LookBack is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using LookBack.[1][2][3]

ID: S0582
Platforms: Windows
Version: 1.0
Created: 01 March 2021
Last Modified: 26 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

LookBack’s C2 proxy tool sends data to a C2 server over HTTP.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LookBack sets up a Registry Run key to establish a persistence mechanism.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LookBack executes the cmd.exe command.[1]

.005 Command and Scripting Interpreter: Visual Basic

LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

LookBack has a function that decrypts malicious data.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

LookBack uses a modified version of RC4 for data transfer.[1]

Enterprise T1083 File and Directory Discovery

LookBack can retrieve file listings from the victim machine.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

LookBack side loads its communications module as a DLL into the libcurl.dll loader.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

LookBack removes itself after execution and can delete files on the system.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

LookBack has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++.[1]

Enterprise T1095 Non-Application Layer Protocol

LookBack uses a custom binary protocol over sockets for C2 communications.[1]

Enterprise T1057 Process Discovery

LookBack can list running processes.[1]

Enterprise T1113 Screen Capture

LookBack can take desktop screenshots.[1]

Enterprise T1489 Service Stop

LookBack can kill processes and delete services.[1]

Enterprise T1007 System Service Discovery

LookBack can enumerate services on the victim machine.[1]

Enterprise T1529 System Shutdown/Reboot

LookBack can shutdown and reboot the victim machine.[1]