{
	"id": "e16d69bc-70ca-4929-b6b4-1c55f4f64082",
	"created_at": "2026-04-06T00:13:00.120392Z",
	"updated_at": "2026-04-10T03:24:44.517093Z",
	"deleted_at": null,
	"sha1_hash": "650651b5709506938f58d9f016c40bf71e37acc6",
	"title": "LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 527569,
	"plain_text": "LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs | Proofpoint US\r\nBy Michael Raggi and the Proofpoint Threat Insight Team, September 23, 2019\r\nPublished: 2019-09-22 · Archived: 2026-04-02 10:56:27 UTC\r\nOverview\r\nEarly in August, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “LookBack” [1]. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack.\r\nPhishing tactics, techniques, and procedures (TTPs) observed in these campaigns are consistent with previously reported activity. Persistent targeting of entities in the utilities sector demonstrates the continuing risk to US organizations from the actors responsible for LookBack. Proofpoint has identified at least 17 entities in the US utilities sector targeted by these actors from April 5 through August 29, 2019.\r\nReconnaissance\r\nProofpoint analysts have determined that, prior to the initiation of the phishing campaigns described here, threat actors conducted reconnaissance scanning against future targets utilizing a staging IP. This is a newly identified TTP not disclosed in our initial publication regarding LookBack. Scanning activity targeted SMB (TCP port 445) up to two weeks prior to the arrival of phishing emails. 
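The two-week gap between the SMB scan and the phishing email is a correlation a defender can automate. The following is an added example (not Proofpoint code and not part of the original post) that joins constructed inbound firewall denies, mail-gateway events and passive-DNS history: for each inbound phish it looks back 14 days for port 445 scans from the sender IP or from any IP that passive DNS ties to the sender domain, and it also lists IPs that hosted more than one of the observed domains, which is the pivot that ties the GEC lookalike to the older nceess[.]com infrastructure. The IPs and domains mirror the report's indicators; the scan timestamps, the 198.51.100.0/24 target range and the log formats are invented for the example.

```python
from datetime import datetime

# Constructed sample inputs (not taken from the report): inbound firewall denies,
# mail-gateway events and passive-DNS history. IPs and domains mirror the report's
# IOCs; the scan times, target range and record layouts are invented.
FIREWALL_LOG = '''2019-07-01T09:00:00Z DENY src=103.253.41.75 dst=198.51.100.22 dport=445 proto=tcp
2019-08-10T02:14:09Z DENY src=103.253.41.75 dst=198.51.100.20 dport=445 proto=tcp
2019-08-10T02:14:11Z DENY src=103.253.41.75 dst=198.51.100.21 dport=445 proto=tcp
2019-08-12T17:40:00Z DENY src=203.0.113.9 dst=198.51.100.20 dport=80 proto=tcp'''

MAIL_EVENTS = [
    {'ts': '2019-08-21T13:02:00Z', 'sender_ip': '79.141.169.3',
     'sender_domain': 'globalenergycertification.net', 'subject': 'Take the exam now'},
    {'ts': '2019-08-22T08:15:00Z', 'sender_ip': '192.0.2.50',
     'sender_domain': 'example-vendor.com', 'subject': 'Invoice 4471'},
]

PASSIVE_DNS = [
    {'domain': 'globalenergycertification.net', 'ip': '103.253.41.75',
     'first_seen': '2019-06-12', 'last_seen': '2019-07-30'},
    {'domain': 'globalenergycertification.net', 'ip': '79.141.169.3',
     'first_seen': '2019-08-01', 'last_seen': '2019-09-19'},
    {'domain': 'nceess.com', 'ip': '103.253.41.75',
     'first_seen': '2019-05-29', 'last_seen': '2019-06-19'},
    {'domain': 'nceess.com', 'ip': '79.141.168.137',
     'first_seen': '2019-06-24', 'last_seen': '2019-09-19'},
]

TS_FMT = '%Y-%m-%dT%H:%M:%SZ'


def parse_firewall(log):
    # Yield (timestamp, source IP, destination port) for each deny line.
    for line in log.splitlines():
        fields = dict(f.split('=', 1) for f in line.split()[2:])
        yield datetime.strptime(line.split()[0], TS_FMT), fields['src'], int(fields['dport'])


def shared_infrastructure(pdns):
    # IPs that hosted more than one observed domain: the pivot that tied the GEC
    # lookalike to the earlier nceess[.]com campaign.
    by_ip = {}
    for rec in pdns:
        by_ip.setdefault(rec['ip'], set()).add(rec['domain'])
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}


def hosting_ips(domain, pdns):
    return {rec['ip'] for rec in pdns if rec['domain'] == domain}


def find_scan_precursors(fw_log, mail_events, pdns, window_days=14):
    # For each inbound email, look back window_days for SMB (445) scans from the
    # sender IP or from any IP that passive DNS ties to the sender domain.
    scans = [s for s in parse_firewall(fw_log) if s[2] == 445]
    findings = []
    for mail in mail_events:
        mail_ts = datetime.strptime(mail['ts'], TS_FMT)
        suspects = {mail['sender_ip']} | hosting_ips(mail['sender_domain'], pdns)
        earliest = {}
        for scan_ts, src, _ in scans:
            age = mail_ts - scan_ts
            if src in suspects and 0 <= age.days <= window_days:
                if src not in earliest or scan_ts < earliest[src]:
                    earliest[src] = scan_ts
        for src, scan_ts in sorted(earliest.items()):
            findings.append({'sender_domain': mail['sender_domain'], 'scanner_ip': src,
                             'first_scan': scan_ts.strftime(TS_FMT),
                             'days_before': (mail_ts - scan_ts).days})
    return findings


if __name__ == '__main__':
    print(shared_infrastructure(PASSIVE_DNS))
    for hit in find_scan_precursors(FIREWALL_LOG, MAIL_EVENTS, PASSIVE_DNS):
        print(hit)
```

On the sample data the GEC email is flagged because 103.253.41.75, which passive DNS shows hosted the sender domain in June and July, scanned port 445 eleven days before the email arrived; the July 1 scan from the same IP falls outside the window and the port 80 probe from an unrelated IP is ignored. The sender IP itself never appears in the firewall log, which is why the passive-DNS join matters.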
Observed scanning IPs in some instances have also hosted phishing domains prior to their use in phishing campaigns.\r\nDelivery\r\nEmails delivered between August 21 and August 29, 2019, purported to be an invitation to take the Global Energy Certification (“GEC”) exam administered by the Energy Research and Intelligence Institution. The email utilized the GEC logo and originated from an email address at the domain globalenergycertification[.]net, a lookalike of the legitimate domain globalenergycertification[.]org. The emails included the subject line “Take the exam now” and a malicious Microsoft Word document attachment named “take the exam now.doc”. This file, like that used in the initial LookBack campaigns, contained VBA macros which led to the installation of LookBack. Unlike earlier campaigns, actors attached a legitimate and benign PDF file for exam preparation which was also hosted on the legitimate GEC site. It is likely that this represents social engineering efforts by the actors to legitimize the email to recipients.\r\nFigure 1: GEC-themed phishing email\r\nThe emails originated from the IP address 79.141.169[.]3, which appears to be actor-controlled. An examination of passive DNS and domain registration history for globalenergycertification[.]net indicated that it was previously hosted by the IP 103.253.41[.]75. 
This staging IP previously hosted the domain nceess[.]com observed in historic LookBack phishing campaigns.\r\nIP | Domain | Dates Registered | Impersonated Entity\r\n79.141.169[.]3 | globalenergycertification[.]net | August 1 – September 19, 2019 | Global Energy Certification (“GEC”)\r\n103.253.41[.]75 | globalenergycertification[.]net | June 12 – July 30, 2019 | Global Energy Certification (“GEC”)\r\n79.141.168[.]137 | nceess[.]com | June 24 – September 19, 2019 | National Council of Examiners for Engineering and Surveying\r\n103.253.41[.]75 | nceess[.]com | May 29 – June 19, 2019 | National Council of Examiners for Engineering and Surveying\r\nExploitation\r\nThe attachments titled “take the exam now.doc” contained VBA macros to install LookBack. The macros were mostly the same as those first observed in July and were similarly obfuscated with string concatenation that made the macros difficult to detect with static signatures. When a user opens the malicious attachment and enables macros, the VBA macro within the Microsoft Word attachment writes several privacy-enhanced mail (PEM) files (base64 text wrapped in certificate headers) to the host. When decoded, we found these to be both malware modules and macro variables. Tempgup.txt, tempgup2.txt, and tempsodom.txt are LookBack modules. Additionally, the file Temptcm.tmp, which is a renamed copy of the Windows certutil.exe, is dropped concurrently and is used to decode the initial files. The macro then decodes the PEM files using Temptcm.tmp. 
The macro next creates a copy of the decoded files, restoring their proper file extensions, using the Windows esentutl.exe utility:\r\nTempgup.txt becomes GUP.exe, the GUP Proxy tool.\r\nTempgup2.txt becomes libcurl.dll, a malicious loader.\r\nTempsodom.txt becomes sodom.txt, which contains command and control configuration data utilized by the SodomNormal module.\r\nThese TTPs are consistent with the initial LookBack phishing campaigns observed in July.\r\nWe observed an update in the macros used in the August campaigns which differed from earlier versions. The July version of the macro creates macro variables by saving PEM .txt files to the host after they are compiled from text blobs contained within the Microsoft Word attachment macro. These files (pense1.txt, pense2.txt, and pense3.txt) contain macro variables that are referred to when the Word document is opened and macros are enabled:\r\nPense1.txt contains variables specific to the creation of the GUP proxy tool.\r\nPense2.txt pertains to the libcurl.dll downloader.\r\nPense3.txt appears to be run alongside pense2.txt.\r\nIn the newly observed macros identified in August 2019 campaigns, the three pense[*].txt macro variable files are replaced with nine variable files in total. Pense1.txt and pense2.txt appear to remain constant. However, pense3.txt is replaced with seven additional PEM files (pense31.txt through pense37.txt in the IOC list below) that are each run alongside pense2.txt individually. The ultimate result of this macro execution appears to be the installation of the LookBack malware modules described above and first observed in July campaigns. However, the method by which this is achieved has been altered in more recent macros. 
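The drop-decode-copy chain above leaves two artefacts a defender can key on: .txt files that are really certutil-style base64 wrappers around executables, and a process tree in which an Office application launches a renamed certutil with -decode and then esentutl to copy the result. The following is an added example, not Proofpoint's code and not the macro itself: it reproduces the certutil -encode layout (certificate header, base64 in 64-character lines, footer), decodes it the way certutil -decode would and classifies the payload, then runs simple rules over constructed Sysmon-style process-creation events. The event records, the intermediate file name Tempgup.dat and the esentutl command line (the /y source /d destination /o copy form) are assumptions made for the example; the report does not quote the exact commands. Paths are written with forward slashes so the sample stays readable; the checks normalise both slash styles.

```python
import base64

# Added example, not Proofpoint code. Mimics the certutil -encode layout, decodes it,
# and hunts constructed process-creation events for the LookBack install chain.
PEM_BEGIN = '-----BEGIN CERTIFICATE-----'
PEM_END = '-----END CERTIFICATE-----'
NL = chr(10)
OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}


def certutil_encode(data):
    # certutil -encode writes the header, base64 in 64-character lines, then the footer.
    b64 = base64.b64encode(data).decode('ascii')
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return NL.join([PEM_BEGIN] + body + [PEM_END]) + NL


def decode_certutil_pem(text):
    # Recover the payload: keep only the base64 lines between the markers.
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            inside = True
        elif line == PEM_END:
            break
        elif inside and line:
            body.append(line)
    if not inside:
        raise ValueError('no certificate-style PEM block found')
    return base64.b64decode(''.join(body), validate=True)


def classify_payload(data):
    # A dropped .txt that decodes to an MZ header is an executable hiding as text.
    if data[:2] == b'MZ':
        return 'pe'
    try:
        data.decode('ascii')
        return 'text'
    except UnicodeDecodeError:
        return 'binary'


def basename(path):
    # Lower-cased file name; accepts Windows or POSIX separators.
    return path.replace(chr(92), '/').rsplit('/', 1)[-1].lower()


# Constructed Sysmon-style process events (EventID 1 fields), not real telemetry.
# Tempgup.dat and the esentutl arguments are assumed for the example.
SAMPLE_EVENTS = [
    {'Image': 'C:/Users/u/AppData/Local/Temp/Temptcm.tmp', 'OriginalFileName': 'CertUtil.exe',
     'CommandLine': 'Temptcm.tmp -decode Tempgup.txt Tempgup.dat',
     'ParentImage': 'C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE'},
    {'Image': 'C:/Windows/System32/esentutl.exe', 'OriginalFileName': 'esentutl.exe',
     'CommandLine': 'esentutl.exe /y C:/Users/u/AppData/Local/Temp/Tempgup.dat /d C:/Users/u/AppData/Local/Temp/GUP.exe /o',
     'ParentImage': 'C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE'},
    {'Image': 'C:/Windows/System32/certutil.exe', 'OriginalFileName': 'CertUtil.exe',
     'CommandLine': 'certutil.exe -verify server.cer',
     'ParentImage': 'C:/Windows/explorer.exe'},
]


def hunt_process_events(events):
    # Returns (event index, rule name) pairs for the LookBack installation chain.
    hits = []
    for i, ev in enumerate(events):
        image, orig = basename(ev['Image']), ev['OriginalFileName'].lower()
        parent, cmd = basename(ev['ParentImage']), ev['CommandLine'].lower()
        if orig == 'certutil.exe' and image != 'certutil.exe':
            hits.append((i, 'renamed_certutil'))
        if orig == 'certutil.exe' and '-decode' in cmd and parent in OFFICE_APPS:
            hits.append((i, 'certutil_decode_from_office'))
        if image == 'esentutl.exe' and ' /d ' in cmd and parent in OFFICE_APPS:
            hits.append((i, 'esentutl_copy_from_office'))
    return hits


if __name__ == '__main__':
    blob = certutil_encode(b'MZ' + bytes(62))
    print(classify_payload(decode_certutil_pem(blob)))
    print(hunt_process_events(SAMPLE_EVENTS))
```

The renamed-certutil rule relies on the PE version resource (OriginalFileName) surviving the rename, which is why Temptcm.tmp still reports CertUtil.exe; the legitimate certutil -verify run from Explorer in the third event triggers nothing. For file-based hunting, decode any .txt or .tmp under a user's Temp directory that starts with the certificate header and treat an MZ result as a dropped module.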
Analysts have not determined the reason for altering this macro but speculate that by increasing the number of variable files and maintaining the core functionality of the macro, actors are attempting to further obfuscate this installation method to avoid detection.\r\nIt is notable that additional macro variables were utilized in the installation of the libcurl.dll loader while both the GUP proxy tool and sodom configuration file remained the same. The libcurl.dll module contains the subsequent LookBack modules SodomNormal and SodomMain, which are responsible for configuring the local host proxy and performing remote access Trojan functions. This update may represent an attempt by actors to obscure the installation of second stage payloads. A more thorough description of LookBack module functionality was included in the initial Proofpoint blog on the malware [1].\r\nThe images below offer a comparison of the different macro versions after the majority of concatenation characters have been removed for legibility.\r\nFigure 2: July 2019 LookBack Phishing Macro (without concatenation)\r\nFigure 3: August 2019 LookBack Phishing Macro (without concatenation)\r\nCommand and Control Server\r\nAnalysts have determined that the LookBack samples from recent campaigns utilize the same command and control (C\u0026C) server, 103.253.41[.]45, observed in July campaigns. 
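The beacon format reported for this C2 (an HTTP GET for /status.gif with a single numeric r parameter) is narrow enough to hunt for in proxy logs, and because the C2 IP has been stable across campaigns the two signals can be layered. The following is an added example, not Proofpoint code and not an ET signature: it matches the URL shape over a constructed proxy log, tags matches to the reported C2 IP, and then checks each client/host pair for the low-jitter request spacing that a fixed-interval beacon produces. The log format, the client addresses, the request timing and the second host 203.0.113.44 are invented for the example.

```python
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log (not real traffic): ts, client, method, URL, status. Four
# requests from 10.0.0.5 imitate the status.gif beacon to the reported C2 IP, one
# request to 203.0.113.44 matches the URL shape only, and two are benign look-alikes.
PROXY_LOG = '''2019-08-22T10:00:00Z 10.0.0.5 GET http://103.253.41.45/status.gif?r=1566468000 200
2019-08-22T10:01:02Z 10.0.0.5 GET http://103.253.41.45/status.gif?r=1566468062 200
2019-08-22T10:02:01Z 10.0.0.5 GET http://103.253.41.45/status.gif?r=1566468121 200
2019-08-22T10:03:00Z 10.0.0.5 GET http://103.253.41.45/status.gif?r=1566468180 200
2019-08-22T10:03:10Z 10.0.0.7 GET http://203.0.113.44/status.gif?r=17 200
2019-08-22T10:04:00Z 10.0.0.9 GET http://cdn.example.com/status.gif?v=3 200
2019-08-22T10:05:00Z 10.0.0.9 GET http://www.example.org/images/status.gif?r=abc 304'''

KNOWN_C2 = {'103.253.41.45'}
TS_FMT = '%Y-%m-%dT%H:%M:%SZ'


def is_lookback_beacon(url):
    # Reported format is http://%s/status.gif?r=%d: path exactly /status.gif and one
    # decimal r parameter. A numeric cache-buster on a real image can collide with
    # this, so a match is a lead to pivot on, not a verdict on its own.
    parts = urlsplit(url)
    if parts.scheme != 'http' or parts.path != '/status.gif':
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return list(query) == ['r'] and len(query['r']) == 1 and query['r'][0].isdigit()


def match_lookback_beacons(log):
    hits = []
    for line in log.splitlines():
        ts, client, _method, url, _status = line.split()
        if is_lookback_beacon(url):
            host = urlsplit(url).hostname
            hits.append({'ts': datetime.strptime(ts, TS_FMT), 'client': client,
                         'host': host, 'known_c2': host in KNOWN_C2})
    return hits


def periodic_sources(hits, min_count=3, max_cv=0.2):
    # Group matches per (client, host) and flag low-jitter spacing, which is what a
    # fixed-interval beacon looks like even before the destination is known bad.
    groups = {}
    for h in hits:
        groups.setdefault((h['client'], h['host']), []).append(h['ts'])
    beacons = []
    for (client, host), times in sorted(groups.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_count and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            beacons.append({'client': client, 'host': host, 'count': len(times),
                            'mean_interval_s': round(mean(gaps), 1)})
    return beacons


if __name__ == '__main__':
    matches = match_lookback_beacons(PROXY_LOG)
    for m in matches:
        print(m)
    print(periodic_sources(matches))
```

On the sample log the four requests to 103.253.41.45 match both the URL shape and the known C2, the request to 203.0.113.44 matches the shape only, and the two look-alikes (a v= parameter, a non-numeric r=, a different path) are dropped. Only 10.0.0.5 has enough matches at a near-constant interval to be reported as periodic; in a real deployment the first and second checks are worth alerting on separately, since the actors have changed infrastructure between campaigns but kept the URL format.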
The LookBack beacon is identifiable via the URL format below:\r\nC\u0026C host: 103.253.41[.]45\r\nC\u0026C URL format: http://%s/status[.]gif?r=%d\r\nConclusion\r\nNewly discovered LookBack campaigns observed within the US utilities sector provide insight into an ongoing APT campaign with custom malware and a very specific targeting profile. The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset. In addition to the technical commonalities observed, distinct commonalities among the organizations targeted have begun to emerge. The evolution of TTPs including updated macros demonstrates a further departure from tactics previously employed by known APT groups. However, at the current moment, the creators of LookBack malware are yet to depart from their persistent focus on critical infrastructure providers in the United States.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\nb5436fcb8243a14f683b5074084bb3d9ff56cad35d2db2fda53a57fa6c42a22b | SHA256 | Microsoft Word Attachment - take the exam now.doc\r\n0a79e053e1ca809aa4b0393a12ccd547462bd076dbfcd8f6228d08ce0f486afa | SHA256 | Benign PDF - GEC-Handbook-Study-Guide-web.pdf\r\n589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4 | SHA256 | Certutil Tool - Temptcm.tmp\r\n449e1ead309934ac2276a5256cd105dd71d5dd14e49c65bdafc203a0d0eac894 | SHA256 | Sodom Module Config - sodom.txt\r\n7e5d2994ac1668178db0ee995cf3b6e4b60d437a09fc10f7afe19b0231615ae2 | SHA256 | Sodom Modules C2 Config - tempsodom.txt\r\n0f951b7a68e9c0984a0bee3c44e2d64aeac6320bbc2ba2a0f1420893550cf441 | SHA256 | GUP Proxy - GUP.exe\r\nc87fa8aed595df1dea39a07abdd640842b1c24343841bd72e43668bcfba7eaf1 | SHA256 | Libcurl.dll loader - libcurl.dll\r\n248ff1a9fc2e2c465354f64172224a7c7c0c503cc03ce4524de1a2379692b017 | SHA256 | Macro Variable - pense1.txt\r\n68ce133d4b18ddbf04da3462891dc04e945e499e8720183448ddf87e408b98a3 | SHA256 | Macro Variable - pense2.txt\r\n4909d7092a45bc28fa54bb2ef82d426e30a6815fa33a7c00b38b4c3c42960d91 | SHA256 | Macro Variable - pense31.txt\r\n05f434598b47a63f9f75ae54118fdf5747c02086ff91c1fdc9ac176cd54f102f | SHA256 | Macro Variable - pense32.txt\r\na1bc6922c73726b0ff4e807ea8869ce0dae1b34bd32752f6708750c3f1fc7382 | SHA256 | Macro Variable - pense33.txt\r\n06c8eb45345684a8d3ce35be695074d371fa9f79e549e39881298f547c9ffd18 | SHA256 | Macro Variable - pense34.txt\r\n6e73fd19e883d295c602f1ea349e14a03f8ff47f3dd588683c1f996853a56d98 | SHA256 | Macro Variable - pense35.txt\r\nbcefb608cc66c93ea42bc5c50903432e6a37466229a534dfeefedfc7c07df1f9 | SHA256 | Macro Variable - pense36.txt\r\nff98aea1046dd9f8eda0aa1496660742a4295545d061f811ffa2b45c29fdf4c5 | SHA256 | Macro Variable - pense37.txt\r\n103.253.41[.]45 | IP | C\u0026C IP\r\n79.141.169[.]3 | IP | Sender IP\r\n103.253.41[.]75 | IP | Staging IP\r\nnceess[.]com | Domain | Phishing Domain\r\nglobalenergycertification[.]net | Domain | Phishing Domain\r\nET and ETPRO Suricata/Snort Signatures\r\n2837783 ETPRO TROJAN Win32/LookBack C\u0026C Activity\r\nSource: https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals"
	],
	"report_names": [
		"lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775791484,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/650651b5709506938f58d9f016c40bf71e37acc6.pdf",
		"text": "https://archive.orkl.eu/650651b5709506938f58d9f016c40bf71e37acc6.txt",
		"img": "https://archive.orkl.eu/650651b5709506938f58d9f016c40bf71e37acc6.jpg"
	}
}