
LookBack

Posted: August 2, 2019

LookBack is a RAT, or Remote Access Trojan, with a full set of features for handing control of the PC to a remote attacker. LookBack attacks target sensitively-placed employees, such as workers in the US energy sector, and may be benefiting from state-sponsored logistical support. Users should follow all recommended network security guidelines and let their anti-malware services delete LookBack once they identify it.

Failing Your E-mail Security Exam

Security solutions recently blocked a series of intrusion attempts built on the ubiquitous tactic of e-mail phishing. Incidents of that kind are far from fresh, but this particular series led to the discovery of a new 'brand' of backdoor Trojan and RAT: LookBack. Some elements of its delivery chain resemble the tooling of APT10 (also tracked as menuPass), the China-based group that also runs Trojans such as Anel, ChChes, Trochilus and the intimidatingly-named Reaver.

The delivery mechanism, a chain of concatenated macros inside booby-trapped Word documents, lures victims with the pretext that the document concerns a failed engineering licensing exam. In keeping with that theme, the e-mail messages carrying these Trojan droppers include details tailored to the targets, such as references to the NCEES engineering licensing non-profit.

Malware researchers note little in the installed LookBack that distinguishes it from other espionage-oriented backdoor Trojans, apart from the sheer breadth of its capabilities. LookBack can contact its C&C server through a proxy, perform file operations such as reading and downloading, control both services and running processes, issue shell commands to the system, and exfiltrate information via standard methods such as screen capture.

Looking Back Over a Well-Hidden Threat

Besides its host of features and possible ties to menuPass, LookBack includes self-obfuscating features that aren't standard even among state-sponsored Trojans with backdoor capabilities. Its proxy component mimics WinGup, an open-source update-management tool used by various programs, most visibly Notepad++. Another of its files poses as a mostly benign DLL, except for a single function that assists with the Trojan's system persistence and C&C communications.

There are simple means of protection available for any future victims of LookBack's campaigns, including:

  • Most builds of Word keep macros disabled until the user enables them deliberately. Keeping office productivity apps updated and refusing to enable macros that aren't known to be safe will protect workplaces from the majority of spear-phishing exploits; enforcing the macro setting centrally through Group Policy removes the single click that these lures depend on.
  • Workers should receive anti-phishing training and be equipped to spot the signs of these attacks, which will, often, include customized content that's specific to their industry or company. Attached documents or spreadsheets and shortened or spoofed links should be the subject of all due suspicion.
  • All logins should use robust passwords that can withstand brute-force attacks, and network admins should keep close track of installed software versions and of RDP usage.

The presence of a fake or unauthorized copy of WinGup can be an indicator of a LookBack infection. Manual identification is unlikely, however, and is no substitute for keeping anti-malware software available to remove LookBack proactively.
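The two controls above, the macro policy from the bullet list and the WinGup indicator, can both be audited from data that an endpoint inventory already exports. The script below is an added example, not code from the original page or from any tool it describes. It assumes the Word trust-center values live under HKCU\Software\Microsoft\Office\<version>\Word\Security (VBAWarnings and blockcontentexecutionfrominternet), that the legitimate updater sits in the Notepad++ installation's updater directory, and that the inventory reports an Authenticode signer string; the signer value "Notepad++" and the "spawned by an Office process" heuristic are stand-ins chosen for illustration. All registry values and process records are constructed inline.

```python
"""Host audit for two LookBack controls (added example, constructed inputs).

Check 1 - Office macro policy: values under
  HKCU\\Software\\Microsoft\\Office\\<version>\\Word\\Security
  that govern VBA execution (VBAWarnings, blockcontentexecutionfrominternet).
Check 2 - a WinGup (GUP.exe) instance running outside the Notepad++ updater
  directory, carrying an unexpected signer, or spawned by an Office application.
"""
from dataclasses import dataclass
from typing import Dict, List

# Meaning of VBAWarnings (Word trust-center "Macro Settings"):
#   1 = enable all macros            (weakest)
#   2 = disable with notification    (Office default; user can click Enable Content)
#   3 = disable except digitally signed
#   4 = disable all, no notification (strongest)
HARDENED_VBA = {3, 4}


def macro_policy_findings(security: Dict[str, int]) -> List[str]:
    """Return the weaknesses found in one Word\\Security value set."""
    findings = []
    vba = security.get("VBAWarnings", 2)  # absent value means the Office default (2)
    if vba not in HARDENED_VBA:
        findings.append(
            f"VBAWarnings={vba}: unsigned macros can run on user consent; set to 3 or 4")
    if security.get("blockcontentexecutionfrominternet", 0) != 1:
        findings.append(
            "blockcontentexecutionfrominternet!=1: macros in files carrying the "
            "Mark-of-the-Web (e-mail attachments, downloads) are not blocked; set to 1")
    return findings


@dataclass
class ProcessRecord:
    host: str
    image: str    # full path of the running image
    signer: str   # Authenticode signer subject, "" when unsigned
    parent: str   # parent process image name


# Assumptions: where the Notepad++ installer places its updater, and the
# signer string the inventory tool reports for it (stand-in value).
EXPECTED_GUP_DIRS = {
    r"c:\program files\notepad++\updater",
    r"c:\program files (x86)\notepad++\updater",
}
EXPECTED_GUP_SIGNER = "Notepad++"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def gup_findings(procs: List[ProcessRecord]) -> List[str]:
    """Flag GUP.exe instances that do not look like the Notepad++ updater."""
    findings = []
    for p in procs:
        image = p.image.lower()
        if not image.endswith("\\gup.exe"):
            continue
        directory, _ = image.rsplit("\\", 1)
        reasons = []
        if directory not in EXPECTED_GUP_DIRS:
            reasons.append(f"runs from {directory}")
        if p.signer != EXPECTED_GUP_SIGNER:
            reasons.append(f"signer {p.signer or '<unsigned>'!r}")
        if p.parent.lower() in OFFICE_PARENTS:
            reasons.append(f"spawned by {p.parent}")
        if reasons:
            findings.append(f"{p.host}: {p.image} ({'; '.join(reasons)})")
    return findings


# Constructed sample data: an Office-default host, a hardened host, and an
# inventory with one legitimate updater and one dropped, unsigned look-alike.
WEAK_SECURITY = {"VBAWarnings": 2}
HARDENED_SECURITY = {"VBAWarnings": 4, "blockcontentexecutionfrominternet": 1}

SAMPLE_PROCS = [
    ProcessRecord("ws01", r"C:\Program Files\Notepad++\updater\GUP.exe",
                  "Notepad++", "notepad++.exe"),          # legitimate updater
    ProcessRecord("ws02", r"C:\Users\alice\AppData\Local\Temp\GUP.exe",
                  "", "WINWORD.EXE"),                     # fake copy launched by a macro
    ProcessRecord("ws03", r"C:\Windows\System32\svchost.exe",
                  "Microsoft Windows", "services.exe"),   # unrelated, ignored
]

if __name__ == "__main__":
    for f in macro_policy_findings(WEAK_SECURITY) + gup_findings(SAMPLE_PROCS):
        print("FINDING:", f)
```

Note that the path check fires even when a genuine, correctly signed GUP.exe has been dropped into a user-writable directory, so it is worth keeping separate from the signer check rather than folding the two into one rule.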

Pairing invasive attack capabilities with chameleon-like persistence is a standing dilemma in the design of intelligence-gathering software. Ominously, LookBack shows one of the ways threat actors are meeting both requirements with ever-growing proficiency.
