Written by: Nicole Fishbein and Ryan Robinson
The Intezer research team has found a sophisticated campaign, active for at least one year, targeting large international companies in the energy, oil & gas, and electronics industries. The attack also targets oil & gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear phishing emails to companies that work with the supplier, using the established reputation of the supplier to go after more targeted entities.
The attackers use typosquatted and spoofed emails to launch the attack. The campaign spreads via phishing emails tailored to employees at each company being targeted. The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity. Each email has an attachment, usually an IMG, ISO or CAB file. These file formats are commonly used by attackers to evade detection by email-based antivirus scanners. Once the victim opens the attachment and clicks on one of the contained files, an information stealer is executed.
Below we describe the attack vector, the attackers’ motives and tactics used in this campaign, and how you can protect your systems from this attack.
- The campaign uses spoofed or typosquatted emails to make them look like part of a normal business-to-business (B2B) correspondence.
- The attached file is primarily an IMG, ISO or CAB file containing information stealer malware.
- The dropped malware is generally able to steal private information, log keyboard strokes and steal browsing data.
Recently, we have identified a number of IMG files with names related to the oil & gas and energy industries. Inside these image files is predominantly .NET malware. Upon further investigation, the distribution method for this malware appears to be spear phishing emails, with either an IMG, ISO, or CAB file included as an attachment and sent to specific targets. The IMG/ISO files are Universal Disk Format (UDF) disk images, a format commonly used for DVDs. Cabinet (CAB) files are a type of archive file. In most of these emails the file name and icon of the attachment mimic a PDF. The purpose is to make the file look less suspicious, enticing the targeted individual to open and read it.
The campaign targets companies from around the world, including the United States, United Arab Emirates (UAE) and Germany, but its primary targets are South Korean companies. The targeted industries are wide-ranging but mostly focused on the energy sector.
- Oil & Gas
- Information Technology
The emails are formatted to look like valid correspondence between two companies. This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments. The emails use social engineering tactics such as making references to executives, using physical addresses, logos and emails of legitimate companies. They also include requests for quotations (RFQ), contracts, and referrals/tenders to real projects related to the business of the targeted company.
The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence. The recipient email addresses of these emails range from generic email handles such as “[email protected]_company[.]com” or “[email protected]_company[.]com” to specific people within companies. This suggests that for some companies they have likely managed to gather more intelligence during reconnaissance than others.
An example of one of the emails involved in the campaign (image below) uses a combined cycle power plant (CCPP) project in Panama as a lure. The email pretends to be sent from Hyundai Engineering Co (HEC). The email asks the receiver to submit a bid for the supply of equipment in the project and states that more details and requirements can be found in the attached file (containing the malware). The email presents a strict deadline for which the request for the bid should be submitted.
Phishing email inviting recipient to participate in a project.
Upon opening the disk image file the target is presented with an executable.
Malicious file contained in the disk image.
In several emails it appears the sender domains have been typosquatted in order to increase the credibility of the spear phishing attempt. Typosquatting is a technique used to social engineer email recipients into thinking an email has been sent from a trusted entity. It is performed by registering a domain name which mimics a legitimate domain. When viewed quickly, the look-alike domain increases the chances of the recipient thinking that the email has been sent from a legitimate company.
In this campaign, many of the typosquatted domains mimic South Korean companies with legitimate domains in the format of <company.co.kr>. Typosquatting is achieved by registering a domain without the second level “.co” and instead registering the domain as <company-co.kr>. One example of this is the domain <hec-co.kr>, registered by the attackers to typosquat the legitimate domain for the company Hyundai Engineering (hec.co.kr). The typosquatted email from “Hyundai Engineering” invites the recipient to reply to a confidentiality agreement with respect to a refinery expansion project.
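One way to catch this pattern on the receiving side is to compare every inbound sender domain against an allow-list of partners you actually correspond with. The following Python is an added example written for this post, not code from Intezer or from any of the companies named; the partner list and the local part `bid@` are constructed assumptions. It generates the look-alike forms described above (`company.co.kr` folded into `company-co.kr`), plus dropped, doubled and swapped characters in the registrable label, and falls back to an edit distance of one over the whole domain.

```python
from email.utils import parseaddr

# Constructed allow-list of partner domains this organisation legitimately
# corresponds with (hypothetical; maintain this from your own CRM/vendor data).
KNOWN_PARTNER_DOMAINS = ["hec.co.kr", "gustomsc.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete or substitute one char)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_variants(domain: str) -> set:
    """Generate look-alike forms of a legitimate domain.

    Covers the pattern seen in this campaign (company.co.kr -> company-co.kr
    or companyco.kr) and common registration tricks on the registrable label:
    one character omitted, one character doubled, two adjacent characters swapped.
    """
    variants = set()
    labels = domain.lower().split(".")
    if len(labels) >= 3:
        # Second-level label folded into the name: hec.co.kr -> hec-co.kr / hecco.kr
        tail = ".".join(labels[2:])
        variants.add(f"{labels[0]}-{labels[1]}.{tail}")
        variants.add(f"{labels[0]}{labels[1]}.{tail}")
    name, rest = labels[0], ".".join(labels[1:])
    for i in range(len(name)):
        variants.add(f"{name[:i]}{name[i + 1:]}.{rest}")             # omission
        variants.add(f"{name[:i]}{name[i]}{name[i:]}.{rest}")        # repetition
        if i + 1 < len(name):                                        # transposition
            variants.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{rest}")
    variants.discard(domain.lower())
    return variants


def sender_domain_of(from_header: str) -> str:
    """Extract the domain from a From: header value such as 'Name <user@domain>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender_domain(sender_domain: str) -> str:
    """Return 'legitimate', 'typosquat:<partner domain>' or 'unknown'."""
    sender_domain = sender_domain.lower().rstrip(".")
    if sender_domain in KNOWN_PARTNER_DOMAINS:
        return "legitimate"
    for legit in KNOWN_PARTNER_DOMAINS:
        if sender_domain in typosquat_variants(legit):
            return f"typosquat:{legit}"
        # Fallback: a single substitution/insertion/deletion over the full domain,
        # which also catches '.' replaced by '-' between labels.
        if levenshtein(sender_domain, legit) <= 1:
            return f"typosquat:{legit}"
    return "unknown"


if __name__ == "__main__":
    # Constructed From: header using the typosquatted domain named in the post;
    # the local part is an assumption, not taken from the campaign.
    header = "Hyundai Engineering <bid@hec-co.kr>"
    print(header, "->", classify_sender_domain(sender_domain_of(header)))
```

The allow-list approach only flags domains that resemble a known partner; an unknown domain still passes as "unknown" and should be handled by the usual sender-reputation and authentication checks. Keep the fuzzy fallback conservative (distance one over the full domain), since short labels otherwise produce false positives.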
Email sent from typosquatted domain ([email protected]).
Another typosquatted email that caught our attention was supposedly sent by Barend Jenje from GustoMSC, asking to return a signed non-disclosure agreement (NDA). The attachment was just an IMG file containing a malware executable.
GustoMSC is based in The Netherlands, specializing in offshore equipment and technology for the oil & gas industry. On June 14, 2021, GustoMSC posted an alert on their site warning users that the company’s domain was being typosquatted and scammers were sending emails on behalf of their employees.
The email below references the Dunkirk offshore wind farm project to add credibility to the message. The project was granted to the Éoliennes en Mer de Dunkerque (EMD) consortium by the French government in June 2019. The consortium is made up of several companies, two of which are mentioned in the email: EDF Renouvelables and Enbridge. In recent news, the companies announced their decision to move forward with the development of the project beginning in the second half of 2021.
It would make sense then why the attackers name-dropped this project: it had recent developments in the news, and GustoMSC is involved in the offshore wind farm.
Phishing email impersonating GustoMSC.
Many email addresses in this campaign are spoofed by the actor. Email spoofing is another tactic that is used to social engineer targets into opening emails. Email spoofing is done by sending an email with forged headers to suggest that the email is sent from a trusted or legitimate entity. An example of a spoofed email from this campaign pretends to come from a company called Haesung Tech, seen below.
Spoofed email pretending to be sent from Haesung Tech.
This email is clearly spoofed, since the Sender Policy Framework (SPF) check recorded in the header does not pass. The reason for this is that there is no DNS TXT record for haesungtech.com that defines a permitted sender. The SPF verdict is shown below.
Sender Policy Framework (SPF) verdict.
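The SPF verdict a receiving server records can be read back out of the message headers and turned into a triage signal. The Python below is an added example for this post (not Intezer's code), using the standard library only; the two raw messages are constructed, with placeholder domains rather than those of any real company. It parses the `Authentication-Results` header (RFC 8601 format) and falls back to `Received-SPF`, then rates the message: `fail`/`softfail`/`permerror` is high risk, `none` (no SPF record, as in the case above) or a missing check is medium, and even `pass` is downgraded when the envelope sender domain differs from the visible From: domain.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message: a sender whose domain publishes no SPF record, so the
# receiving server records spf=none (placeholder domains, not a real company).
SAMPLE_SPF_NONE = """\
Authentication-Results: mx.example.net;
 spf=none (mx.example.net: supplier.example does not designate permitted sender hosts) smtp.mailfrom=supplier.example;
 dkim=none;
 dmarc=none
Received-SPF: none (mx.example.net: supplier.example does not designate permitted sender hosts) client-ip=203.0.113.7
From: Sales <sales@supplier.example>
To: purchasing@target.example
Subject: RFQ - Quotation Request

Please find the attached RFQ.
"""

# Constructed message: SPF evaluated and failed outright.
SAMPLE_SPF_FAIL = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=partner.example; dkim=none; dmarc=fail
From: Partner <bids@partner.example>
To: purchasing@target.example
Subject: NDA

Please sign the attached NDA.
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", re.IGNORECASE)


def authentication_verdicts(raw_message: str) -> dict:
    """Return the spf/dkim/dmarc verdicts plus envelope and header From domains."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing",
               "mailfrom_domain": None, "from_domain": None}
    for header in msg.get_all("Authentication-Results", []):
        text = str(header)
        for method, verdict in AUTH_RESULT_RE.findall(text):
            results[method.lower()] = verdict.lower()
        match = MAILFROM_RE.search(text)
        if match:
            results["mailfrom_domain"] = match.group(1).lower()
    if results["spf"] == "missing":
        # Older or simpler MTAs only add Received-SPF; its first token is the verdict.
        received_spf = msg.get("Received-SPF")
        if received_spf:
            results["spf"] = str(received_spf).split()[0].lower()
    _, addr = parseaddr(msg.get("From", ""))
    results["from_domain"] = addr.rpartition("@")[2].lower() or None
    return results


def spf_risk(raw_message: str) -> str:
    """Map the recorded SPF outcome to a coarse risk level for mail triage."""
    v = authentication_verdicts(raw_message)
    if v["spf"] in ("fail", "softfail", "permerror"):
        return "high"
    if v["spf"] in ("none", "missing", "neutral", "temperror"):
        return "medium"
    # spf=pass only vouches for the envelope sender; flag a mismatch with the
    # From: header the user actually sees.
    if v["mailfrom_domain"] and v["from_domain"] and v["mailfrom_domain"] != v["from_domain"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, sample in (("spf=none", SAMPLE_SPF_NONE), ("spf=fail", SAMPLE_SPF_FAIL)):
        print(name, authentication_verdicts(sample), "->", spf_risk(sample))
```

Note that a typosquatted domain registered by the attacker can legitimately pass SPF for its own mail, so this check complements rather than replaces sender-domain allow-listing; an SPF `pass` on a look-alike domain is still suspicious.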
This campaign uses several known Remote Access Tools (RATs) and information stealing malware contained in the files attached to the phishing emails. Although the threats belong to different malware families, they do share a number of capabilities including: stealing private and banking information, logging keyboard strokes and stealing browsing data.
There are several known malware-as-a-service (MaaS) threats like Formbook and Agent Tesla used in this campaign. Other threats we have identified are Loki, Snake Keylogger and AZORult.
Each email has an attached file containing one or more executables encapsulated inside an IMG, ISO, or CAB file, each belonging to one of the threats mentioned above. In Windows 8 and Windows 10, simply double-clicking on a virtual disk file will automatically mount its content. This feature is appealing for threat actors because it takes a small number of user clicks to execute the malware. In addition, traditional email defenses do not handle disk image files as well as more common formats such as ZIP files. Therefore, it’s more likely that the malicious emails will end up in the inbox of the recipients without being blocked. One of the emails we analyzed was allegedly sent by Rashid Mahmood from China Petroleum Engineering & Construction Corporation (CPECC), a subsidiary of the China National Petroleum Corporation. The recipient of the phishing email works for a company called GS E&C, a Korean EPC contractor engaged in various global power plant projects.
Phishing email sent to GS E&C.
The email contains a reference to the expansion project of an oil field in Abu Dhabi called BAB. BAB is the oldest operating field in the United Arab Emirates (UAE). The receiver of this email, who works at GS E&C, is invited to submit both technical and commercial offers for the items described in the attached material take off (MTO) document (below).
Second part of the phishing email sent to employee at GS E&C.
There is a typo in the email below. Instead of “regional headquarters” the address says “Reginal Headquarter.” In addition to this mistake, the address provided is the actual address of CPECC in UAE.
Phishing email with a typo.
Though the attached file has a seemingly complementary name related to the contents of the email, it is actually an IMG file that contains Snake Keylogger malware. Once the user double-clicks on the IMG file, its content is mounted, as shown below, and the user can click the contained file to execute it.
Mounted disk image file with malicious Snake Keylogger binary masquerading as PDF.
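Because the attachment's name and icon are chosen to look like a PDF, a mail gateway should decide on the container's actual format rather than its extension. The following Python is an added example for this post (not Intezer's code and not tied to any real gateway product): it identifies CAB (`MSCF` at offset 0), ISO 9660 (`CD001` in the volume descriptors from byte 0x8000) and UDF (`NSR02`/`NSR03` in the volume recognition sequence at the same offset) by their signatures, and quarantines disk images, cabinets and bare executables, or anything named like a PDF that is not one. The sample blobs are constructed stubs with only the signature bytes in place, not real mountable images.

```python
import os

SECTOR = 2048  # optical disc logical sector size; descriptors start at sector 16

# Content type -> extensions under which that content is honestly named
ALLOWED_EXTENSIONS = {
    "iso9660": {".iso", ".img"},
    "udf": {".iso", ".img", ".udf"},
    "cab": {".cab"},
    "pdf": {".pdf"},
    "pe": {".exe", ".dll", ".scr"},
}
# Types that Windows mounts/extracts on a double-click or runs directly
QUARANTINE_TYPES = {"iso9660", "udf", "cab", "pe"}


def identify_container(data: bytes) -> str:
    """Classify an attachment by signature bytes, ignoring its filename."""
    if data[:4] == b"MSCF":
        return "cab"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:2] == b"MZ":
        return "pe"
    # The first 16 sectors (32 KiB) of a disc image are unused system area;
    # each descriptor after that carries a 5-byte identifier at byte offset 1.
    identifiers = set()
    for off in range(16 * SECTOR, min(len(data), 32 * SECTOR), SECTOR):
        identifiers.add(bytes(data[off + 1:off + 6]))
    if identifiers & {b"NSR02", b"NSR03"}:
        return "udf"
    if b"CD001" in identifiers:
        return "iso9660"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return the detected type, an allow/quarantine verdict and the reasons."""
    actual = identify_container(data)
    lowered = filename.lower()
    ext = os.path.splitext(lowered)[1]
    reasons = []
    if actual in QUARANTINE_TYPES:
        reasons.append(f"{actual} content is mounted, extracted or executed on double-click")
    if actual in ALLOWED_EXTENSIONS and ext not in ALLOWED_EXTENSIONS[actual]:
        reasons.append(f"extension {ext!r} does not match content type {actual}")
    if ".pdf" in lowered and actual != "pdf":
        reasons.append("filename mimics a PDF document")
    return {"type": actual, "verdict": "quarantine" if reasons else "allow", "reasons": reasons}


def _fake_disc_image(descriptor_ids) -> bytes:
    """Build a zero-filled 64 KiB blob with the given identifiers at byte 1 of
    consecutive sectors from sector 16 (constructed test data, not a real image;
    the descriptor type byte is left at 0 because identification ignores it)."""
    buf = bytearray(32 * SECTOR)
    for n, ident in enumerate(descriptor_ids):
        off = (16 + n) * SECTOR
        buf[off + 1:off + 6] = ident
    return bytes(buf)


# Constructed samples
FAKE_ISO_IMAGE = _fake_disc_image([b"CD001", b"CD001"])
FAKE_UDF_IMAGE = _fake_disc_image([b"BEA01", b"NSR02", b"TEA01"])
FAKE_CAB = b"MSCF" + bytes(60)
FAKE_PDF = b"%PDF-1.4\n%constructed\n"

if __name__ == "__main__":
    for name, blob in (("RFQ_Document.pdf.img", FAKE_UDF_IMAGE),
                       ("MTO_List.pdf", FAKE_PDF),
                       ("Quotation.cab", FAKE_CAB)):
        print(name, "->", triage_attachment(name, blob))
```

This identifies the container only; the executable inside a mounted image is not inspected here, which is exactly why the verdict for disk images is to quarantine (or detonate in a sandbox) rather than to rely on the extension or icon. A gateway that additionally walks the ISO 9660 or UDF directory tree can apply the same `identify_container` check to each file inside.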
To bypass detection from standard Antiviruses, the execution of the malware is fileless, meaning that it is loaded into memory without creating a file on disk. In this case, it performs the same loading and execution process used to load Agent Tesla as reported by BlackBerry.
We uploaded the attached file to Intezer Analyze. The file contains a malicious PE file that shares code with other Snake Keylogger samples.
Genetic analysis of the ISO sample containing Snake Keylogger.
Targeting Companies in Religion Media Business
Among the targeted companies there is one that differs drastically from the others. The company is FEBC, a religious Korean Christian radio broadcaster that reaches countries outside of South Korea, many of which downplay or ban religion. One of FEBC’s goals is to subvert the religion ban in North Korea.
Treat emails with awareness and caution, especially emails that are received from outside your company’s domain. Most importantly, don’t open suspicious files or links.
Fileless malware is now very common. A recent blog by Panda Security states that fileless malware rates in 2020 increased by 888% over 2019. Therefore, it is important to ensure that your organization’s security strategy includes software that is able to detect malware injected and executed in-memory. In case you come across a suspicious file, you can upload it to Intezer Analyze to get an immediate verdict (trusted or malicious) and malware family classification if it is indeed a malicious file. The platform supports a wide range of file formats, including Windows and Linux executables, scripts and documents.
To summarize, don’t click on suspicious emails and make sure you have a solution that handles fileless malware in-memory effectively. Intezer Analyze can help you with the latter.