Researchers at DeNexus have identified three campaigns in the wild that reuse the same, or closely matching, spear phishing email templates. The campaigns were first spotted during investigations into targeted attacks on the oil and gas supply chain in the Middle East.
Headquartered in California, DeNexus delivers cyber risk modeling for industrial networks. Its investigation uncovered additional details of the attack and identified new victims of the threat actor. The firm also confirmed that the campaigns have evolved over time and that the threat actor remains active and is running further campaigns.
“We currently know that the threat actor is trying to collect information from the targeted companies and much of the time uses information stealers as final payloads,” DeNexus said in a statement on Wednesday. “In most cases, the threat actor is using AgentTesla malware as the information stealer. It was found that seven industrial companies were compromised and ten more, located in the Middle East, APAC, Europe and North America, were targeted.”
The threat actor has changed its malware distribution method over time. More recent campaigns use an email with a PDF attachment; the PDF itself contains a link to a ZIP file hosted either on a server controlled by the attacker or on a third-party file hosting service, DeNexus said. Because the message carries only a document with a link rather than the payload, attachment scanning at the mail gateway has nothing executable to inspect, and the archive is fetched only after the recipient clicks.
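As an added illustration (not part of DeNexus's report or tooling), the script below shows the triage check this delivery change calls for: it pulls every /URI link out of a PDF attachment, including links stored inside compressed object streams where a plain text search misses them, and flags those that download an archive or point at a file sharing host. The sample PDFs, hostnames and the sharing-host list are constructed for the example.

```python
import re
import zlib
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: a minimal PDF with two link annotations. Only the first points
# at an archive. The xref table is omitted; byte-level scanning does not need it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (http://files.example.invalid/tender/Tender_Documents.zip) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
  /A << /S /URI /URI (https://www.example.invalid/about) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".iso", ".img")

# /URI followed by a literal string; backslash-escaped characters are allowed inside it.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# A stream body; the lookbehind stops "endstream\n" from being taken as a new stream start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decompressed_streams(data: bytes) -> List[bytes]:
    """Inflated bodies of every stream that is zlib (FlateDecode) data. PDF 1.5+ writers keep
    annotations inside compressed object streams, so a grep on the raw bytes misses them."""
    out = []
    for body in STREAM_RE.findall(data):
        try:
            out.append(zlib.decompressobj().decompress(body))  # tolerates trailing bytes
        except zlib.error:
            continue  # image, font or other filter: not our concern here
    return out


def extract_uris(data: bytes) -> List[str]:
    """All /URI targets, in order of appearance, from raw objects and inflated streams."""
    seen, uris = set(), []
    for chunk in [data] + decompressed_streams(data):
        for raw in URI_RE.findall(chunk):
            uri = re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")  # drop simple escapes
            if uri not in seen:
                seen.add(uri)
                uris.append(uri)
    return uris


def triage_pdf(data: bytes, sharing_hosts: Tuple[str, ...] = ()) -> List[Tuple[str, List[str]]]:
    """(uri, reasons) for every link that warrants analyst attention.
    sharing_hosts: file hosting services the organisation does not legitimately use (assumed list)."""
    findings = []
    for uri in extract_uris(data):
        parsed = urlparse(uri)
        reasons = []
        if parsed.path.lower().endswith(ARCHIVE_SUFFIXES):
            reasons.append("link downloads an archive: " + parsed.path.rsplit("/", 1)[-1])
        host = (parsed.hostname or "").lower()
        if host and any(host == h or host.endswith("." + h) for h in sharing_hosts):
            reasons.append("hosted on third-party file sharing service: " + host)
        if reasons:
            findings.append((uri, reasons))
    return findings


def sample_with_compressed_objects() -> bytes:
    """Constructed variant where the annotation sits in a FlateDecode object stream."""
    inner = (b"4 0 obj << /Type /Annot /Subtype /Link "
             b"/A << /S /URI /URI (http://files.example.invalid/x/Invoice.zip) >> >> endobj")
    body = zlib.compress(inner)
    return (b"%%PDF-1.5\n6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
            % len(body) + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for pdf in (SAMPLE_PDF, sample_with_compressed_objects()):
        for uri, reasons in triage_pdf(pdf, sharing_hosts=("share.example.invalid",)):
            print(uri, "->", "; ".join(reasons))
```

The check is deliberately cheap enough to run on every inbound PDF at the gateway or in a sandbox pre-filter; it does not follow the link, so the ZIP and whatever it contains still need detonation. A PDF that only encodes its link in a hex string or builds it with JavaScript will slip past this regex, which is why the script is a triage aid and not a verdict.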
Beyond the change in distribution method, the spear phishing itself has become more sophisticated. The attacker now registers lookalike domains resembling the victim's own domain or that of a trusted partner or supplier, so that the email appears to come from a known sender. Because the attacker owns such a domain, it can carry valid SPF and DKIM records of its own; sender authentication alone will not flag it, and the sender domain has to be compared against the organisation's list of genuine partner domains.
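As an added illustration (not from DeNexus or Zscaler), the following script shows a sender-domain check against a list of known partner domains, flagging the kinds of lookalike registration described above: confusable characters, a swapped TLD, a one- or two-character typo, or the partner's name embedded in a longer domain. The domain names are constructed; the two-label rule for the registrable domain and the confusables table are simplifying assumptions.

```python
import re
from typing import Iterable, Optional, Tuple

# Character substitutions seen in lookalike registrations (illustrative, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize_label(label: str) -> str:
    """Canonical form of a domain label: lower-case, hyphens dropped, confusables folded."""
    s = label.lower().replace("-", "")
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def registrable_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels. Production code should
    consult the Public Suffix List so that names such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 or 2 between registrable names suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an address written as 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    if not m:
        raise ValueError("no domain in address: %r" % address)
    return m.group(1).lower()


def classify_sender(address: str, trusted_domains: Iterable[str]) -> Optional[Tuple[str, str]]:
    """(verdict, trusted_domain) when the sender's domain imitates a trusted one;
    None when it is the trusted domain itself or bears no resemblance to any of them."""
    host = registrable_domain(sender_domain(address))
    trusted = [registrable_domain(t) for t in trusted_domains]
    if host in trusted:
        return None  # genuine domain; SPF/DKIM/DMARC alignment still has to be verified
    base, _, suffix = host.partition(".")
    norm = normalize_label(base)
    for t in trusted:
        t_base, _, t_suffix = t.partition(".")
        t_norm = normalize_label(t_base)
        if norm == t_norm:
            return ("confusable" if suffix == t_suffix else "tld-swap", t)
        if len(t_norm) >= 5 and levenshtein(norm, t_norm) <= 2:
            return ("typosquat", t)
        if len(t_norm) >= 5 and t_norm in norm:
            return ("brand-embedded", t)
    return None


TRUSTED_PARTNERS = ["acme-energy.com", "mail.gulfpipe.net"]  # constructed partner list

if __name__ == "__main__":
    for addr in ["procurement@acme-energy.com", "tenders@acrne-energy.com",
                 "tenders@acme-energy.co", "bids@acme-enegry.com",
                 "docs@acme-energy-tenders.com", "info@unrelated.org"]:
        print(addr, "->", classify_sender(addr, TRUSTED_PARTNERS))
```

The exact-match branch returning None is the important caveat: a message from the real partner domain is only genuine if it also passes SPF/DKIM/DMARC alignment, since the From header is trivially forgeable, while a lookalike domain will pass those checks for itself and is caught only by this comparison. The length threshold on the typo and embedded-brand checks keeps short partner names from matching everything; expect some false positives on legitimate affiliates and tune the list rather than the thresholds.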
A report released by Zscaler last September detailed a targeted cyber attack on oil and gas supply chain industries in the Middle East. It warned users to be cautious about unexpected emails, even ones that appear relevant to their work, such as a legal tender for a project. Given the approach these attackers use, it recommended that users ‘always be wary of links embedded inside file formats such as PDF since these links could lead to download of malicious files on your system.’
“Changes in the behavior of attackers indicate that they need to reduce the level of detection of their malicious actions at the first stages of attacks. It is very important to track the evolution of such behavior in order to increase protection and to assess the damage from such cyber attacks in a timely manner,” said Markel Picado, DeNexus’ malware analyst and threat hunter.
Data released last week by IBM Security X-Force showed that data theft and leakage was the top attack type for the energy sector, accounting for 35 percent of all attacks in the sector and underscoring the threat from information-stealing malware and phishing. Many of these attacks were against oil and gas companies in particular, it added.
Throughout 2020, industrial cybersecurity firm Dragos identified new activity by the EKANS ransomware targeting multiple verticals including electric, oil and gas, medical, pharmaceutical manufacturing, and automotive.
In March, the Parisite threat group exploited the Citrix vulnerability CVE-2019-19781 in intrusions targeting North American electric and oil and gas entities, according to Dragos. This is concerning because Parisite conducts initial access operations that can enable subsequent disruptive operations associated with the Magnallium group, which highlights the need to track any group attempting to reach ICS (industrial control systems) through IT networks, it added.
Last April, Bitdefender researchers identified two spear phishing campaigns that impersonated either an Egyptian engineering contractor or a shipping company and dropped the Agent Tesla spyware trojan. The malware harvests sensitive information and various types of credentials and sends them to its command and control (C&C) server. The oil and gas supply chain was already under considerable strain at the time, as the global COVID-19 pandemic lowered oil demand.