Transport, shipping and utilities targeted in two new malware campaigns

One campaign involves an alleged state-sponsored threat group that has compromised at least 17 US utilities in the past five months

Security researchers have uncovered two new malware campaigns separately targeting the shipping industry and utilities in particular target countries.

According to the researchers at Proofpoint, the first malware campaign, which involves a state-sponsored threat group, has targeted at least 17 utilities in the US over a five-month period between 5^th April and 29^th August.

The group behind the campaign was observed using phishing emails to target employees at US utility firms. A successful attack infected systems with a remote access Trojan, dubbed LookBack, equipped with a variety of features.

While researchers have not yet attributed these attacks to any threat group, they believe Chinese hacking group APT10 could be behind them.

LookBack malware is written in C++ and gets downloaded on a system after a victim allows the macro script embedded in the DOC file to run on the system. After LookBack is installed on the system, it can view process and file data, delete files, click the mouse, reboot the machine, and perform a variety of other functions.

The malware uses a proxy communication tool to transmit data from infected system to its command & control server.

So far, LookBack has been observed specifically targeting US utilities in the energy sector, such as operators of nuclear plants, power grid infrastructure, coal plants, wind farms, and others.

In the second malware campaign, members of a threat group given the name xHunt, were observed using previously unknown tools to target transportation and shipping firms based in Kuwait.

According to security researchers at Palo Alto Networks' Unit 42, this campaign has been ongoing since at least May this year.

The attackers target a system by first installing a backdoor named Hisoka version 0.8, which facilitates the downloading of other malware, such as Gon, on infected systems.

Gon enables attackers to search for open ports, take screenshots, upload/download other files, execute commands and create their own RDP function.

With these capabilities, attackers can easily monitor the infected systems and eventually steal confidential information from them.

In earlier attacks carried out last year, hackers used a tool called Sakabota that appears to be an earlier version of Hisoka.

"The number of functions and variable names are exactly the same in both Sakabota and Hisoka, which infers that the same developer created both and spent little effort trying to hide this lineage," the researchers said.

Some of the infrastructure used by Gon, Sakabota, and Hisoka exhibits an overlap with another hacking campaign, named OilRig, Helix Kitten or APT 35, which researchers have linked with Iran.

But shared infrastructure does not mean that there is a definite connection between OilRig and xHunt attacks, the researchers said.