Description of Campaign
This campaign targets United States-based companies in the utilities sector with spear phishing emails. The emails contain Word documents with malicious VBA macros which infect the host with the LookBack remote access trojan.
LookBack can:
- Enumerate services, processes, system, and file data.
- Reboot your host.
- Delete files and take screenshots.
- Control keyboard and mouse input, run shell commands, and remove itself from the host.
How to use this article:
- If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.
Campaign IOC:
| IOC Type |
IOC |
| MD5 |
807da72085bd1289d8431c94388a5c62 |
| MD5 |
a72bea9ea2125e2a60bce0fde07768f5 |
| MD5 |
c8571c43fe335af994028cb047514a95 |
| IP |
103.253.41.45 |
| IP |
79.141.168.137 |
| Domain |
nceess.com |
Minimum Content Versions:
| Content Type |
Version |
| V2 DAT (VirusScan Enterprise) |
9383 |
| V3 DAT (Endpoint Security) |
3834 |
Detection Summary:
| IOC |
Scanner |
Detection |
| 807da72085bd1289d8431c94388a5c62 |
AVEngine V2 |
BackDoor-LookBack |
| AVEngine V3 |
BackDoor-LookBack |
| JTI (ATP Rules) |
- |
| RP Static |
Real Protect-LS |
| RP Dynamic |
|
| IOC |
Scanner |
Detection |
| a72bea9ea2125e2a60bce0fde07768f5 |
AVEngine V2 |
BackDoor-LookBack!doc |
| AVEngine V3 |
BackDoor-LookBack!doc |
| JTI (ATP Rules) |
JTI/Suspect.196910 |
| RP Static |
- |
| RP Dynamic |
- |
| IOC |
Scanner |
Detection |
| c8571c43fe335af994028cb047514a95 |
AVEngine V2 |
BackDoor-LookBack |
| AVEngine V3 |
BackDoor-LookBack |
| JTI (ATP Rules) |
- |
| RP Static |
Real Protect-LS |
| RP Dynamic |
- |
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see:
KB87843 - Dynamic Application Containment rules and best practices.
Endpoint Security - Advanced Threat Protection:
Rule ID: 2 Use Enterprise file reputation to identify trusted or malicious files
Rule ID: 332 Prevent certutil.exe from downloaded files
Endpoint Security - Dynamic Application Containment:
Executing any child process
Writing to another process's memory
Closing another process
Suspending a process
Creating a thread in another process
Allocating memory in another process
Reading from another process's memory
Endpoint Security - Exploit Prevention:
Rule ID: 6107 MS Word trying to execute unwanted programs
Host Intrusion Prevention:
Rule ID: 6107 MS Word trying to execute unwanted programs
Aggressive set of Manual Rules to improve protection to block this campaign
IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.
Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see:
KB87843 - Dynamic Application Containment rules and best practices.
Endpoint Security - Access Protection Custom Rules:
Rule: 1
Executables (Include): winword.exe
Subrules:
Subrule Type: Files
Operations: Create
Targets (Include):
?:\users\*\appdata\local\temp\*.txt
Endpoint Security - Access Protection Rules:
Registering of programs to autorun
Endpoint Security - Dynamic Application Containment:
Modifying users' data folders
Virusscan Enterprise - Access Protection Rules:
Prevent programs registering to autorun
VirusScan Enterprise - Access Protection Custom Rules:
Rule: 1
Rule Type: File
Process to include: winword.exe
File or folder name to block: *\users\*\appdata\local\temp\*.txt
File actions to prevent: Create
Host Intrusion Prevention:
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1020 Windows Agent Shielding - File Access
Rule ID: 6010 Generic Application Hooking Protection
