As American crude oil crashed on Monday, leading to the bizarre situation of a negative futures price, our attention was drawn to a spear-phishing campaign against organizations involved in global oil production.
Bitdefender researchers today detailed a targeted espionage operation against oil and energy companies around the world. The phishing peaked on March 31, just before the scheduled meeting of the OPEC oil-producing countries, many of which were targeted, we are told.
The lure itself was rather mundane: staff at various companies received phishing emails carrying a copy of the Windows spyware Agent Tesla disguised as a report or an attached form. If opened, Agent Tesla would run and use a Yandex mail server, smtp.yandex.com, to receive orders from its masters and send back stolen data, likely via email. These commands told the software what to collect, such as passwords, keystrokes and clipboard contents, which were duly sent to whoever was behind the phishing campaign.
What is unusual in this case is the very specific group of targeted companies, said Bitdefender. Some key oil organizations around the world received emails that appeared to come from one of their own: the Egyptian oil and gas engineering firm Enppi.
“The impersonated engineering contractor (Enppi – Engineering for Petroleum and Process Industries) has experience in onshore and offshore oil and gas projects, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman, and Turkey, among others,” said the Bitdefender Labs team.
A second, much smaller phishing operation impersonated a shipping company based in the Philippines and targeted oil and gas companies there.
The identity and location of these targets are essential to understanding the seriousness of the attack and how it relates to current events. Each of the targeted companies is located in a country that is a major player in the world oil market.
Following the drop in demand for oil and the economic instability brought on by the coronavirus pandemic, OPEC has reduced the production of fossil fuels, forcing energy companies and their buyers and suppliers around the world to struggle and adapt. As supply exceeds demand, barrels of unwanted oil accumulate, pushing prices so low that some distributors pay people to take them away.
This, it seems, is what the attackers are after: details of the strategies that the oil and energy companies are following to deal with the cuts.
“While phishing attacks on oil and gas may be part of a business email compromise scam, the fact that it drops the Agent Tesla info-stealer suggests that these campaigns could be more espionage-oriented,” Liviu Arsene, senior e-threat analyst at Bitdefender, told The Register.
“Threat actors who may have an interest in the prices or developments of oil and gas could be responsible, especially when you consider the targeted vertical niche and the ongoing oil crisis.”
In other words, someone, perhaps a private energy company, or a state-backed hacking group, or even a combination of the two, wants to keep an eye on how companies are coping with the oil crisis in order to react to, or even get ahead of, the markets.
While the infrastructure, especially the use of an ordinary Yandex server, could prompt speculation that the attackers are Russian, Arsene warns against reading too much into the host, as it is quite common for malware operators to use legitimate and busy services around the world to communicate.
“It is not uncommon for attackers to abuse legitimate services, such as email services or social media platforms, for command and control,” Arsene explained to El Reg.
“Communication between the victim and the attacker would go through a legitimate service, which looks legitimate to security tools. Hackers also prefer locations where law enforcement jurisdiction is difficult and requires an extended number of approvals to access the server.”
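One defensive angle on the point Arsene makes: in this campaign the spyware sent its loot through smtp.yandex.com, a host that egress filtering tends to trust, so the useful signal is not the destination's reputation but the fact that a workstation is speaking SMTP to anything other than the corporate mail relay. The following is an added example, not code from Bitdefender or The Register; the log format, the relay hostname and the sample lines are constructed for illustration.

```python
"""Flag endpoints that open SMTP sessions that bypass the corporate mail relay.

Added example (not from the Bitdefender report): Agent Tesla in this campaign
exfiltrated over smtp.yandex.com, so direct SMTP from a workstation to any
external mail host is treated as suspicious regardless of the host's reputation.
"""
import re
from collections import defaultdict

# Constructed egress log lines; the key=value format is assumed, not a real product's.
SAMPLE_LOGS = """\
2020-03-31T08:12:03Z src=10.20.1.15 dst=relay.corp.example dport=587 proto=tcp action=allow
2020-03-31T08:12:41Z src=10.20.1.15 dst=smtp.yandex.com dport=587 proto=tcp action=allow
2020-03-31T08:13:02Z src=10.20.1.15 dst=smtp.yandex.com dport=587 proto=tcp action=allow
2020-03-31T08:15:10Z src=10.20.1.22 dst=www.example.org dport=443 proto=tcp action=allow
2020-03-31T08:16:55Z src=10.20.2.7 dst=mail.other-provider.example dport=465 proto=tcp action=allow
2020-03-31T08:17:30Z src=10.20.1.15 dst=smtp.yandex.com dport=587 proto=tcp action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)
SMTP_PORTS = {25, 465, 587}
# Hosts that endpoints are expected to submit mail to (assumed corporate relay).
ALLOWED_MAIL_RELAYS = {"relay.corp.example"}


def find_direct_smtp(log_text, allowed_relays=ALLOWED_MAIL_RELAYS):
    """Return {src_ip: {dst_host: session_count}} for allowed SMTP sessions
    from endpoints to any destination that is not an approved mail relay."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format; skip it
        if int(m["dport"]) not in SMTP_PORTS or m["action"] != "allow":
            continue
        if m["dst"] in allowed_relays:
            continue  # normal mail submission through the corporate relay
        hits[m["src"]][m["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in find_direct_smtp(SAMPLE_LOGS).items():
        for dst, n in dsts.items():
            print(f"{src} -> {dst}: {n} direct SMTP session(s); inspect endpoint")
```

The heuristic generalizes beyond Yandex: any public mail provider used as a drop box shows up the same way, and a single endpoint repeatedly submitting to the same external host is the pattern worth triaging first.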
Administrators are advised to make sure users are protected against the Agent Tesla Trojan (as it has been around since 2014, most antivirus software should detect it) and, where applicable, Bitdefender has provided a list of file hashes to block and other indicators of compromise in its report. ®