
S0582 LookBack

LookBack is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using LookBack.[1][2][3]

| Item | Value |
|---|---|
| ID | S0582 |
| Associated Names | |
| Version | 1.0 |
| Created | 01 March 2021 |
| Last Modified | 26 April 2021 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LookBack’s C2 proxy tool sends data to a C2 server over HTTP.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | LookBack sets up a Registry Run key to establish a persistence mechanism.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | LookBack executes the cmd.exe command.[1] |
| enterprise | T1059.005 | Visual Basic | LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | LookBack has a function that decrypts malicious data.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | LookBack uses a modified version of RC4 for data transfer.[1] |
| enterprise | T1083 | File and Directory Discovery | LookBack can retrieve file listings from the victim machine.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | LookBack side-loads its communications module as a DLL into the libcurl.dll loader.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | LookBack removes itself after execution and can delete files on the system.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | LookBack has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | LookBack uses a custom binary protocol over sockets for C2 communications.[1] |
| enterprise | T1057 | Process Discovery | LookBack can list running processes.[1] |
| enterprise | T1113 | Screen Capture | LookBack can take desktop screenshots.[1] |
| enterprise | T1489 | Service Stop | LookBack can kill processes and delete services.[1] |
| enterprise | T1007 | System Service Discovery | LookBack can enumerate services on the victim machine.[1] |
| enterprise | T1529 | System Shutdown/Reboot | LookBack can shut down and reboot the victim machine.[1] |