A sophisticated campaign aimed at large multinational oil and gas firms has been running for more than a year, spreading common remote access trojans (RATs) for cyber-espionage purposes, researchers report.
According to Intezer's analysis, spear-phishing emails carrying malicious attachments are used to deploy RATs and information stealers such as Agent Tesla, AZORult, Formbook, Loki, and Snake Keylogger on victim machines, all with the goal of stealing confidential data, banking information, and browser data, as well as logging keystrokes.
While energy corporations are the primary targets, the campaign has also hit a few companies in the IT, manufacturing, and media sectors, the researchers say. Its targets are primarily based in South Korea, but also include companies in the United States, the United Arab Emirates, and Germany.
The report states, “The attack also targets oil and gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear-phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.”
Intezer singled out one of the media targets: “The company is FEBC, a religious Korean Christian radio broadcaster that reaches other countries outside of South Korea, many of these countries which downplay or ban religion. One of FEBC’s goals is to subvert the religion ban in North Korea.”
Modus Operandi of the Attack:
According to the analysts, the attackers open the attack by sending emails tailored to the staff of each targeted company. The recipient addresses range from generic role mailboxes (info@target company[.]com, sales@target company[.]com) to specific individuals inside the organization, indicating varying levels of reconnaissance.
The addresses in the "From" field are either typosquatted or forged to give the impression of authenticity. They are designed to look like emails from real organizations the targets already deal with. A typosquatted sender uses a registered lookalike domain (a swapped, dropped, or visually similar character) rather than the genuine one, so the message passes a casual glance and may even pass SPF and DKIM checks for the lookalike domain; a forged address simply spoofs the real domain and relies on the recipient's mail system not enforcing sender authentication. Either way, the aim is to convince the recipient that the email comes from a trusted entity.
“The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity,” according to Intezer.
Other attempts to appear legitimate include references to named executives and the use of the physical addresses, logos, and email addresses of genuine organizations in the body of the emails. According to the post, the emails also carry requests for quotation (RFQ), contracts, and referrals or tenders for real projects connected to the targeted company's line of business.
In most of these emails the attachment's file name and icon are made to look like a PDF. Intezer's researchers say the goal is to make the file appear less suspicious and entice the target to open and read it.
An information stealer is executed when the victim opens the attachment and clicks on the files it contains.
Intezer also noted that the malware's execution is fileless: the final payload is loaded directly into memory rather than being written to disk, which reduces its exposure to file-based antivirus scanning.
A Social-Engineering Bonanza:
According to the researchers, the technical side of the operation is fairly ordinary; where the attackers excel is in social engineering and in doing their homework on the targets.
One email, for example, claimed to be from Hyundai Engineering and mentioned an actual combined cycle power plant project in Panama. The email instructs the recipient to submit a bid for the project's equipment supply and includes more data and requirements "in the attached file" (containing the malware). In addition, the communication specifies a firm deadline for proposal submissions.
Another email examined by Intezer researchers was sent to an employee of GS E&C, a Korean contractor involved in a number of power plant projects worldwide. The email requested both technical and commercial proposals for the items listed in the attachment, ostensibly a material take-off (MTO) document.
Researchers stated, “The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence. This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments.”