Last month saw a number of utility sector businesses targeted with spear phishing attacks that utilize a new remote access Trojan (RAT) that provides attackers with admin access.
We’ve seen a wave of attacks that appear to be focused on infrastructure-related organizations in the U.S. The recent seemingly coordinated attacks on local governments and municipalities are cause enough for alarm, but this latest string of attacks is downright frightening.
Last month, phishing emails targeting utilities appear to come from the US National Council of Examiners for Engineering and Surveying, utilizing a spoofed domain of NCEESS[dot]com. Using a scam involving exam “results notices”, the emails include a Word doc attachment that uses VBA macros to install a new RAT variant, dubbed LookBack.
LookBack is an impressive piece of code, with extended admin capabilities that allow an attacker to, discover the configuration of the infected endpoint, launch commands, establish a secure channel back to a command & control server, and more.
According to Bleeping Computer, the code used looks similar to attacks in 2018 targeting Japanese corporation. The utility sector attacks are suspected to be state-sponsored, possibly a Chinese espionage group.
Because phishing is the means of entry for these attacks, the good news is strong endpoint protection, DNS scanning can play a role in stopping the attacks before they reach the user’s inbox. Security Awareness Training can help educate users to spot suspicious emails (such as the use of a Word doc as the medium to provide exam results in the example above) and avoid clicking on the attachment in the first place.