Weeks before US oil contract prices went negative, a spear-phishing crew went after oil firms. What did they get?

Who wants to know about their biz plans? Someone determined

As American crude oil crashed on Monday, leading to the bizarre situation of a negative futures contract price, our attention was drawn to a spear-phishing campaign against organizations involved in global oil production.

The folks at Bitdefender today detailed a targeted espionage mission against oil and energy companies around the world. The phishing peaked on March 31, just before a planned OPEC meeting of oil-producing nations, many of which were targeted, we're told.

The lure itself appeared rather unremarkable: targets in various businesses were sent spear-phishing emails containing Windows spyware dubbed Agent Tesla disguised as an attached report or form. If opened, Agent Tesla would execute and use a Yandex mail server – smtp.yandex.com – to receive commands from its masters and reply with stolen data, presumably via email messages. These commands told the software nasty what to collect, such as password key-presses, clipboard contents, and so on, which were duly sent to whoever was behind the phishing campaign.

What is unique, in this case, is the very specific group of companies targeted, Bitdefender said. Certain key oil-producing organizations across the world were sent emails from seemingly one of their own: Egyptian oil and gas engineering firm Enppi.

"The impersonated engineering contractor (Enppi - Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others," the Bitdefender Labs team said.

A second, much smaller spear-phishing operation, impersonated a Philippines-based shipping company, targeted oil and gas companies in that country.

The who and where of those targets are key to understanding the seriousness of the attack and how it tied into current events. Each of the targeted companies are in countries that are major stakeholders in the global oil market.

Image by Arak Rattanawijittakorn http://www.shutterstock.com/gallery-2364116p1.html

Google: We've blocked 126 million COVID-19 phishing scams in the past week


Following plummeting oil demand, and economic instability, amid the coronavirus pandemic, OPEC has cut production of the fossil fuel, forcing energy companies and their buyers and suppliers around the world to scramble and adapt. As supply outstrips demand, unwanted barrels of oil are piling up, forcing prices so low, some distributors are paying people to take them away.

This, it seems, is what the attackers are after; details on the strategies oil and energy companies are following to deal with the cuts.

"While the spear phishing attacks on oil and gas could be part of a business email compromise scam, the fact that it drops the Tesla Agent info-stealer suggests these campaigns could be more espionage focused," Bitdefender senior e-threat analyst Liviu Arsene told The Register.

"Threat actors that might have some stakes in oil and gas prices or developments may be responsible, especially when considering the niche targeted vertical and the ongoing oil crisis."

In other words, someone, possibly a private energy company, or a state-backed hacking group, or even a combination of the two, wants to keep tabs on how companies are dealing with the oil crisis so that they can react or even get ahead of the markets.

While the infrastructure, particularly the use of an ordinary Yandex server, could cause some speculation on the attackers being Russian, Arsene cautions not to read into the host too much, as it is fairly common for malware operators to use legit, busy services around the world to communicate.

"It's not uncommon for attackers to abuse legitimate services, such as email services or social networking platforms, for command and control," Arsene explained to El Reg.

"Communication between the victim and the attacker would go through a legitimate service, making it seem legitimate to security tools. Hackers also prefer locations where jurisdiction from law enforcement is difficult and needs an extended number of approvals to get to the server."

Admins are advised to make sure users are protected from the Agent Tesla trojan (as it has been around since 2014, most antivirus software should detect it) and, if applicable, Bitdefender has provided a list of file hashes to block and indicators of compromise in its above-linked report. ®

Broader topics

Other stories you might like

  • Google location tracking to forget you were ever at that medical clinic
    Plus: Cyber-mercenaries said to target legal world, backdoor found on web servers, and more

    In brief Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.

    In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.

    Google keeps a log of its users whereabouts, via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries.

    Continue reading
  • Voicemail phishing emails steal Microsoft credentials
    As always, check that O365 login page is actually O365

    Someone is trying to steal people's Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.

    This email campaign was detected in May and is ongoing, according to researchers at Zscaler's ThreatLabz, and is similar to phishing messages sent a couple of years ago.

    This latest wave is aimed at US entities in a broad array of sectors, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, the researchers wrote this month.

    Continue reading
  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks
    Now those are some phishing boats

    Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.

    A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

    It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

    Continue reading
  • Europol arrests nine suspected of stealing 'several million' euros via phishing
    Victims lured into handing over online banking logins, police say

    Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.

    The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.

    On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.

    Continue reading
  • Zscaler bulks up AI, cloud, IoT in its zero-trust systems
    Focus emerges on workload security during its Zenith 2022 shindig

    Zscaler is growing the machine-learning capabilities of its zero-trust platform and expanding it into the public cloud and network edge, CEO Jay Chaudhry told devotees at a conference in Las Vegas today.

    Along with the AI advancements, Zscaler at its Zenith 2022 show in Sin City also announced greater integration of its technologies with Amazon Web Services, and a security management offering designed to enable infosec teams and developers to better detect risks in cloud-native applications.

    In addition, the biz also is putting a focus on the Internet of Things (IoT) and operational technology (OT) control systems as it addresses the security side of the network edge. Zscaler, for those not aware, makes products that securely connect devices, networks, and backend systems together, and provides the monitoring, controls, and cloud services an organization might need to manage all that.

    Continue reading

Biting the hand that feeds IT © 1998–2022