LookBack malware is a remote access Trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to a command and control IP. When this function is executed, the Sodom Normal communications module begins running within Libcurl.dll. In addition to loading the communications module, the initial macro described above configures a persistence mechanism for this malware loader by setting up a Registry Run key.

The non-concatenated command included in the macro that establishes persistence for Libcurl.dll and the hash for this sample are included below.  cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Curl Update /f /d rundll32.exe C:\Users\Public\libcurl.dll, #52

How LookBack Works

LookBack malware is a remote access Trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to a command and control IP. When this function is executed, the Sodom Normal communications module begins running within Libcurl.dll. In addition to loading the communications module, the initial macro described above configures a persistence mechanism for this malware loader by setting up a Registry Run key.

The non-concatenated command included in the macro that establishes persistence for Libcurl.dll and the hash for this sample are included below.  cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Curl Update /f /d rundll32.exe C:\Users\Public\libcurl.dll, #52

How LookBack Works

According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.

The Microsoft Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. Certutil.exe is then dropped to decode PEM files, which are later restored to their true extensions using essentuti.exe. The files then impersonate the name of an open-source binary used by common tools like Notepad++, which contains the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once executed, LookBack can send and receive numerous commands, such as Find files, Read files, Delete files, Write to files, Start services, and more.

According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.

The Microsoft Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. Certutil.exe is then dropped to decode PEM files, which are later restored to their true extensions using essentuti.exe. The files then impersonate the name of an open-source binary used by common tools like Notepad++, which contains the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once executed, LookBack can send and receive numerous commands, such as Find files, Read files, Delete files, Write to files, Start services, and more.

For any Cyber Security information contact help@theweborion.com