Previous coverage of their tactics, techniques and procedures (TTPs) has failed to deter digital attackers in their efforts to target U.S. utilities with LookBack malware.

Between 21 August and 29 August 2019, Proofpoint observed several spear phishing emails targeting U.S. utilities. Those messages appeared to originate from globalenergycertification[.]net, an attacker-controlled domain designed to impersonate the Global Energy Certification (“GEC”) utilities licensing body. The emails used that disguise to trick recipients into downloading LookBack.

Specifically, the emails purported to be invitations for recipients to take the GEC exam administered by the Energy Research and Intelligence Institution. They used GEC branding and “Take the exam now” as their subject line to lull recipients into a false sense of security so that they would open a Microsoft Word attachment. That document, labeled “take the exam now.doc,” contained VBA macros that downloaded LookBack, malware which enables bad actors to view information stored on an infected host.

A copy of the GEC-themed phishing email. (Source: Proofpoint)

This isn’t the first time that Proofpoint has come across LookBack. In fact, the macros observed in this campaign were mostly the same as those used in another attack wave detected by the security firm back in July. Proofpoint responded to this initial discovery by profiling the campaign’s delivery mechanism, exploitation stage and use of LookBack to prey on three U.S. utility organizations.

But as Proofpoint noted in its latest research, its July analysis failed to deter bad actors from conducting additional malware campaigns:

Newly discovered LookBack campaigns observed within the US utilities sector provides insight into an ongoing APT campaign with custom malware and a very specific targeting profile. The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset…. [A]t the (Read more...)