US companies targeted by fake NCEES emails

Spear phishing emails impersonating members of the US-based engineering licensing board have been targeting companies in the American utility sector.

Software and email security company, Proofpoint, say that the emails contained fraudulent logos of the National Council of Examiners for Engineering and Surveying (NCEES) and have been sent to numerous targeted businesses.

They also retained information that replicated real employee’s member ID and signatures and suggested the recipients had failed their NCEES test.

Messages originated from the I.P address 79.141.168[.]137 and are thought to come from an actor-controlled source.

“For apparently legitimate emails that are seeking for something quickly, it may be a good idea to double-check the author’s identity, for example by giving a call to the organisation in question.” Suggested Ilia Kolochenko, Founder and CEO of web security company ImmuniWeb.

Why send the emails?

The reason for the emails, which were identified between 19th and 25th July this year, was that they contained vicious malware hidden in Microsoft Word attachments. Which, according to Proofpoint: “uses macros to install and run malware that Proofpoint researchers have dubbed “LookBack.” This malware consists of a remote access Trojan (RAT) module and a proxy mechanism used for command and control (C&C) communication.”

Through RAT, the malware is able to take screenshots, delete files, reboot machines and delete itself from infected networks.

The software company believes this controversially could be the work of a state-sponsored APT actor, based on overlaps with historical campaigns and macros utilized.

Triggering the malware

Once the attachment is activated, three Privately Enhanced Mail (PEM) files containing malware are then released to the host. These being, tempgup.txt, tempgup2.txt, and tempsodom.txt.

Proofpoint explains: “Additionally, the file Temptcm.tmp, which is a version of certutil.exe, is dropped to decode the PEM files using Temptcm.tmp. The macro next creates a copy of the decoded PEM files restoring their proper file extensions with the Windows essentuti.exe. tempgup.txt becomes GUP.exe, which impersonates the name of an open-source binary used by Notepad++; tempgup2.txt becomes libcurl.dll, a malicious loader DLL file; and tempsodom.txt becomes sodom.txt, which contains command and control configuration data utilized by the malware. Finally, the macro launches GUP.exe and the libcurl.dll loader separately, resulting in the execution of LookBack malware.”

Detecting spear phishing emails

Kolochenko further commented on the situation, arguing that, luckily, it is easy to detect when a company is being targeted by spear phishing. He says: “Most of the ongoing spear-phishing campaigns, even the most carefully prepared ones, are detectable and thus preventable by continuous monitoring of anomalies and regular investment into employees’ security awareness and training. Many cybersecurity vendors offer both services, however, their implementation and management on the client side are frequently far from being perfect.

He continued to say that in order for companies to protect themselves, they should monitor security both vertically and horizontally. Kolochenko also suggests that individuals should also be trained up to protect themselves and businesses against potential cyber crime.