A new spear phishing campaign is trying to plant malware at energy companies and their suppliers with cleverly forged e-mails; the malware is then used to steal login credentials.
Energy, oil and gas companies and other companies from related industries are currently the target of a sophisticated phishing campaign, as reported by the cybersecurity company Intezer. The campaign, which has been active for at least a year, is intended to smuggle malware into the companies' networks, where it harvests user names, passwords and other sensitive information and forwards them to the criminals behind the campaign. According to Intezer's security experts, the current cases could be the first phase of a larger campaign.
Exceptionally well-structured phishing emails
It is noticeable that the phishing e-mails described are exceptionally well researched and therefore appear quite legitimate at first glance. For example, they contain references to executives, office addresses and official logos, and they include requests for quotations and contracts that refer to real projects in order to appear authentic. In one case described by the security researchers, a specific power plant project was used as bait in the phishing e-mail. Such carefully researched and prepared campaigns are called spear phishing because, in contrast to ordinary phishing, the criminals proceed very methodically and attack a very specific target instead of spreading their e-mails as widely as possible in the hope that someone will fall into the trap.
Dangerous PDF in the attachment
In the current case, the victims are to be tricked into opening an attachment that disguises itself as a PDF. In fact, however, it is an IMG, ISO or CAB file containing an executable, which in turn loads the malware onto the computer. Various remote access tools are used, i.e. software for remote access such as Formbook, Agent Tesla or Loki, which in many cases are offered as malware-as-a-service. This means that the people behind the campaign do not develop their tools themselves but rent them. The security researchers at Intezer point out that this also camouflages the campaign better, since the rented malware is used in other criminal activities as well. This, in turn, could be an indication that these cases are the first stage of a larger campaign.
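The disguise described above can be checked on the mail gateway: identify the attachment by its magic bytes rather than by its name and flag anything that claims to be a PDF but is really a disk image or cabinet. The following is an added illustration, not code from Intezer or 8com; the signature offsets are those of the PDF, ISO 9660 and Microsoft Cabinet formats, the verdict names are assumptions, and an IMG file without an ISO 9660 descriptor is only caught by its extension.

```python
import os

# Magic bytes of the container formats named in the article and of the PDF
# the attachments claim to be (offsets taken from the published format specs).
PDF_MAGIC = b"%PDF-"        # PDF header at offset 0
CAB_MAGIC = b"MSCF"         # Microsoft Cabinet header at offset 0
ISO_MAGIC = b"CD001"        # ISO 9660 volume descriptor: sector 16, byte 1
ISO_MAGIC_OFFSET = 0x8001
CONTAINER_EXTS = {".iso", ".img", ".cab"}


def sniff_type(data: bytes) -> str:
    """Identify the attachment by its bytes, ignoring whatever the name claims."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(CAB_MAGIC):
        return "cab"
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    if len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC:
        return "iso"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for one attachment: allow, block, quarantine or review.

    block: the name advertises a PDF ('Tender.pdf', 'Tender.pdf.iso') but the
    bytes are not a PDF, the disguise the article describes. quarantine: disk
    image or cabinet by content or by extension. allow: bytes agree with a PDF
    name. review: anything else, hand to an analyst rather than guess.
    """
    lowered = filename.lower()
    real = sniff_type(data)
    claims_pdf = ".pdf" in lowered      # catches double extensions such as .pdf.img
    if claims_pdf and real != "pdf":
        return "block"
    if real in ("iso", "cab") or os.path.splitext(lowered)[1] in CONTAINER_EXTS:
        return "quarantine"
    if real == "pdf":
        return "allow"
    return "review"


if __name__ == "__main__":
    # Constructed samples: a real PDF, an ISO image renamed to look like a PDF,
    # and a cabinet with a plain .cab name.
    iso_image = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 64
    for name, blob in [("Tender_Request.pdf", b"%PDF-1.7\n"),
                       ("Tender_Request.pdf.iso", iso_image),
                       ("Contract.cab", b"MSCF" + b"\x00" * 32)]:
        print(name, "->", classify_attachment(name, blob))
```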
Attack on oil, gas and energy companies
The emails were sent to international companies that are active in the oil, gas and energy sectors, as well as in manufacturing and technology development. Among them are victims in the United States, the United Arab Emirates, Germany and South Korea. Nothing is currently known about the perpetrators of the attacks.
Parts of the infrastructure used have since been taken down or switched off, but it is quite possible that the campaign will remain active. Companies should therefore be extremely careful with incoming e-mails. Attachments and links in particular pose a danger that should not be underestimated, even if the sender and the e-mail itself appear legitimate.
About 8com
The 8com Cyber Defense Center effectively protects the digital infrastructures of 8com's customers from cyber attacks. It includes security information and event management (SIEM), vulnerability management and professional penetration tests. It also offers the setup and integration of an Information Security Management System (ISMS), including certification according to current standards. Awareness measures, security training and incident response management round off the offering.