BP Chargemaster's Pulse rebrand let crims send IcedID banking trojan from formerly legit mailboxes
F-Secure confirms nature of email nasty to El Reg
BP Chargemaster, purveyor of sockets for electric vehicles, seemingly had its email domain hijacked by criminals who used formerly legitimate addresses to send banking trojans to customers.
Malware-laden emails were sent from corporate email addresses earlier this month – and their attachments included the IcedID credential-stealing malware.
It appears that a corporate mail server may have been left unattended after BP Chargemaster rebranded as BP Pulse at the start of December 2020. During the rebrand, the BP Chargemaster and Polar websites were replaced by bppulse.co.uk, "to avoid any confusion".
Register reader Matt received some emails from BP Chargemaster which he was certain didn't come from the company.
"I last dealt with BP Chargemaster 2 years ago in relation to fitting a chargepoint for an electric car," Matt told us, showing us copies of legitimate correspondence with an @bpchargemaster[.]com email address.
Yet when he began hearing from that sender again, the emails he received contained text such as "Hello. Attached below requires your attention," urging Matt to open an attached .zip file. Another read: "Please look at the file attached. It must be interesting." Both messages appeared to have been sent from bpchargemaster[.]com email addresses, and Matt reckoned at the time that they had passed Sender Policy Framework (SPF) validation.
We asked F-Secure to have a look at the malicious attachment sent to Matt and the firm's Calvin Gan, senior manager in its Tactical Defence Unit, told The Register: "The email is a malspam campaign spreading a new version of the IcedID banking trojan. The zip file contains a malicious Excel spreadsheet which uses the Excel 4.0 macro feature to hide its code."
He added that infosec outfit Binary Defense has a recent writeup of the trojan's latest evolution. The company found that when successfully deployed, the trojan dropped Cobalt Strike beacons and crooks then mapped out the network where the nasty had landed, stating: "IcedID is a formidable threat that makes analysis complex and challenging."
It was first uncovered in 2017 by IBM's X-Force security division, as we reported at the time.
Lost control of the domain
BP Chargemaster publicly admitted that it had lost control of the bpchargemaster[.]com domain, although it appears to be showing legitimate BP content at the time of writing. A later message from BP Chargemaster (and not the scammers), forwarded to us by Reg reader John, said:
We are aware that a number of people have received emails that appear to have come from a bp Chargemaster email address. These have not been sent by us.
We no longer actively use email addresses that end in @bpchargemaster.com.
Please treat any emails you may receive from this domain as suspicious.
BP Chargemaster also advised people receiving those emails not to open them or the attachments and said it had informed the Information Commissioner's Office, while it carries out "a detailed investigation".
When asked for comment, a BP Chargemaster spokesman responded with a statement substantially identical to the email sent to customers, and did not elaborate on what had happened inside BP that caused the compromise of its email infrastructure.
F-Secure's Gan commented: "We cannot confirm if BP Chargemaster's infrastructure was compromised but it does look like [their] admittance of no longer actively using the mail address indicates that the mail server could be retired or hidden from the public."
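Matt's observation that the messages passed SPF, taken together with the company's statement that the domain is no longer actively used, points at the housekeeping a defender would check when a mail domain is retired: SPF only says that the sending host was one the domain's DNS authorises, so a dormant domain whose record still lists old providers or address ranges will keep validating whatever is sent through them. The Python below is an added illustration, not part of the original article and not code from BP, F-Secure or Binary Defense; the domain names and TXT records in it are constructed for the example, and it stands in a small dictionary for a live DNS lookup. It classifies a retired domain as locked down only when its SPF record is the null record `v=spf1 -all` (no hosts authorised, no `redirect=` handing evaluation elsewhere) and its DMARC policy is `p=reject`.

```python
"""Check whether a retired mail domain has been locked down in DNS.

Added example: evaluates constructed SPF/DMARC TXT records for two
hypothetical domains. Nothing here is a real record for any organisation.
"""
import re
from typing import Dict, List, Optional

# Constructed sample TXT data (reserved .test TLD, no real domains).
SAMPLE_TXT: Dict[str, List[str]] = {
    # Retired but still authorising a provider and an old address range,
    # with DMARC only monitoring: mail relayed via either still passes SPF.
    "retired-open.test": [
        "v=spf1 include:_spf.mailprovider.test ip4:203.0.113.0/24 ~all"
    ],
    "_dmarc.retired-open.test": [
        "v=DMARC1; p=none; rua=mailto:dmarc@retired-open.test"
    ],
    # Locked down: nobody may send as this domain and receivers should reject.
    "retired-locked.test": ["v=spf1 -all"],
    "_dmarc.retired-locked.test": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}

# SPF modifiers look like name=value (redirect=, exp=); mechanisms do not.
MODIFIER_RE = re.compile(r"^[A-Za-z][\w.-]*=")


def lookup_txt(name: str, zone: Dict[str, List[str]] = SAMPLE_TXT) -> List[str]:
    """Stand-in for a DNS TXT query against the constructed zone data."""
    return zone.get(name.lower().rstrip("."), [])


def find_spf(txt_records: List[str]) -> Optional[str]:
    """The SPF record is the single TXT record starting with 'v=spf1'.
    Zero or more than one such record means SPF cannot be evaluated."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_spf(record: str) -> List[tuple]:
    """Split an SPF record into ('mechanism', qualifier, name) and
    ('modifier', name, value) terms. A missing qualifier means '+'."""
    terms = []
    for tok in record.split()[1:]:  # skip the 'v=spf1' version term
        if MODIFIER_RE.match(tok):
            name, value = tok.split("=", 1)
            terms.append(("modifier", name.lower(), value))
        else:
            qualifier = tok[0] if tok[0] in "+-~?" else "+"
            mech = tok[1:] if tok[0] in "+-~?" else tok
            terms.append(("mechanism", qualifier, mech.lower()))
    return terms


def spf_is_null(record: Optional[str]) -> bool:
    """True only for a record that authorises no sender at all: its sole
    mechanism is '-all' and no redirect= delegates to another domain."""
    if record is None:
        return False
    terms = parse_spf(record)
    mechanisms = [(q, m) for kind, q, m in terms if kind == "mechanism"]
    modifiers = {name for kind, name, _ in terms if kind == "modifier"}
    return mechanisms == [("-", "all")] and "redirect" not in modifiers


def parse_dmarc(txt_records: List[str]) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' pairs from the single DMARC record."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return {}
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_retired_domain(domain: str, zone: Dict[str, List[str]] = SAMPLE_TXT) -> dict:
    """Report whether a domain its owner no longer uses is locked down."""
    spf = find_spf(lookup_txt(domain, zone))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, zone))
    policy = dmarc.get("p", "").lower() or None
    findings = []
    if spf is None:
        findings.append("no SPF record: publish 'v=spf1 -all' so no host is authorised")
    elif not spf_is_null(spf):
        findings.append(f"SPF still authorises senders ({spf}): replace with 'v=spf1 -all'")
    if policy != "reject":
        findings.append(f"DMARC policy is {policy or 'absent'}: publish p=reject")
    return {
        "domain": domain,
        "spf": spf,
        "spf_null": spf_is_null(spf),
        "dmarc_policy": policy,
        "locked_down": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for name in ("retired-open.test", "retired-locked.test", "no-records.test"):
        print(assess_retired_domain(name))
```

The strict null-SPF test matters because a dormant record such as `~all` after a list of providers is common and still lets mail relayed through those providers pass; the check also treats a missing record as not locked down, since receivers then have nothing to reject on. Whether BP's problem was a stale record or a still-running server is not something the article establishes, and this check only covers the DNS side.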
The incident may have some similarities with one affecting London cloud firm Datrix, whose email systems were nearly used to send "several thousand" malicious messages after a staffer fat-fingeredly opened a phishing email back in 2019.
The Information Commissioner's Office was informed of the incident. ®