Cybersecurity company Intezer has reported a spear-phishing campaign targeting the energy sector that has been running for close to a year. The attackers are using sophisticated social engineering techniques to spread their payloads, among which are Agent Tesla and other RATs.
Researchers say the attackers’ use of several common malware families makes attribution of this campaign to a particular threat group difficult.
The actor is sending spear-phishing emails to employees of different targeted organizations in the energy, oil & gas, and electronics industries. To make their methods more effective, the actor is using spoofed or typosquatted addresses that can be easily mistaken for legitimate ones.
“The contents and sender of the emails are made to look like they are being sent from another company in a relevant industry offering a business partnership or opportunity,” Intezer wrote in a blog post on Wednesday.
According to Intezer, the campaign started at least a year ago. It has targeted various companies mainly in South Korea, but also in the United States, the United Arab Emirates, and Germany. While the actor is mainly focused on the energy sector, they have also sent phishing emails to targets in IT, manufacturing, and media sectors.
They have conducted attacks on suppliers of the main targets, which, researchers believe, indicates that these attacks are the initial stage of a wider campaign.
“In the event of a successful breach, the attacker could use the compromised email account of the receipt to send spear-phishing emails to companies that work with the supplier. Thus using the established reputation of the supplier to go after more targeted entities,” Intezer said.
The emails contain various documents (IMG, ISO, or CAB) that are usually disguised as PDF documents in an effort to evade email security checks. Machines get infected when these files are opened by the targets. The malware can then collect and exfiltrate sensitive information.
The campaign delivers various well-known malware families that are offered through a malware-as-a-service (MaaS) model. Some of these include Agent Tesla, Loki, Formbook, and Snake Keylogger.
Intezer believes that the main reason why it was not able to link this campaign to an established threat actor is due to the use of MaaS malware.
“[The use of several MaaS threats] helps their activity blend in with the noise of other actors using the same types of malware,” said Intezer researcher Ryan Robinson. “We were also not able to link the attacker network infrastructure to any previous campaigns.”
In its blog post, Intezer provided several examples of the emails sent out as part of the campaign and indicators of compromise (IoCs).
Image: Intezer
