Critical infrastructure
Industries
Mining, Oil & Gas
News
Reports
Utilities: Energy & Power, Water, Waste

Energy, O&G companies and suppliers hit by global email phishing campaign

July 12, 2021
email phishing

Researchers from security company Intezer have detected a sophisticated email phishing campaign targeting large international companies in the energy, oil and gas, and electronics industries. The cyber attackers have typically used typosquatting and spoofed emails, and available data indicates that the malicious activities have been ongoing for the last year.

The campaign spreads via phishing emails tailored for employees at each company being targeted. The contents and sender of the emails are made to look like they are from another company in the relevant industry, offering a business partnership or opportunity, Nicole Fishbein and Ryan Robinson, both Intezer researchers wrote in a blog post

“Each email has an attachment, usually an IMG, ISO or CAB file. These file formats are commonly used by attackers to evade detection from email-based Antivirus scanners. Once the victim opens the attachment and clicks on one of the contained files an information stealer is executed,” according to the researchers. The dropped malware is generally able to steal private information, log keyboard strokes and steal browsing data, they added.

The email phishing attack targets companies from around the world, including the U.S., UAE and Germany, but its primary targets are South Korean companies. While the targeted industries are wide-ranging, they are mostly in the energy sector, Intezer said.

The emails are formatted to look like valid correspondence between two companies. This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments. The emails use social engineering tactics such as making references to executives, using physical addresses, logos and emails of legitimate companies. They also include requests for quotations (RFQ), contracts, and referrals/tenders to real projects related to the business of the targeted company.

Intezer researchers also said that the recipient email addresses of these emails range from generic email handles such as “info@target_company[.]com” or “sales@target_company[.]com” to specific people within companies, thereby suggesting that for some companies they have likely managed to gather more intelligence during reconnaissance than others.

In several emails, it appears the sender domains have been typosquatted in order to increase the credibility of the spear phishing attempt. Typosquatted domains are a technique used to social engineer email recipients into thinking an email has been sent from a trusted entity. The technique is performed by registering a domain name that usually mimics a legitimate domain. When viewed quickly, it can increase the chances of the recipient thinking that the email has been sent from a legitimate company.

Many email addresses in this campaign are spoofed by the actor. Email spoofing is another tactic that is used to social engineer targets into opening emails. Email spoofing is done by sending an email with forged headers to suggest that the email is sent from a trusted or legitimate entity. 

The email phishing campaign has used several known Remote Access Tools (RATs) and information stealing malware contained in the files attached to the phishing emails. “Although the threats belong to different malware families, they do share a number of capabilities including: stealing private and banking information, logging keyboard strokes and stealing browsing data,” according to the researchers. “There are several known malware-as-a-service (MaaS) threats like Formbook and Agent Tesla used in this campaign. Other threats we have identified are Loki, Snake Keylogger and AZORult.”

Each email has an attached file containing one or more executables encapsulated inside an IMG, ISO, or CAB file, each belonging to one of the threats mentioned above. In Windows 8 and Windows 10, double-clicking on virtual disk files will automatically mount its content. The feature is appealing for threat actors because it takes a small number of user clicks to execute the malware. 

The distribution method for the malware appears to be spear phishing emails, with either an IMG, ISO, or CAB file included as an attachment and sent to specific targets. The IMG/ISO files are part of the Universal Disk Format (UDF) which are disk images commonly used for DVDs. Cabinet (CAB) files are a type of archive file. In most of these emails the file name and icon of the attachment mimics a PDF. The purpose is to make the file look less suspicious, enticing the targeted individual to open and read it.

“To bypass detection from standard Antiviruses, the execution of the malware is fileless, meaning that it is loaded into memory without creating a file on disk,” the researchers said.

A recent report from Panda Security detected that fileless malware rates in 2020 increased by close to 900 percent over 2019. These threats can be particularly dangerous due to their ability to evade detection by traditional endpoint protection clients and because they can succeed without victims doing anything beyond clicking a malicious link or unknowingly visiting a compromised website. 

“Toolkits like PowerSploit and CobaltStrike allow threat actors to easily inject malicious code into other running processes and remain operational even if the victim’s defenses identify and remove the original script. Deploying endpoint detection and response solutions alongside preventative anti-malware can help identify these threats,” according to the report.

Another key threat with this email phishing campaign is that in the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.

Intezer recommends that companies in the energy, oil and gas, and electronics sector treat emails with awareness and caution, especially emails that are received from outside the company’s domain. Apart from this, suspicious files and links should not be opened, or clicked on. Organizations must also have a solution that handles fileless malware in-memory effectively. 

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base