{
	"id": "e7945aa2-e541-43a8-b79e-92337f313fc4",
	"created_at": "2026-04-06T00:21:24.306097Z",
	"updated_at": "2026-04-10T03:33:45.682002Z",
	"deleted_at": null,
	"sha1_hash": "4674e50e02b1c463b0d71666a153decb755eb15e",
	"title": "LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards US | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 397935,
	"plain_text": "LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards US | Proofpoint US\r\nBy Michael Raggi and Dennis Schwarz with the Proofpoint Threat Insight Team\r\nPublished: 2019-08-01 · Archived: 2026-04-02 11:56:18 UTC\r\nOverview\r\nBetween July 19 and July 25, 2019, several spear phishing emails were identified targeting three US companies in the utilities sector. The phishing emails appeared to impersonate a US-based engineering licensing board, with emails originating from what appears to be an actor-controlled domain, nceess[.]com. Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed “LookBack.” This malware consists of a remote access Trojan (RAT) module and a proxy mechanism used for command and control (C\u0026C) communication. We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and the macros utilized. The utilization of this distinct delivery methodology coupled with the unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers.\r\nDelivery\r\nEmails delivered on July 19 and July 25 purported to be a failed examination result from the NCEES (National Council of Examiners for Engineering and Surveying) and fraudulently utilized the NCEES logo. The email sender address and reply-to fields contained the impersonation domain nceess[.]com. Like the phishing domain, the email bodies impersonated member ID numbers and the signature block of a fictitious employee at NCEES. The Microsoft Word document attachment included in the email also invoked the failed examination pretense with the file name “Result Notice.doc.”\r\nhttps://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks\r\nPage 1 of 7\r\nFigure 1: NCEES-themed phishing email\r\nAll emails originated from the IP address 79.141.168[.]137, which appears to be an actor-controlled IP utilized to host the phishing domain nceess[.]com. An examination of passive DNS and domain registration history for this domain identified additional domains that appeared to be actor-registered, which also impersonated engineering and electric licensing bodies in the US. Among these domains, only nceess[.]com was observed in active phishing campaigns targeting utility companies.\r\nExploitation\r\nThe phishing messages were found to contain a Microsoft Word document attachment that uses VBA macros to install LookBack malware. When the attachment is executed, the malicious VBA macro within the Microsoft Word attachment drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt, and tempsodom.txt. Additionally, the file Temptcm.tmp, which is a version of certutil.exe, is dropped and used to decode the PEM files. The macro next creates a copy of the decoded PEM files, restoring their proper file extensions, with the Windows esentutl.exe: tempgup.txt becomes GUP.exe, which impersonates the name of an open-source binary used by Notepad++; tempgup2.txt becomes libcurl.dll, a malicious loader DLL file; and tempsodom.txt becomes sodom.txt, which contains command and control configuration data utilized by the malware. Finally, the macro launches GUP.exe and the libcurl.dll loader separately, resulting in the execution of LookBack malware.\r\nLookBack Malware\r\nLookBack malware is a remote access Trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to a command and control IP. Its capabilities include enumeration of services; viewing of process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine; and deleting itself from an infected host. The malware consists of the following components:\r\nA command and control proxy tool (referred to as GUP)\r\nA malware loader consisting of a legitimate libcurl.dll file with one export function modified to execute shellcode.\r\nA communications module (referred to as SodomNormal) which creates a C\u0026C channel with the GUP proxy tool.\r\nA remote access Trojan component (referred to as SodomMain), which is delivered once the initial beacon response, received via the GUP proxy tool and the SodomNormal local host proxy module, has been decoded.\r\nGUP Proxy Tool\r\nThe GUP command and control proxy tool may impersonate the name of a piece of legitimate open-source software available at wingup[.]org, which is used by Notepad++. In historic campaigns by APT adversaries, legitimate GUP.exe versions were utilized that were digitally signed by Notepad++. In this campaign, files appeared to impersonate the GUP.exe file name rather than being a legitimate signed binary. The function of this tool is to set up a TCP listener on localhost, receive encoded data via requests from the SodomNormal localhost module, and forward this data to the command and control IP via HTTP. The GUP Proxy Tool has a hardcoded configuration which is included as both strings and integers. The following configuration data was identified from the analyzed sample.\r\nGUP.exe|368ae77c829c29db2c3e719ce423104db86165422391403ad0483944aa287c20\r\nListener address: 127.0.0.1\r\nListener port: 9090\r\nC\u0026C host: 103.253.41[.]45\r\nC\u0026C URL format: http://%s/status[.]gif?r=%d\r\nObserved URL: http://103.253.41[.]45/status.gif?r=1564065990\r\nLibcurl.dll Malware Loader\r\nThis dynamic link library appears to be a legitimate version of libcurl.dll except for a single exported function, referred to as ordinal #52 and curl_share_init in the analyzed sample. This function has been modified by threat actors to extract a resource contained within libcurl.dll, decrypt malicious data included in that resource, and load the resulting DLL to execute a malicious function. When this function is executed, the SodomNormal communications module begins running within Libcurl.dll. In addition to loading the communications module, the initial macro described above configures a persistence mechanism for this malware loader by setting up a Registry Run key. The non-concatenated command included in the macro that establishes persistence for Libcurl.dll and the hash for this sample are included below.