Cyberattacks on Oil and Gas Firms Launched with no Malware at all

Oil and gas industry targeted by hackers with a genuine looking windows file, not a malware. The attacks are ongoing for about two years.

A unique targeted attack being underway for about two consecutive years exploits Windows file functions that look legitimate and a couple of homemade scripts – but not malware – in order to infiltrate firm in the gas & oil maritime transportation sector.

The attack was initially discovered by Panda Labs’ security researcher in the beginning of last year that got escape from Antivirus software, and managed to hit almost 10 companies in the gas & oil industry ever since it was launched in 2013 (August). What attackers tend to do here is stealing oil cargo organizations’ information and then utilizing it to pretend as legitimate companies in scam traps against the targeted oil brokers.

Panda Labs technical director, Luis Corrons says, “This is an innovative targeted attack” but not an APT (advance persistent threat) or cyber espionage.

“They use no malware; I’m not sure if they’re not using malware because they don’t know how to … They were stealing credentials without malware.”

This attack campaign, named as Phantom Menace (by Panda), was initially spotted by the cyber security squad at UK based oil and gas transportation company.  It actually started with a promising spear-phishing emails containing a phony file in PDF format that when clicked/opened by the targeted user, was found to be empty.

“It has a self-destructor file, and it creates a folder where it puts files inside. It runs one of the batch files and that’s it. There are no malicious” code tools, said Luis.

Panda security managed to root-out the stolen information/files out of an FTP-server being used by the alleged attackers, and drill-down into the particular attack itself that turn out to be a brand new spin onto the Nigerian scam. Here’s how the attack works (in a nutshell): the alleged scammers contact targeted oil broker and offer them any amount from 1 to 2 million BLCO (Bonny Light Crude Oil ) barrels – at bargain able price right from Bonny (a Nigerian town) , which is known for the oil having lower sulfur content making it comparatively low corrosive grade product.

Corrons says, “They have to show proof the product, quantity and quality of the oil, and they ask for $50- 100,000 in payment to close the agreement”. “They [the broker] goes there, and there is nothing,” no oil or supplier, he added.

Most of the victim organizations were in Europe, including Spain, Germany, and Belgium. There also were victims in Asia, he says.

“Our guess here is that they were interested in [oil cargo transportation company] user credentials so they can steal and copy real certificates from those companies” that they can use in the scam to pose as legitimate oil firms, says Corrons.

The marching infiltration of victim systems as soon as the phony file (PDF format) is clicked/opened works such as: an executable (.exe) file having an Adobe Acrobat-Reader symbolic icon extracts itself, creates a folder, and then moves files (six in number) into that particular folder. A file series that was planted gets to run, and at last makes use of a .bat format file in order to modify Windows registry as such whenever computer gets started, it runs that (.bat format) file to get the usernames & passwords from the browser and mail client, and then ultimately save them in a .text file.

Some additional steps are needed to mask folders, which include disabling Windows firewall. At last, FTP is used to upload files (all those stolen ones) onto attacker’s FTP server.

Corrons says, “Why would you bother to buy or build a Trojan,” which could be detected. Now obviously, the legitimate looking files tend to fly just under the radar.

865 is the number of total unique files (of stolen info) Corrons alongside his team discovered within the FTP server, and all of them were purely from oil and gas industry.

Written by: Ali Qamar, Founder/Chief Editor at

Author Bio:
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57

Pierluigi Paganini

(Security Affairs – oil and gas industry, cyber security)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

DORA Compliance Strategy for Business Leaders

In January 2025, European financial and insurance institutions, their business partners and providers, must comply…

31 mins ago

CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel, Microsoft Windows, Progress Telerik Report…

8 hours ago

City of Cleveland still working to fully restore systems impacted by a cyber attack

Early this week, the City of Cleveland suffered a cyber attack that impacted multiple services.…

13 hours ago

Two Ukrainians accused of spreading Russian propaganda and hack soldiers’ phones

Ukraine’s security service (SBU) detained two individuals accused of supporting Russian intelligence in spreading propaganda…

13 hours ago

Google fixed an actively exploited zero-day in the Pixel Firmware

Google is warning of a security vulnerability impacting its Pixel Firmware that has been actively…

1 day ago

Multiple flaws in Fortinet FortiOS fixed

Fortinet released security updates to address multiple vulnerabilities in FortiOS, including a high-severity code execution…

1 day ago

This website uses cookies.