SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lookback (Back to overview)

Lookback

Actor(s): TA410


There is no description at this point.

References
2020-06-08ProofpointMichael Raggi, Dennis Schwarz, Georgi Mladenov, Proofpoint Threat Research Team
@online{raggi:20200608:ta410:f838522, author = {Michael Raggi and Dennis Schwarz and Georgi Mladenov and Proofpoint Threat Research Team}, title = {{TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware}}, date = {2020-06-08}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new}, language = {English}, urldate = {2020-06-09} } TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
FlowCloud Lookback TA410
2020-01DragosJoe Slowik
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2019-09-22ProofpointMichael Raggi, Proofpoint Threat Insight Team
@online{raggi:20190922:lookback:51454f7, author = {Michael Raggi and Proofpoint Threat Insight Team}, title = {{LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs}}, date = {2019-09-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals}, language = {English}, urldate = {2019-12-20} } LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs
Lookback TA410
2019-08-21ThreatgenPascal Ackerman
@online{ackerman:20190821:taking:3b8daac, author = {Pascal Ackerman}, title = {{Taking a Closer Look at the LookBack Malware Campaign – Part 1}}, date = {2019-08-21}, organization = {Threatgen}, url = {https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/}, language = {English}, urldate = {2020-01-13} } Taking a Closer Look at the LookBack Malware Campaign – Part 1
Lookback
2019-08-01ProofpointMichael Raggi, Dennis Schwarz, Proofpoint Threat Insight Team
@online{raggi:20190801:lookback:f258db4, author = {Michael Raggi and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards}}, date = {2019-08-01}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks}, language = {English}, urldate = {2019-12-20} } LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards
GUP Proxy Tool Lookback TA410
Yara Rules
[TLP:WHITE] win_lookback_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_lookback_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 72f1 33c9 8bc1 99 83e203 03c2 }
            // n = 6, score = 200
            //   72f1                 | jb                  0xfffffff3
            //   33c9                 | xor                 ecx, ecx
            //   8bc1                 | mov                 eax, ecx
            //   99                   | cdq                 
            //   83e203               | and                 edx, 3
            //   03c2                 | add                 eax, edx

        $sequence_1 = { 8b542424 33c9 894c2402 33c0 894c2406 89442412 894c240a }
            // n = 7, score = 200
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]
            //   33c9                 | xor                 ecx, ecx
            //   894c2402             | mov                 dword ptr [esp + 2], ecx
            //   33c0                 | xor                 eax, eax
            //   894c2406             | mov                 dword ptr [esp + 6], ecx
            //   89442412             | mov                 dword ptr [esp + 0x12], eax
            //   894c240a             | mov                 dword ptr [esp + 0xa], ecx

        $sequence_2 = { eb09 8b16 8bc7 03c2 83c002 }
            // n = 5, score = 200
            //   eb09                 | jmp                 0xb
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8bc7                 | mov                 eax, edi
            //   03c2                 | add                 eax, edx
            //   83c002               | add                 eax, 2

        $sequence_3 = { 83c408 8b4a04 8d7a18 8bd1 c1e902 }
            // n = 5, score = 200
            //   83c408               | add                 esp, 8
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   8d7a18               | lea                 edi, [edx + 0x18]
            //   8bd1                 | mov                 edx, ecx
            //   c1e902               | shr                 ecx, 2

        $sequence_4 = { 57 6880020000 8901 c744241480020000 66894104 e8???????? }
            // n = 6, score = 200
            //   57                   | push                edi
            //   6880020000           | push                0x280
            //   8901                 | mov                 dword ptr [ecx], eax
            //   c744241480020000     | mov                 dword ptr [esp + 0x14], 0x280
            //   66894104             | mov                 word ptr [ecx + 4], ax
            //   e8????????           |                     

        $sequence_5 = { 0f8498010000 8b15???????? 8b35???????? 6aff 52 ffd6 }
            // n = 6, score = 200
            //   0f8498010000         | je                  0x19e
            //   8b15????????         |                     
            //   8b35????????         |                     
            //   6aff                 | push                -1
            //   52                   | push                edx
            //   ffd6                 | call                esi

        $sequence_6 = { 8b4c242c 8b542430 894308 8b442428 }
            // n = 4, score = 200
            //   8b4c242c             | mov                 ecx, dword ptr [esp + 0x2c]
            //   8b542430             | mov                 edx, dword ptr [esp + 0x30]
            //   894308               | mov                 dword ptr [ebx + 8], eax
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]

        $sequence_7 = { 89442410 7e73 8bd1 8b02 8b742420 03c7 }
            // n = 6, score = 200
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   7e73                 | jle                 0x75
            //   8bd1                 | mov                 edx, ecx
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   03c7                 | add                 eax, edi

        $sequence_8 = { 68???????? f3ab 8b84246c030000 895c2420 }
            // n = 4, score = 200
            //   68????????           |                     
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b84246c030000       | mov                 eax, dword ptr [esp + 0x36c]
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx

        $sequence_9 = { 83c408 8d0480 8d0480 8d0c80 c1e103 51 }
            // n = 6, score = 200
            //   83c408               | add                 esp, 8
            //   8d0480               | lea                 eax, [eax + eax*4]
            //   8d0480               | lea                 eax, [eax + eax*4]
            //   8d0c80               | lea                 ecx, [eax + eax*4]
            //   c1e103               | shl                 ecx, 3
            //   51                   | push                ecx

    condition:
        7 of them and filesize < 131072
}
Download all Yara Rules