S0582 LookBack
LookBack is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using LookBack.[1][2][3]
| Item | Value |
|---|---|
| ID | S0582 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 01 March 2021 |
| Last Modified | 26 April 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LookBack's C2 proxy tool sends data to a C2 server over HTTP.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | LookBack sets up a Registry Run key to establish a persistence mechanism.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | LookBack executes the cmd.exe command.[1] |
| enterprise | T1059.005 | Visual Basic | LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | LookBack has a function that decrypts malicious data.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | LookBack uses a modified version of RC4 for data transfer.[1] |
| enterprise | T1083 | File and Directory Discovery | LookBack can retrieve file listings from the victim machine.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | LookBack side-loads its communications module as a DLL into the libcurl.dll loader.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | LookBack removes itself after execution and can delete files on the system.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | LookBack has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | LookBack uses a custom binary protocol over sockets for C2 communications.[1] |
| enterprise | T1057 | Process Discovery | LookBack can list running processes.[1] |
| enterprise | T1113 | Screen Capture | LookBack can take desktop screenshots.[1] |
| enterprise | T1489 | Service Stop | LookBack can kill processes and delete services.[1] |
| enterprise | T1007 | System Service Discovery | LookBack can enumerate services on the victim machine.[1] |
| enterprise | T1529 | System Shutdown/Reboot | LookBack can shut down and reboot the victim machine.[1] |