These phishing emails want to deliver password-stealing malware to energy companies and their suppliers

Cyber criminals are targeting energy, oil and gas and other companies around the world with a phishing campaign designed to deliver malware capable of stealing usernames, passwords and other sensitive information in what’s believed to be the first stage of a wider campaign. 

Detailed by cybersecurity company Intezer, the phishing campaign has been active for at least a year and those behind it appear to have put a lot of effort into making the phishing emails look as legitimate as possible.

The phishing emails include references to executives, addresses of offices, official logos and requests for quotations, contracts and refer to real projects in order to look authentic. 

Cyber criminals have sent the emails to international companies in oil and gas, energy, manufacturing and technology around the world, with targets including companies in the United States, United Arab Emirates, Germany and South Korea. 

In one case detailed by researchers, the phishing email referred to a specific power plant project as a lure.

This phishing email and others invite the victim to click on an attachment designed to look like a PDF but is actually is an IMG, ISO, or CAB file which redirects users to an executable file – if this is run, it will install malware on the PC. 

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Several different forms of Remote Access Tools (RATs) and information stealing malware are being deployed in these attacks, including Formbook, Agent Tesla and Loki. Many of these are malware-as-a-service operations, meaning that those behind the phishing attacks are leasing malware, rather than developing it themselves. 

“It appears that the use of malware-as-a-service threats helps blend in with the noise of other malicious activity. It appears that they are casting a wide net with these types of threats and also targeting a lot of small-medium sized suppliers. Both might also indicate that this is the first stage in what may be wider activity,” Ryan Robinson, a security researcher at Intezer told ZDNet. 

It’s currently unknown who exactly is behind the phishing attacks, but Robinson says their methods “show a decent level of sophistication.” 

While some of the infrastructure around the attacks has been removed, it’s likely that the phishing campaign remains active. 

“Treat emails with awareness and caution, especially emails that are received from outside your company’s domain. Most importantly, don’t open suspicious files or links,” warns the research paper. 

MORE ON CYBERSECURITY

READ MORE HERE