Cyber criminals are targeting energy, oil and gas, and other companies around the world with a phishing campaign designed to deliver malware capable of stealing usernames, passwords and other sensitive information in what's believed to be the first stage of a wider campaign.
Detailed by cybersecurity company Intezer, the phishing campaign has been active for at least a year and those behind it appear to have put a lot of effort into making the phishing emails look as legitimate as possible.
The phishing emails include references to executives, addresses of offices, official logos and requests for quotations, contracts and refer to real projects in order to look authentic.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
Cyber criminals have sent the emails to international companies in the oil and gas, energy, manufacturing and technology sectors around the world, with targets including companies in the United States, United Arab Emirates, Germany and South Korea.
In one case detailed by researchers, the phishing email referred to a specific power plant project as a lure.
This phishing email and others invite the victim to click on an attachment designed to look like a PDF but it is actually an IMG, ISO, or CAB file which redirects users to an executable file – if this is run, it will install malware on the PC.
Several different forms of Remote Access Tools (RATs) and information-stealing malware are being deployed in these attacks, including Formbook, Agent Tesla and Loki. Many of these are malware-as-a-service operations, meaning that those behind the phishing attacks are leasing malware, rather than developing it themselves.
"It appears that the use of malware-as-a-service threats helps blend in with the noise of other malicious activity. It appears that they are casting a wide net with these types of threats and also targeting a lot of small-to-medium-sized suppliers. Both might also indicate that this is the first stage in what may be wider activity," Ryan Robinson, a security researcher at Intezer, told ZDNet.
SEE: This new ransomware group claims to have breached over 30 organisations so far
It's currently unknown who exactly is behind the phishing attacks, but Robinson said their methods "show a decent level of sophistication."
While some of the infrastructure around the attacks has been removed, it's likely that the phishing campaign remains active.
"Treat emails with awareness and caution, especially emails that are received from outside your company's domain. Most importantly, don't open suspicious files or links," warned the research paper.
MORE ON CYBERSECURITY