
Cyber Espionage Targeting Oil and Gas Companies on the Rise

A global effort to steal information from energy companies is using sophisticated social engineering to deliver Agent Tesla and other RATs.

A sophisticated campaign targeting large international companies in the oil and gas sector has been underway for more than a year, researchers said, spreading common remote access trojans (RATs) for cyber-espionage purposes.

According to Intezer analysis, spear-phishing emails with malicious attachments are used to drop various RATs on infected machines, including Agent Tesla, AZORult, Formbook, Loki and Snake Keylogger, all bent on stealing sensitive data, banking information and browser information, and logging keyboard strokes.

While energy companies are the main targets, the campaign has also gone after a handful of organizations in the IT, manufacturing and media sectors, researchers said. Victims have been found around the world, including in Germany, the United Arab Emirates (UAE) and the United States, but the primary targets are South Korean companies.

“The attack also targets oil and gas suppliers, possibly indicating that this is only the first stage in a wider campaign,” researchers noted in a Wednesday posting. “In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear-phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.”

One of the targeted companies is “drastically” different from the others, researchers noted, which may offer a clue as to the nature of the cyberattackers.

“The company is FEBC, a religious Korean Christian radio broadcaster that reaches other countries outside of South Korea, many of these countries which downplay or ban religion,” according to Intezer. “One of FEBC’s goals is to subvert the religion ban in North Korea.”

The Spear-Phishing Attack Vector

To kick off the attack, the adversaries send emails tailored to employees at each company being targeted, researchers said. The recipient email addresses range from generic addresses (info@target_company[.]com, sales@target_company[.]com) to specific people within companies, suggesting varying levels of reconnaissance work on targets.

To lend a false sense of legitimacy, the email addresses used in the “From” field are typosquatted or spoofed, meant to look like emails from actual companies that would be familiar to the targets.

Typosquatting involves registering a domain name that mimics a legitimate domain, with a slight deviation such as including a hyphen or swapping out a letter. For instance, swapping a lowercase “L” with an uppercase “I” is a well-known tactic. Many of the email addresses in this particular campaign used the format of “sender@company-co.kr” instead of sender@company.co.kr, researchers said – a tell-tale difference that’s easy to miss if one is just skimming.
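The separator swap and letter substitutions described above are mechanical enough that a mail gateway can flag them before a human has to notice. The following is an added example (not code from Intezer or from the article) of a sender-domain check that folds confusable characters and separators into a comparison key and matches it against an allow-list of partner domains; the partner domains, the 0.85 similarity threshold and the sample senders are constructed for the illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of partner domains this organisation actually
# corresponds with (hypothetical names, not taken from the article).
KNOWN_PARTNER_DOMAINS = {"company.co.kr", "gustomsc.com"}

# Visually confusable sequences, folded so that "cornpany" and "company",
# or "I" / "l" / "1", collapse to the same skeleton.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison key: lower-case, Unicode-normalised,
    confusables folded, and all separators (dots, hyphens) removed, so that
    'company-co.kr' and 'company.co.kr' yield the same key."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return re.sub(r"[^a-z]", "", d)


def classify_sender(address: str, known=KNOWN_PARTNER_DOMAINS):
    """Return (verdict, matched_domain) for the domain of a From: address.

    known     - the sender domain is on the allow-list
    lookalike - differs from an allow-listed domain only by separators or
                confusable characters (the pattern the article describes)
    near-miss - string similarity above the assumed 0.85 threshold
    unknown   - no resemblance to any allow-listed partner
    """
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known:
        return ("known", domain)
    key = skeleton(domain)
    best_ratio, best_domain = 0.0, None
    for partner in known:
        if skeleton(partner) == key:
            return ("lookalike", partner)
        ratio = SequenceMatcher(None, domain, partner).ratio()
        if ratio > best_ratio:
            best_ratio, best_domain = ratio, partner
    if best_ratio >= 0.85:
        return ("near-miss", best_domain)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders modelled on the patterns in the article.
    for sender in ("sales@company.co.kr", "sender@company-co.kr",
                   "sender@cornpany.co.kr", "bjenje@gustomsc.co",
                   "info@example.net"):
        print(f"{sender:28} -> {classify_sender(sender)}")
```

A "lookalike" verdict is the strong signal: the sender domain is not a partner, yet it collapses to the same key as one, which is exactly what a hyphen-for-dot or rn-for-m substitution produces. "near-miss" is a softer signal worth a warning banner rather than a block.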

“The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity,” according to Intezer. “The emails are formatted to look like valid correspondence between two companies.”

Other efforts to seem legitimate include making references to executives and using the physical addresses, logos and emails of legitimate companies in the body of the emails. They also include requests for quotations (RFQ), contracts and referrals/tenders to real projects related to the business of the targeted company, according to the posting.

Malware Disguised in Bogus PDF Attachments

Each email carries a malicious attachment whose name is chosen to match the contents of the email body, according to Intezer. In reality it contains .NET malware, usually packaged in an .IMG, .ISO or .CAB file. These are all file types commonly used by attackers to evade detection by email-based antivirus scanners, researchers said: IMG/ISO files are Universal Disk Format (UDF) disk images, the kind commonly used for DVDs, while Cabinet (.CAB) files are a type of archive file.

The files are, however, disguised as PDFs, using fake file extensions and icons in an effort to look less suspicious. Once the user double-clicks the attachment, the image is mounted and its contents are exposed; a further click on the file inside executes the malware.

Intezer also noted that, to bypass detection by standard antivirus, the malware executes filelessly, meaning that it is loaded into memory without creating a file on disk.
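Because the disguise rests on the file name (a PDF icon and extension over an .ISO, .IMG or .CAB container), a gateway that trusts only the bytes can catch it. The following is an added example, not code from Intezer or the article, of an attachment triage step that sniffs the real container type from magic bytes (the ISO 9660 "CD001" / UDF "BEA01" identifier at sector 16, the "MSCF" Cabinet header, the "%PDF" prefix) and compares it with what the file name claims. The quarantine policy and the sample files are assumptions constructed for the illustration; the ISO sample is a minimal header, not a real image.

```python
from pathlib import PurePosixPath

# Container extensions the article names as the usual carriers.
RISKY_CONTAINERS = {".iso", ".img", ".cab"}

# ISO 9660 / UDF images place a volume descriptor at sector 16 (offset 0x8000):
# byte 0 is the descriptor type, bytes 1..5 hold "CD001" (ISO 9660) or
# "BEA01" (UDF beginning-extended-area descriptor).
ISO_ID_OFFSET = 0x8001


def sniff_type(data: bytes) -> str:
    """Identify the real container type from magic bytes, ignoring the name."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"MSCF"):          # Microsoft Cabinet signature
        return "cab"
    ident = data[ISO_ID_OFFSET:ISO_ID_OFFSET + 5]
    if len(data) >= ISO_ID_OFFSET + 5 and ident in (b"CD001", b"BEA01"):
        return "iso"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes say.

    Policy (assumed for this example): mountable images and archives from
    external mail are quarantined, as are files whose extension claims PDF
    while the content is something else; unidentified content is held for
    review; a genuine PDF named as a PDF is passed on to AV scanning.
    """
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    declared = suffixes[-1] if suffixes else ""
    sniffed = sniff_type(data)
    reasons = []
    if declared in RISKY_CONTAINERS or sniffed in ("iso", "cab"):
        reasons.append("mountable disk image or archive container")
    if ".pdf" in suffixes[:-1]:
        reasons.append("double extension hides the real type")
    if declared == ".pdf" and sniffed != "pdf":
        reasons.append(f"name claims PDF but content is {sniffed}")
    if reasons:
        verdict = "quarantine"
    elif sniffed == "unknown":
        verdict = "review"
    else:
        verdict = "allow"
    return {"file": filename, "declared": declared, "sniffed": sniffed,
            "verdict": verdict, "reasons": reasons}


# Constructed samples (not real attachments from the campaign).
def sample_iso() -> bytes:
    """16 empty sectors, then a primary volume descriptor header
    (type 1, 'CD001', version 1) padded to a full 2048-byte sector."""
    return b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041


def sample_cab() -> bytes:
    return b"MSCF" + b"\x00" * 32       # signature only


def sample_pdf() -> bytes:
    return b"%PDF-1.7\n% constructed sample, not a real document\n"


if __name__ == "__main__":
    for name, blob in (("Quotation_RFQ.pdf.iso", sample_iso()),
                       ("NDA.pdf", sample_iso()),
                       ("Tender_MTO.pdf", sample_pdf()),
                       ("Equipment_Specs.cab", sample_cab())):
        result = triage_attachment(name, blob)
        print(f"{name:24} {result['verdict']:10} {'; '.join(result['reasons'])}")
```

The two checks are deliberately independent: "NDA.pdf" with ISO bytes is caught by the content check alone, and "Quotation_RFQ.pdf.iso" is caught by the extension checks alone, so renaming the file or padding its header defeats at most one of them.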

A Social-Engineering Bonanza

While the technical aspects of the campaign are fairly routine, the cyberattackers really shine when it comes to social engineering and doing their homework on their targets, researchers said.

As an example, one email purported to be sent from Hyundai Engineering, and referenced a real combined cycle power plant project in Panama. The email asks the receiver to submit a bid for the supply of equipment to the project and offers further details and requirements “in the attached file” (containing the malware). The email also gives a hard deadline for bid submissions.

Another example involved a typosquatted email supposedly sent by Barend Jenje from GustoMSC, asking the recipient to sign an attached, purported non-disclosure agreement. GustoMSC is based in the Netherlands, specializing in offshore equipment and technology for the oil and gas industry. The email references the real Dunkirk offshore wind farm project, which is run by a consortium made up of several companies, two of which are mentioned in the email.

Another email that Intezer researchers analyzed was sent to an employee at GS E&C, a Korean contractor engaged in various global power plant projects. The email invited the person to submit both technical and commercial offers for the items described in the attachment, which pretended to be a material take off (MTO) document.

It was allegedly sent by Rashid Mahmood from China Petroleum Engineering & Construction Corp. (CPECC), and it contained a reference to the expansion project of an oil field in Abu Dhabi called BAB, which is the oldest operating field in the UAE.

“The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence,” researchers said. “This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments.”

As good as the attackers are at building credibility, some of the emails do contain red-flag mistakes. For instance, while the address given in the CPECC example above is the company's actual address in the UAE, it reads “reginal headquarter” instead of “regional headquarters.”