\r\ncmd /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v CurlUpdate /f /d rundll32.exe C:\\Users\\Public\\libcurl.dll,#52\r\nLibcurl.dll|cf57eb331b09cb2bc8992ea253d301161f1fa38583cba0733ea6dc2da2bdf740\r\nSodomNormal Communications Module\r\nThe SodomNormal Communications module runs within the libcurl.dll loader as a loaded DLL. Its primary function is to relay data gathered by the SodomMain remote access Trojan module to the GUP Proxy Tool. It attempts to acquire an existing configuration from the file sodom.ini. However, it appears the configuration is dropped in the file sodom.txt instead. If that configuration is not available, it utilizes a hardcoded configuration in the binary. An example of this hardcoded configuration has been included below. The tool uses a custom binary protocol over sockets for its command and control communication with the GUP Proxy Tool, and all transferred data is encrypted using a modified version of RC4 encryption. Its functionality is limited to an initial beacon, an initial beacon response that includes encoded data containing the SodomMain RAT, and a command poll which passes header and decrypted data to an exported function, enabling the SodomMain RAT to run. The hash for this sample is included below.\r\nSodomNormal.bin|360057ef2c4c14e263bbe2fc2df9ed4790bd8ed66256c827f1af349da31d47be\r\nFigure 2: SodomNormal Communications Module hardcoded local host configuration.\r\nSodomMain Remote Access Trojan Module\r\nThe SodomMain module is LookBack malware’s remote access Trojan module that can send and receive numerous commands indicative of its function as a RAT. The malware is delivered within the encoded data that is received by the SodomNormal module as part of its initial beacon response. It then runs within the SodomNormal module and uses its “send_data” function for C\u0026C communications. The data is ultimately relayed to the GUP Proxy Tool and the C\u0026C IP.\r\nNoteworthy malware commands include:\r\nGet process listing\r\nKill process\r\nExecute cmd.exe command\r\nGet drive type\r\nFind files\r\nRead files\r\nDelete files\r\nWrite to files\r\nExecute files\r\nEnumerate services\r\nStart services\r\nDelete services\r\nTake a screenshot of desktop\r\nMove/click mouse and take a screenshot\r\nExit\r\nRemove self (libcurl.dll)\r\nShutdown\r\nReboot\r\nThe hash for this sample is included below.\r\nSodomMain.dll|f8fae5b912ca61068a2be64e51273e90a10ebf7ffbd7feaf9a29475387f99a6d\r\nNotes on Attribution\r\nAnalysts identified similarities between the macros utilized in this campaign and historic APT campaigns targeting Japanese corporations in 2018 [1]. Moreover, LookBack utilizes an encoded proxy mechanism for C\u0026C communication that resembles a historic TTP utilized in those campaigns. However, analysts note that the LookBack malware has not previously been associated with a known APT actor and that no additional infrastructure or code overlaps were identified to suggest an attribution to a specific adversary.\r\nIn the attachments identified as part of the July 2019 campaigns, threat actors appeared to utilize many concatenation commands within the macro to obfuscate the VBA function. It is possible these concatenations were an attempt to evade static signature detection for the macro strings while maintaining the integrity of the installation mechanism, which had historically been used to target different sectors and geographies. The below comparison indicates the shared macro content, which appears to have been rewritten.\r\nFigure 3: Macro utilized in July 2018 campaigns targeting Japanese corporations\r\nFigure 4: Macro utilized in July 2019 campaigns targeting US utilities sector\r\nConclusion\r\nThe detection of a new malware family delivered using phishing tactics once used by known APT adversaries highlights a continuing global risk from nation-state actors. While definitive attribution in this instance requires further study of infrastructure, toolsets, and methodologies, the risk that these campaigns pose to utilities providers is clear. The profile of this campaign is indicative of specific risk to US-based entities in the utilities sector. Phishing emails leveraged knowledge of the licensing bodies utilized within the utilities sector for social engineering purposes, communicating urgency and relevance to their targets. Persistent targeting of any entity that provides critical infrastructure should be considered an acute risk with a potential impact beyond the immediate targets. Since so many other individuals and sectors rely on these services to remain operational, safeguarding them is paramount. Analysts continue to monitor key entities in the utilities sector to identify and prevent these and similar attacks in the hopes of preventing any intended impact to critical infrastructure.\r\nReferences\r\n[1] https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\na2d41af0b4f8f0fd950fd4ac164cb2c836fd3c679688b4db75e85ffabfc20d94 | SHA256 | Microsoft Word Attachment - result notice.doc\r\n3a03509d1036f4ccf4bd4cb28717287791bf5e90f94b6edd4bffe40a66a4b237 | SHA256 | Microsoft Word Attachment - result notice.doc\r\nf8fae5b912ca61068a2be64e51273e90a10ebf7ffbd7feaf9a29475387f99a6d | SHA256 | LookBack RAT Module - SodomMain.dll\r\n360057ef2c4c14e263bbe2fc2df9ed4790bd8ed66256c827f1af349da31d47be | SHA256 | LookBack Communications Module - SodomNormal.bin\r\ncf57eb331b09cb2bc8992ea253d301161f1fa38583cba0733ea6dc2da2bdf740 | SHA256 | LookBack Malware Loader - Libcurl.dll\r\n368ae77c829c29db2c3e719ce423104db86165422391403ad0483944aa287c20 | SHA256 | LookBack Malware GUP Proxy Tool - GUP.exe\r\n103.253.41[.]45 | IP | Command and Control IP\r\n79.141.168[.]137 | IP | Originating IP\r\nnceess[.]com | Domain | Phishing Domain\r\nET and ETPRO Suricata/SNORT Signatures\r\n2837783 ETPRO TROJAN Win32/LookBack CnC Activity\r\nSource: https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks"
	],
	"report_names": [
		"lookback-malware-targets-united-states-utilities-sector-phishing-attacks"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4674e50e02b1c463b0d71666a153decb755eb15e.pdf",
		"text": "https://archive.orkl.eu/4674e50e02b1c463b0d71666a153decb755eb15e.txt",
		"img": "https://archive.orkl.eu/4674e50e02b1c463b0d71666a153decb755eb15e.jpg"
	}
}