Bitdefender researchers have recently found spearphishing campaigns, either impersonating a well-known Egyptian engineering contractor or a shipment company, dropping the Agent Tesla spyware Trojan. The impersonated engineering contractor (Enppi – Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others, based on Bitdefender telemetry. The second campaign, impersonating the shipment company, used legitimate information about a chemical/oil tanker, plus industry jargon, to make the email believable when targeting victims from the Philippines.
Oil & gas has been under tremendous stress in recent weeks, as the global COVID-19 pandemic lowered oil demand. Oil prices per barrel have dropped by more than half to the lowest since 2002. However, a disruptive dispute over oil production between Russia and Saudi Arabia ended with an agreement at the recent meeting between the OPEC+ alliance and the Group of 20 nations, aiming to slash oil production output and balance prices.
While the malware payload itself is not as sophisticated as those used in more advanced and targeted attacks, the fact that they’ve been orchestrated and executed during this time, and before the “historic OPEC+ deal”, suggests motivation and interest in knowing how specific countries plan to address the issue.
Cybercriminals are often opportunistic and leverage popular media topics in spearphishing campaigns that usually target large numbers of victims. However, we recently found a campaign that seems to specifically target the oil & gas sector, based on a telemetry spike on March 31st. Interestingly, the payload is a spyware Trojan that packs keylogging capabilities, and has not been associated with oil & gas spearphishing campaigns in the past.
The second campaign that impersonated a shipping company seems to have started on April 12 and targeted only a handful of shipping companies based in the Philippines over the course of two days.
Carefully Crafted Spearphishing
The spearphishing email mimics Egyptian state oil company Engineering for Petroleum and Process Industries (Enppi) and claims to invite the recipient to submit a bid for equipment and materials, as part of a project (Rosetta Sharing Facilities Project) on behalf of a well-known gas company (Burullus).
The Agent Tesla spyware Trojan has reportedly been around since 2014, but has undergone constant improvements and updates. It reportedly operates under a malware-as-a-service offering, with its developers offering various pricing tiers based on different licensing models. Agent Tesla operators seem to have stayed in business for quite some time
Some of its most known and popular capabilities involve stealth, persistence and security evasion techniques that ultimately enable it to extract credentials, copy clipboard data, perform screen captures, form-grabbing, and keylogging functionality, and even collect credentials for a variety of installed applications.
Security researchers have already documented the full extent of Agent Tesla’s capabilities in various pieces of research. What’s interesting is that, until now, it has not been associated with campaigns targeting the oil & gas vertical.