Researchers from security company Intezer have detected a sophisticated email phishing campaign targeting large international companies in the energy, oil and gas, and electronics industries. The cyber attackers have typically used typosquatting and spoofed emails, and available data indicates that the malicious activities have been ongoing for the last year.
The campaign spreads via phishing emails tailored to the employees of each targeted company. The contents and sender of the emails are made to look like they come from another company in the relevant industry offering a business partnership or opportunity, Intezer researchers Nicole Fishbein and Ryan Robinson wrote in a blog post.
“Each email has an attachment, usually an IMG, ISO or CAB file. These file formats are commonly used by attackers to evade detection from email-based Antivirus scanners. Once the victim opens the attachment and clicks on one of the contained files an information stealer is executed,” according to the researchers. The dropped malware is generally able to steal private information, log keyboard strokes and steal browsing data, they added.
The email phishing attack targets companies from around the world, including the U.S., UAE and Germany, but its primary targets are South Korean companies. While the targeted industries are wide-ranging, they are mostly in the energy sector, Intezer said.
The emails are formatted to look like valid correspondence between two companies. This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments. The emails use social engineering tactics such as making references to executives, using physical addresses, logos and emails of legitimate companies. They also include requests for quotations (RFQ), contracts, and referrals/tenders to real projects related to the business of the targeted company.
Intezer researchers also said that the recipient email addresses of these emails range from generic email handles such as “info@target_company[.]com” or “sales@target_company[.]com” to specific people within companies, thereby suggesting that for some companies they have likely managed to gather more intelligence during reconnaissance than others.
In several emails, the sender domains appear to have been typosquatted in order to increase the credibility of the spear phishing attempt. Typosquatting is a social engineering technique that leads email recipients to believe a message has been sent by a trusted entity. It is performed by registering a domain name that closely mimics a legitimate one; when viewed quickly, such a domain increases the chances that the recipient takes the email to be from the legitimate company.
Many email addresses in this campaign are spoofed by the actor. Email spoofing is another tactic that is used to social engineer targets into opening emails. Email spoofing is done by sending an email with forged headers to suggest that the email is sent from a trusted or legitimate entity.
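The two sender-side tricks described above, typosquatted domains and forged headers, are what a mail gateway or SOC analyst would check for on the receiving end. The following is an added illustration, not code from the Intezer report or from the campaign: it parses a raw message, compares the From domain against a constructed list of trusted partner domains using edit distance (a near miss of one or two characters is flagged as a lookalike), and reads the receiving MTA's Authentication-Results header so that a message claiming a trusted domain without a DMARC pass is flagged as spoofed. The partner domains, the sample messages and the distance threshold are all assumptions for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domains this organization legitimately corresponds with (constructed for the example).
TRUSTED_PARTNER_DOMAINS = {"acme-energy.com", "northsea-tenders.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_match(domain: str, trusted=TRUSTED_PARTNER_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` resembles, or None.

    An exact match is legitimate; a near miss (1-2 edits away) is the
    pattern a typosquatted sender domain produces."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for candidate in trusted:
        if levenshtein(domain, candidate) <= max_distance:
            return candidate
    return None


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from the receiving MTA's Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def triage(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Typosquatting: sender domain is a near miss of a partner we trust.
    lookalike = typosquat_match(from_domain)
    if lookalike:
        findings.append(f"typosquat: {from_domain} resembles trusted {lookalike}")

    # Spoofing: sender claims a trusted domain but the message did not pass DMARC.
    auth = auth_results(msg)
    if from_domain in TRUSTED_PARTNER_DOMAINS and auth.get("dmarc") != "pass":
        findings.append(
            f"spoof: From claims {from_domain} but dmarc={auth.get('dmarc', 'missing')}"
        )

    # Replies routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"reply-to mismatch: {reply_to}")
    return findings


# Constructed sample messages (not real campaign artifacts).
SAMPLE_TYPOSQUAT = b"""From: "Procurement" <rfq@acme-enerqy.com>
To: sales@target-company.example
Subject: RFQ for pipeline valves
Authentication-Results: mx.target-company.example; spf=pass smtp.mailfrom=acme-enerqy.com; dkim=pass; dmarc=pass

Please see the attached quotation request.
"""

SAMPLE_SPOOF = b"""From: "Acme Energy" <partner@acme-energy.com>
Reply-To: partner@mail-relay.example
To: info@target-company.example
Subject: Tender documents
Authentication-Results: mx.target-company.example; spf=fail smtp.mailfrom=acme-energy.com; dkim=none; dmarc=fail

Find the tender package attached.
"""

SAMPLE_CLEAN = b"""From: "Acme Energy" <partner@acme-energy.com>
To: info@target-company.example
Subject: Meeting notes
Authentication-Results: mx.target-company.example; spf=pass; dkim=pass; dmarc=pass

Notes from today's call.
"""

if __name__ == "__main__":
    for name, raw in (("typosquat", SAMPLE_TYPOSQUAT), ("spoof", SAMPLE_SPOOF), ("clean", SAMPLE_CLEAN)):
        print(name, triage(raw) or "no findings")
```

The DMARC verdict is only trustworthy when it comes from your own edge MTA, so in production the Authentication-Results header should be matched on your own authserv-id and any copies added upstream discarded. A two-edit threshold is generous; against a long partner list it will produce some false positives on short domains and should be tuned.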
The email phishing campaign has used several known Remote Access Tools (RATs) and information stealing malware contained in the files attached to the phishing emails. “Although the threats belong to different malware families, they do share a number of capabilities including: stealing private and banking information, logging keyboard strokes and stealing browsing data,” according to the researchers. “There are several known malware-as-a-service (MaaS) threats like Formbook and Agent Tesla used in this campaign. Other threats we have identified are Loki, Snake Keylogger and AZORult.”
Each email has an attached file containing one or more executables encapsulated inside an IMG, ISO, or CAB file, each belonging to one of the threats mentioned above. In Windows 8 and Windows 10, double-clicking a virtual disk file automatically mounts its contents. The feature is appealing to threat actors because it takes only a small number of user clicks to execute the malware.
The distribution method for the malware appears to be spear phishing emails, with an IMG, ISO, or CAB file included as an attachment and sent to specific targets. IMG and ISO files are disk images in the Universal Disk Format (UDF), commonly used for DVDs; Cabinet (CAB) files are a type of archive. In most of these emails the file name and icon of the attachment mimic a PDF. The purpose is to make the file look less suspicious, enticing the targeted individual to open and read it.
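Because the attachments described above are disk images and cabinets whose names and icons are made to look like PDFs, a gateway cannot rely on the file name. The following is an added example for this article, not Intezer's tooling: it identifies the real container from the bytes (the "MSCF" magic of a CAB, the "CD001" primary volume descriptor of ISO 9660, or the "BEA01"/"NSR0x" recognition descriptors of UDF, all of which sit in the volume descriptor area starting at sector 16), flags disk-image or double-extension names such as `quotation.pdf.iso`, reports a mismatch when a document-named file is really an image or executable, and checks whether an image carries an embedded Windows executable by looking for the DOS stub string every PE file contains. The sample image is constructed inline and is not a real malicious file.

```python
import os

SECTOR = 2048
DOS_STUB = b"This program cannot be run in DOS mode"  # present in every standard PE file
IMAGE_EXTS = {".iso", ".img", ".cab"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def detect_container(data: bytes):
    """Identify the container format from content rather than from the file name."""
    if data[:4] == b"MSCF":
        return "cab"
    if data[:2] == b"MZ":
        return "pe"
    # ISO 9660 and UDF volume descriptors start at sector 16, one per 2048-byte
    # sector, with a 5-byte standard identifier at offset 1 of each descriptor.
    identifiers = set()
    for sector in range(16, 24):
        off = sector * SECTOR + 1
        identifiers.add(bytes(data[off:off + 5]))
    if identifiers & {b"BEA01", b"NSR02", b"NSR03"}:
        return "udf"
    if b"CD001" in identifiers:
        return "iso9660"
    return None


def name_findings(filename: str) -> list:
    """Findings based only on the attachment name."""
    findings = []
    root, ext = os.path.splitext(filename.lower())
    if ext in IMAGE_EXTS:
        findings.append("disk image or cabinet attachment")
    # "quotation.pdf.iso" / "invoice.pdf.exe": a document-looking name with a risky suffix.
    inner = os.path.splitext(root)[1]
    if inner in DOCUMENT_EXTS and ext in (EXEC_EXTS | IMAGE_EXTS):
        findings.append(f"document-looking name ends in {ext}")
    return findings


def triage_attachment(filename: str, data: bytes) -> list:
    """Combine name-based and content-based checks into a list of findings."""
    findings = name_findings(filename)
    container = detect_container(data)
    ext = os.path.splitext(filename.lower())[1]
    if container is not None and ext in DOCUMENT_EXTS:
        findings.append(f"content is {container} but name claims {ext}")
    if container in ("iso9660", "udf", "cab") and DOS_STUB in data:
        findings.append(f"{container} image carries an embedded Windows executable")
    return findings


def make_sample_image(with_exe: bool = True) -> bytes:
    """Constructed stand-in for a malicious ISO attachment (not a real sample):
    a primary volume descriptor and terminator at sectors 16-17 and, optionally,
    a fake PE header plus DOS stub in the data area."""
    buf = bytearray(SECTOR * 24)
    buf[16 * SECTOR:16 * SECTOR + 6] = b"\x01CD001"   # primary volume descriptor
    buf[17 * SECTOR:17 * SECTOR + 6] = b"\xffCD001"   # volume descriptor set terminator
    if with_exe:
        payload = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB
        buf[20 * SECTOR:20 * SECTOR + len(payload)] = payload
    return bytes(buf)


if __name__ == "__main__":
    print(triage_attachment("Quotation_RFQ.pdf.iso", make_sample_image()))
    print(triage_attachment("Report.pdf", make_sample_image(with_exe=False)))
    print(triage_attachment("Notes.pdf", b"%PDF-1.4 constructed placeholder"))
```

The DOS stub search is a coarse indicator: a packed or deliberately stripped executable can omit the string, so in a real gateway this check complements rather than replaces mounting the image in a sandbox and inspecting its file table.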
“To bypass detection from standard Antiviruses, the execution of the malware is fileless, meaning that it is loaded into memory without creating a file on disk,” the researchers said.
A recent report from Panda Security detected that fileless malware rates in 2020 increased by close to 900 percent over 2019. These threats can be particularly dangerous due to their ability to evade detection by traditional endpoint protection clients and because they can succeed without victims doing anything beyond clicking a malicious link or unknowingly visiting a compromised website.
“Toolkits like PowerSploit and CobaltStrike allow threat actors to easily inject malicious code into other running processes and remain operational even if the victim’s defenses identify and remove the original script. Deploying endpoint detection and response solutions alongside preventative anti-malware can help identify these threats,” according to the report.
Another key threat with this email phishing campaign is that in the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.
Intezer recommends that companies in the energy, oil and gas, and electronics sectors treat emails with awareness and caution, especially emails received from outside the company's domain. Suspicious files and links should not be opened or clicked on, and organizations must also have a solution that handles fileless malware in memory effectively.