Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 12:58:05 UTC
Home > List all groups > List all tools > List all groups using tool SodomNormal
 Tool: SodomNormal
Names SodomNormal
Category Malware
Type Exfiltration, Tunneling
Description
(Proofpoint) The SodomNormal Communications module runs within the libcurl.dll loader as
a loaded DLL. Its primary function is to communicate data gathered by the SodomMain remote
access Trojan module with the GUP Proxy Tool. It attempts to acquire an existing
configuration from the file sodom.ini. However, it appears the configuration is dropped in the
file sodom.txt instead. If that configuration is not available, it utilizes a hardcoded
configuration in the binary.
The tool uses a custom binary protocol over sockets for its command and control
communication with the GUP Proxy Tool and all transferred data is encrypted using a
modified version of RC4 encryption. It has limited functionality which includes an initial
beacon, an initial beacon response that includes encoded data containing the SodomMain RAT,
and a command poll which passes header and decrypted data in an exported function enabling
the SodomMain RAT to run.
Information
<https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks>
Last change to this tool card: 20 April 2020
Download this tool card in JSON format
All groups using tool SodomNormal
Changed Name Country Observed
APT groups
  LookBack, TA410 [Unknown] 2019-Feb 2022  
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3cba930-cea7-4a10-8a8d-d51044f34e47
Page 1 of 2

1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3cba930-cea7-4a10-8a8d-d51044f34e47
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=c3cba930-cea7-4a10-8a8d-d51044f34e47
Page 2 of 2