LookBack, TA410

Description

(Proofpoint) Between July 19 and July 25, 2019, several spear phishing emails were identified targeting three US companies in the utilities sector. The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed “LookBack.” This malware consists of a remote access Trojan (RAT) module and a proxy mechanism used for command and control (C&C) communication.  We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized. The utilization of this distinct delivery methodology coupled with unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers.

Proofpoint found similarities in malware delivery with Stone Panda, APT 10, menuPass, but those may have been false flags.

Names

Name	Name-Giver
LookBack	Proofpoint
TA410	Proofpoint
Witchetty	Symantec
LookingFrog	ESET
FlowingFrog	ESET

Country

• Unknown

Motivation

• Information theft and espionage

First Seen

2019

Observed Sectors

• Energy
• Utilities

Observed Countries

• USA
• Middle East and Africa

Tools

• FlowCloud
• GUP Proxy Tool
• SodomMain
• SodomNormal

Operations

• 2019-07: At the same time as the LookBack campaigns, Proofpoint researchers identified a new, additional malware family named FlowCloud that was also being delivered to U.S. utilities providers. https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
• 2019-08: LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals
• 2022-02: Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

Information

• https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks
• https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/

Other Information

Uuid

0cd75659-1c39-4647-8781-3e65d79f2cd5

Last Card Change

2023-11-29