with unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers."

 

 

Source: Suspected state-sponsored hacking group tried to break into US utilities
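The drop chain described in the post above (text files carrying PEM framing that are decoded into GUP.exe and libcurl.dll) suggests a straightforward triage check for defenders: look for text files whose PEM or base64 body decodes to a Windows PE image. The following is an added example written for this thread, not code from Proofpoint or the quoted article. It builds a constructed, non-functional 96-byte PE header in memory (only the MZ/PE signatures, not real malware) to exercise the check; the file-suffix filter, the 64-character base64 threshold and the verdict labels are this example's own assumptions.

```python
"""Triage check: does a text file hide a Windows PE image behind PEM/base64 framing?

Added example for this thread, not Proofpoint's code. The sample payload below is a
constructed, non-functional PE header (just the MZ/PE signatures), not real malware.
"""
import base64
import binascii
import re
from pathlib import Path

# A PEM block: -----BEGIN X----- <base64 body> -----END X-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# A bare run of base64 text long enough to be worth decoding (64+ chars, assumed threshold)
B64_RUN = re.compile(r"[A-Za-z0-9+/=\r\n]{64,}")


def looks_like_pe(blob: bytes) -> bool:
    """Classic PE check: 'MZ' DOS header and a 'PE\\0\\0' stamp at the e_lfanew offset."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_candidates(text: str) -> list[bytes]:
    """Decode every PEM body in the text; fall back to bare base64 runs if no PEM framing."""
    bodies = [m.group(2) for m in PEM_BLOCK.finditer(text)]
    if not bodies:
        bodies = [m.group(0) for m in B64_RUN.finditer(text)]
    decoded = []
    for body in bodies:
        try:
            decoded.append(base64.b64decode("".join(body.split()), validate=True))
        except binascii.Error:
            continue  # not valid base64; ignore this candidate
    return decoded


def classify_text(text: str) -> str:
    """Return 'pe-in-pem', 'pe-in-base64' or 'clean' (verdict labels are this example's own)."""
    framed = PEM_BLOCK.search(text) is not None
    for blob in decode_candidates(text):
        if looks_like_pe(blob):
            return "pe-in-pem" if framed else "pe-in-base64"
    return "clean"


def scan_directory(root: Path, suffixes=(".txt", ".pem", ".crt")) -> list[tuple[str, str]]:
    """Classify every file under root with one of the given suffixes (suffix list assumed)."""
    results = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            results.append((str(path), classify_text(text)))
    return results


# --- constructed samples (not real malware) ---------------------------------
def build_fake_pe_header() -> bytes:
    """96 bytes carrying only the MZ signature, e_lfanew=0x40 and a 'PE\\0\\0' stamp."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 28                # NT signature + padding
    return bytes(hdr)


SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(build_fake_pe_header()).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_BARE = base64.b64encode(build_fake_pe_header()).decode()
BENIGN_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed non-PE certificate bytes " * 4).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, text in [("SAMPLE_PEM", SAMPLE_PEM), ("SAMPLE_BARE", SAMPLE_BARE), ("BENIGN_PEM", BENIGN_PEM)]:
        print(f"{name}: {classify_text(text)}")
```

The decoder deliberately validates the base64 alphabet before trusting a candidate, so ordinary prose with a long word run is skipped rather than misclassified; a genuine certificate decodes to DER (0x30 ...), never to an MZ header, so it stays "clean". Run scan_directory(Path("/some/quarantine")) to sweep a folder of suspect text files.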

New advanced malware, possibly nation sponsored, is targeting US utilities

Dear Engineer. You failed your licensing exam. Open this document to learn more.

 

A new piece of advanced espionage malware, possibly developed by a nation-supported attacker, targeted three US companies in the utilities industry last month, researchers from security firm Proofpoint reported on Thursday.

 

Employees of the three unnamed companies, Proofpoint reported, received emails purporting to come from the National Council of Examiners for Engineering and Surveying. This non-profit group develops, administers, and scores examinations used in granting licenses for US engineers. Using the official NCEES logo and the domain nceess[.]com, the emails said that the recipients failed to achieve a passing score on a recent exam. The attached Word document was titled Result Notice.doc.

 

[Image: ncees-email.png (source: Proofpoint)]

 

Malicious macros embedded into the document attempted to install a package of full-featured malware that Proofpoint calls LookBack. Components included a remote-access trojan written in C++ and a proxy tool for communicating with a command-and-control server. Once LookBack was installed, it gave attackers a full range of capabilities that include:

  • Get process listing
  • Kill process
  • Execute cmd[.]exe commands
  • Get drive type
  • Find files
  • Read files
  • Delete files
  • Write to files
  • Execute files
  • Enumerate services
  • Start services
  • Delete services
  • Take a screenshot of the desktop
  • Move/Click Mouse and take a screenshot
  • Exit
  • Remove self
  • Shutdown
  • Reboot

Beyond its wide-ranging capabilities, LookBack was advanced for other reasons. The command server proxy could impersonate WinGup, an open source updater that's used by Notepad++, in an attempt to camouflage itself. Another way LookBack avoided detection: a dynamic link library appeared to be a legitimate DLL file for the software tool libcurl except for a single exported function. The attackers used the function to extract encrypted data in the DLL to carry out communications and establish persistence on the infected computer.

 

Sherrod DeGrippo, Proofpoint's senior director of threat research and detection, said his company was able to block all phishing attempts used against the three customers in this campaign. The researcher said it's not clear if there were other targets or if any of them were infected.

 

Proofpoint said that the macros found in the Word document are similar to ones used in targeted attacks against Japanese businesses last year. Specifically: the macros, written in the Visual Basic for Applications language, used a large number of concatenation commands, possibly in an attempt to evade detection of the malicious macros. The macro pictured immediately below is from 2018. The one below that was used in the attacks from last month.

 

[Images: 2018-macro.png and 2019-macro.png (source: Proofpoint)]

 

According to security firm FireEye, an advanced persistent threat group operating out of China, called APT10 or Menupass, carried out the 2018 attacks against Japanese businesses.

 

"The macros used in the incident described by Proofpoint are highly similar to the macros used by APT10 in 2018," FireEye Principal Analyst Sarah Jones said in an emailed statement. "We also concur that the malware is, in fact, different than what was used previously in 2018. At this time, we cannot definitively attribute this to APT10 or any other named group."

 

While it's still not clear precisely who is behind the recent campaign, there's little doubt it poses a significant threat given its target.

 

"The detection of a new malware family delivered using phishing tactics once used by known APT adversaries highlights a continuing global risk from nation-state actors," Proofpoint researchers Michael Raggi and Dennis Schwarz wrote. "While definitive attribution in this instance requires further study of infrastructure, toolsets, and methodologies, the risk that these campaigns pose to utilities providers is clear. The profile of this campaign is indicative of specific risk to US-based entities in the utilities sector."

 

The report includes indicators of compromise that other utilities can use to help determine if they have been targeted or infected.

 

 

Source: New advanced malware, possibly nation sponsored, is targeting US utilities (Ars Technica) 
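The macro comparison in the post above rests on one concrete observation: the VBA used a large number of string-concatenation commands, apparently to evade macro detection. A defender can turn that into a triage heuristic by counting literal-to-literal joins per non-blank line, and an analyst can collapse those joins to recover the assembled strings before deciding whether a document needs deeper inspection. The following is an added example written for this thread, not code from Proofpoint, FireEye or the article; both macro samples are constructed for illustration (they only mimic the concatenation style and do nothing harmful), and the thresholds are assumptions.

```python
"""Triage heuristic for VBA macros that hide strings behind many concatenations.

Added example for this thread, not Proofpoint's or FireEye's code. Both macro
samples are constructed for illustration; the thresholds are assumptions.
"""
import re

# The seam between two adjacent string literals:  "ab" & "cd"   (VBA also accepts +).
# Counting seams gives the number of joins (6 literals -> 5 joins).
JOIN_POINT = re.compile(r'"\s*[&+]\s*"')
# Two adjacent literals captured whole, for collapsing them into one.
# Limitation: VBA's doubled-quote escape ("") inside a literal is not handled.
LITERAL_PAIR = re.compile(r'"([^"\n]*)"\s*[&+]\s*"([^"\n]*)"')
# Chr()/ChrW()/Chr$() calls, another common way to assemble strings piecewise.
CHR_CALL = re.compile(r"\bChr[W$]?\s*\(", re.I)


def concat_stats(vba: str) -> dict:
    """Count literal joins and Chr() calls, normalised per non-blank line."""
    lines = [ln for ln in vba.splitlines() if ln.strip()]
    joins = len(JOIN_POINT.findall(vba))
    chr_calls = len(CHR_CALL.findall(vba))
    return {
        "lines": len(lines),
        "joins": joins,
        "chr_calls": chr_calls,
        "joins_per_line": joins / len(lines) if lines else 0.0,
    }


def is_suspicious(vba: str, min_joins: int = 6, min_ratio: float = 0.5) -> bool:
    """Flag macros with both many joins overall and a high join density (thresholds assumed)."""
    stats = concat_stats(vba)
    return stats["joins"] >= min_joins and stats["joins_per_line"] >= min_ratio


def collapse_literals(vba: str) -> str:
    """Repeatedly merge "ab" & "cd" into "abcd" until no adjacent literal pairs remain."""
    previous = None
    while previous != vba:
        previous = vba
        vba = LITERAL_PAIR.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', vba)
    return vba


# --- constructed samples (illustration only) --------------------------------
BENIGN_MACRO = '''\
Sub AutoOpen()
    MsgBox "Welcome to the quarterly report"
End Sub
'''

OBFUSCATED_MACRO = '''\
Sub AutoOpen()
    Dim s As String
    s = "Scr" & "ipt" & "ing.F" & "ileSys" & "temObj" & "ect"
    t = "Res" & "ult N" & "oti" & "ce"
    MsgBox s & " " & t
End Sub
'''

if __name__ == "__main__":
    for name, macro in [("benign", BENIGN_MACRO), ("obfuscated", OBFUSCATED_MACRO)]:
        print(name, concat_stats(macro), "suspicious" if is_suspicious(macro) else "ok")
    print(collapse_literals(OBFUSCATED_MACRO))
```

The density check matters more than the raw count: a long, legitimate macro can contain a handful of joins, whereas the obfuscation style described here packs several joins into almost every line. Collapsing the literals is a read-only transformation of the macro text, so it is safe to run on any extracted VBA and it makes the recovered strings available for the usual indicator matching.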
