Three U.S. firms in the utility sector were hit with a spear phishing campaign in mid-July with the emails containing a malicious Word document that can contain and can install the new remote access trojan LookBack.

The Proofpoint Threat Insight Team’s initial take is the
attack was the work of a nation-state sponsored actor based on the macro used
and comparing it to other previous attacks conducted by such groups.

The social engineering behind the emails, which were sent
between July 19-25 makes it appear as if the correspondence comes from a domain
owned by the U.S. National Council of Examiners for Engineering and Surveying
and includes that organization’s logo. The email itself pretends to contain a
failed examination result from the National Council of Examiners for
Engineering and Surveying, a subject likely to pique someone’s interest and be
opened, Proofpoint said.

“The email sender address and reply-to fields contained the
impersonation domain nceess[.]com. Like the phishing domain, the email bodies
impersonated member ID numbers and the signature block of a fictitious employee
at NCEES. The Microsoft Word document attachment included in the email
also invoked the failed examination pretense with the file name ‘Result
Notice.doc,’” Proofpoint wrote.

Once installed on a machine LookBack, which is written in
C++ is able to conduct several tasks. This includes listing of services;
viewing of process, system, and file data; deleting files; executing
commands; taking screenshots; moving and clicking the mouse; rebooting the
machine and deleting itself from an infected host.