Wednesday, May 7, 2025
Chinese State-Sponsored APT 10 Hackers Launching Cyber Attack On U.S. Utilities

Researchers discovered a new malware dubbed “LookBack” that was distributed via a spear-phishing email campaign targeting entities in the United States.

Based on telemetry data, the attack is believed to have been initiated by a Chinese state-sponsored threat actor also known as APT 10, one of the most sophisticated hacking groups in the world. The group has a long history of targeting commercial sectors including aviation, satellite and maritime technology, industrial factory automation, finance, telecommunications and more.

The spear-phishing emails impersonated a US-based engineering licensing board and were sent from the threat-actor-controlled domain nceess[.]com, which is made to appear as if it were owned by the US National Council of Examiners for Engineering and Surveying (NCEES).

Further analysis revealed that the spear-phishing emails carried malicious Word documents containing a macro; once the victim is tricked into enabling it, the macro drops the malware dubbed “LookBack”.

Researchers from Proofpoint found that the remote access trojan uses a proxy mechanism to establish a connection with the command-and-control (C&C) server and receive further instructions.

The threat actors used this delivery mechanism to deploy the LookBack malware against utilities and critical infrastructure.

LookBack Malware Exploitation Process

Through the malicious document, the threat actors try to install LookBack by tricking the victim into enabling a VBA macro, which drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt and tempsodom.txt.

The macro then launches GUP.exe and the libcurl.dll loader separately.

LookBack is a remote access trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to the command-and-control server.

The RAT's functionality includes enumerating services; viewing process, system and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine; and deleting itself from the infected host, Proofpoint reported.

LookBack is made up of the following components:

A command-and-control proxy tool (referred to as GUP)

A malware loader comprised of a legitimate libcurl.dll file with one export function modified to execute shellcode

A communications module (referred to as SodomNormal) which creates a C&C channel with the GUP proxy tool

A remote access trojan component (referred to as SodomMain), which is delivered after decoding the initial beacon response received via the GUP proxy tool and the SodomNormal local-host proxy module

All of these components masquerade as legitimate open-source software, and the GUP.exe versions used were legitimate builds digitally signed by Notepad++.
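The chain above (an Office macro writing the three PEM files, then launching the Notepad++-signed GUP.exe, which loads a modified libcurl.dll) is what a defender would hunt for in endpoint telemetry. The following added example is not code from the article or from Proofpoint; it flags that chain in constructed Sysmon-style events, and the event schema (host/type/image/parent/target) and the assumption that the macro runs inside WINWORD.EXE or EXCEL.EXE are assumptions of the example.

```python
"""Added example (not from the article or Proofpoint): detect the LookBack
delivery chain in constructed Sysmon-style events. The event schema and the
assumed Office host processes (WINWORD.EXE / EXCEL.EXE) are this example's own."""
from collections import defaultdict

# Artifacts the article names: the three PEM droppers and the GUP proxy / libcurl loader.
DROPPED_PEM = {"tempgup.txt", "tempgup2.txt", "tempsodom.txt"}
OFFICE = {"winword.exe", "excel.exe"}  # assumed Office processes hosting the macro


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_lookback(events):
    """Return one alert string per event that matches a stage of the LookBack chain."""
    alerts = []
    pem_seen = defaultdict(set)  # host -> PEM dropper names written by an Office process
    for ev in events:
        host, image, target = ev["host"], basename(ev["image"]), ev.get("target", "")
        if ev["type"] == "file_create" and image in OFFICE:
            name = basename(target)
            if name in DROPPED_PEM:
                pem_seen[host].add(name)
                if pem_seen[host] == DROPPED_PEM:  # fire once all three files are present
                    alerts.append(f"{host}: {image} wrote all three LookBack PEM droppers")
        elif ev["type"] == "process_create":
            if image == "gup.exe" and basename(ev.get("parent", "")) in OFFICE:
                alerts.append(f"{host}: Office process spawned GUP.exe (Notepad++-signed updater used as C2 proxy)")
        elif ev["type"] == "image_load":
            # The real updater loads libcurl.dll from its own install directory (assumed path check).
            if image == "gup.exe" and basename(target) == "libcurl.dll" and "notepad++" not in target.lower():
                alerts.append(f"{host}: GUP.exe loaded libcurl.dll from outside a Notepad++ install: {target}")
    return alerts


# Constructed sample telemetry: Word drops the PEM files, then GUP.exe starts under Word
# and loads a libcurl.dll from the user's temp directory; ws02 shows the benign updater.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_create", "image": r"C:\Office\WINWORD.EXE", "target": TEMP + r"\tempgup.txt"},
    {"host": "ws01", "type": "file_create", "image": r"C:\Office\WINWORD.EXE", "target": TEMP + r"\tempgup2.txt"},
    {"host": "ws01", "type": "file_create", "image": r"C:\Office\WINWORD.EXE", "target": TEMP + r"\tempsodom.txt"},
    {"host": "ws01", "type": "process_create", "image": TEMP + r"\GUP.exe", "parent": r"C:\Office\WINWORD.EXE"},
    {"host": "ws01", "type": "image_load", "image": TEMP + r"\GUP.exe", "target": TEMP + r"\libcurl.dll"},
    {"host": "ws02", "type": "image_load", "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "target": r"C:\Program Files\Notepad++\updater\libcurl.dll"},
]

if __name__ == "__main__":
    for line in detect_lookback(SAMPLE_EVENTS):
        print(line)
```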

The SodomMain module is LookBack's remote access trojan module; it can send and receive numerous commands to and from the command-and-control server, including:

Get process listing
Kill process
Execute cmd[.]exe command
Get drive type
Find files
Read files
Delete files
Write to files
Execute files
Enumerate services
Start services
Delete services
Take a screenshot of the desktop
Move/click the mouse and take a screenshot
Exit
Remove self (libcurl[.]dll)
Shutdown
Reboot

“The profile of this campaign is indicative of specific risk to US-based entities in the utility sector. Phishing emails leveraged the knowledge of the licensing bodies utilized within the utility sector for social engineering purposes that communicated urgency and relevance to their targets,” Proofpoint said.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.