Spearphishing attacks hit the oil and gas industry sector

Hackers launched spear-phishing attacks against organizations in the oil and gas industry sector spreading the Agent Tesla info-stealer malware.

Crooks are targeting organizations in the oil and gas industry sector with targeted spearphishing campaigns impersonating shipment companies and engineering contractors. The attacks aim at infecting victims with the infamous Agent Tesla info-stealer malware.

Agent Tesla is a .Net-based info-stealing malware that was first spotted in 2014, it is used to spy on the victims by collecting keystrokes, system clipboard, screenshots, and credentials from the infected system. To do this, the spyware creates different threads and timer functions in the main function.

This info-stealer is also able to kill processes associated with malware analysis related processes and antivirus solutions.

Experts pointed out that this is the first time that Agent Tesla has been employed in attacks targeting the oil and gas vertical.

The experts continue to observe a spike in the number of attacks against oil & gas, as the global COVID-19 pandemic lowered oil demand.

“However, a disruptive dispute over oil production between Russia and Saudi Arabia ended with an agreement at the recent meeting between the OPEC+ alliance and the Group of 20 nations, aiming to slash oil production output and balance prices.” reads the analysis published by Bitdefender.

“While the malware payload itself is not as sophisticated as those used in more advanced and targeted attacks, the fact that they’ve been orchestrated and executed during this time, and before the “historic OPEC+ deal”, suggests motivation and interest in knowing how specific countries plan to address the issue.”

This circumstance suggests that attackers could be interested in gathering information on how targeted countries will address the deal.

Experts tracked several attacks, in a spearphishing campaign the attackers either impersonated a well-known Egyptian engineering contractor (Enppi – Engineering for Petroleum and Process Industries) or a shipment company. The contractor is well known in the energy industry in several countries, including Malaysia, the United States, Iran, South Africa, Oman, and Turkey.

Bitdefender also tracked another campaign aimed at organizations in the Philippines in which attackers impersonated the shipment company and used legitimate information about a chemical/oil tanker, plus industry jargon.

The first campaign monitored by Bitdefender begun on March 31 and targeted organizations from Malaysia, Iran, and the United States.

The campaign that impersonated a shipping company targeted only a limited number of shipping companies based in the Philippines.

Experts believe that the attackers have a deep understanding of the victim’s profile and used well-crafted messages to trick them into opening the malicious attachments.

In all the attacks hackers used weaponized attachments to deliver the Agent Tesla info-stealer to compromise victims’ systems.

“However, these campaigns seem to deliver the Agent Tesla spyware Trojan instead, and beyond just the oil & gas sector, they also target other energy verticals that have been tagged as critical during this Coronavirus pandemic.” continues the analysis.

“Analyzing the profile of the affected victims, we found them activating in oil & gas, charcoal processing, hydraulic plants, manufacturers of raw materials, and transporters of large merchandise.”

According to Bitdefender, hackers also targeted organizations in oil & gas, charcoal processing, hydraulic plants, manufacturers of raw materials, and transporters of large merchandise.

“Starting October 2019, the global evolution of cyberattacks on the energy industry has steadily increased on a monthly basis, peaking in February 2020,” Bitdefender concludes.

“With over 5,000 malicious reports from companies that operate in the energy industry, cybercriminals seem to have taken a keen interest in this vertical, perhaps as it has become more important and strategic after recent oil price fluctuations.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – energy, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]