Spear-phishing attacks infect United States utility sector with RAT
In a recent spear-phishing campaign, three companies in the U.S. utility sector were compromised by a newly identified piece of malware featuring a RAT (Remote Access Trojan) which, once it infected a system, gave the attackers administrative control over the device.
Researchers at security firm Proofpoint reported in a blog post that the e-mails carried a malware-laced attachment: a Microsoft Word document that uses macros to drop and execute a malicious program the researchers have named "LookBack." The program includes a RAT that can take screenshots, delete files, restart the system, and remove itself from the infected device.
The phishing e-mails targeted the utilities on two dates, July 19 and July 25. The sender address used ness.com as its domain suffix and was under the attackers' control. The researchers also found that the e-mails masqueraded as coming from several other U.S. electrical licensing and engineering entities, although they actually came from fake domains. Since only a single domain was used in the latest spear-phishing attacks, there is a high probability that further campaigns using similar tricks will be launched later.
If the file is opened with VBA macros enabled, three PEM (Privacy Enhanced Mail) files are installed: tempsodom.txt, tempgup2.txt and tempgup.txt. These files are then decoded and converted into GUP.exe, which impersonates Notepad; libcurl.dll, a malicious installer; and Sodom.txt, a file carrying the command-and-control (C&C) configuration that instructs the malware. www.zdnet.com reported this on August 2, 2019.
After these steps, the LookBack malware is launched through the libcurl.dll and GUP.exe files.
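The dropper chain above (a macro writes PEM-formatted .txt files, which are then decoded into a PE executable, a DLL and a C&C configuration file) leaves artifacts a defender can look for on disk. The following scanner is an added example written for this article; it is not code from Proofpoint, ZDNet or the LookBack analysis. It assumes only the six file names quoted in the article and a generic heuristic: a file that carries a PEM block whose Base64 body decodes to an MZ header is an executable hiding inside a "certificate" wrapper. The sample file it scans is constructed inline, so it runs offline.

```python
import base64
import binascii
import re
from pathlib import Path
from typing import Dict, List, Optional

# File names reported for the LookBack dropper chain (taken from the article).
# Matching on names is weak on its own, which is why the PEM check below exists.
LOOKBACK_DROP_NAMES = {
    "tempsodom.txt", "tempgup2.txt", "tempgup.txt",
    "gup.exe", "libcurl.dll", "sodom.txt",
}

# Generic PEM block: "-----BEGIN X-----" ... "-----END X-----" with a Base64 body.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def decode_pem_payload(data: bytes) -> Optional[bytes]:
    """Return the decoded body of the first PEM block in `data`, or None if
    there is no PEM block or its body is not valid Base64."""
    match = PEM_BLOCK.search(data)
    if not match:
        return None
    body = b"".join(match.group(2).split())  # drop the 64/76-column line breaks
    try:
        return base64.b64decode(body, validate=True)
    except (ValueError, binascii.Error):
        return None


def looks_like_pe(blob: bytes) -> bool:
    """A Windows PE image (EXE/DLL) starts with the DOS 'MZ' signature.
    Real certificates decode to DER (first byte 0x30), so they never match."""
    return blob[:2] == b"MZ"


def classify_file(name: str, data: bytes) -> List[str]:
    """Return a list of findings for one file; empty means nothing suspicious."""
    findings: List[str] = []
    lname = name.lower()
    if lname in LOOKBACK_DROP_NAMES:
        findings.append("name matches reported LookBack artifact")
    decoded = decode_pem_payload(data)
    if decoded is not None:
        if looks_like_pe(decoded):
            findings.append("PEM-wrapped payload decodes to a PE executable")
        elif lname.endswith(".txt"):
            # Not an executable, but a PEM block in a .txt file is still odd
            # (the article's Sodom.txt carried the C&C configuration this way).
            findings.append("PEM block stored in a .txt file")
    return findings


def scan_directory(root: Path) -> Dict[str, List[str]]:
    """Scan every regular file under `root`; return {path: findings} for hits."""
    hits: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if path.is_file():
            findings = classify_file(path.name, path.read_bytes())
            if findings:
                hits[str(path)] = findings
    return hits


def build_constructed_sample() -> bytes:
    """Constructed sample (not a real LookBack file): a PEM 'certificate'
    whose body is actually a tiny fake PE stub, as the dropper stage produces."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    return (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(fake_pe)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Scan a user's temp directory if one is given, otherwise show the constructed sample.
    import sys
    if len(sys.argv) > 1:
        for path, findings in scan_directory(Path(sys.argv[1])).items():
            print(path, "->", "; ".join(findings))
    else:
        print("tempgup.txt ->", "; ".join(classify_file("tempgup.txt", build_constructed_sample())))
```

Run it against a temp directory with `python scanner.py C:\Users\someone\AppData\Local\Temp` (path is a placeholder). The useful part of the heuristic is the second check: a name list goes stale with the next campaign, but "Base64 in a PEM wrapper that decodes to MZ" describes the dropper technique itself, and genuine certificates cannot trip it because DER never begins with the MZ bytes.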
According to Proofpoint, the recent attacks are connected to the 2018 APT attacks that have been associated with Japanese firms. According to another security company, FireEye, the group known as Menupass, or APT10, which attacks media firms, appears to be Chinese and targets entities in Japan.
Although there is little conclusive evidence that APT10 carried out the July 2019 spear-phishing attacks, the campaign highlights the growing risk of compromise facing the United States utility industry.
The discovery of this spear-phishing campaign underscores that critical infrastructure is endangered by a combination of increasingly sophisticated social engineering and new malware, Proofpoint concludes.
» SPAMfighter News - 8/14/2019