A new wave of spear-phishing emails masquerading as legitimate procurement and accounting letters have hit over 400 industrial organizations, according to Kaspersky Lab.
Data collected by Kaspersky showed that the malware associated with the campaign attacked nearly 800 company PCs across various industries. The attacks, which are ongoing, attempt to steal money and confidential data from the targeted organizations, which include oil and gas to metallurgy, energy, construction and logistics.
The spear-phishing emails, Kaspersky’s security researchers discovered, are tailored with “content that corresponded to the profile of the attacked organizations and took into account the identity of the employee – the recipient of the letter.”
“This suggests that the attacks were carefully prepared and that criminals took the time to develop an individual letter for each user,” the researchers say.
The emails either contain malicious attachments designed to silently install modified legitimate software onto the victim’s machine, such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS), or try to trick victims into following external links and downloading malicious objects from there.
Analysis of the attacks has revealed the use of various techniques to mask the presence of malware on the system. Incidents involving RMS software relied on exfiltrating data over email, while those abusing legitimate TeamViewer software sent the data directly to a command and control (C&C) server.
The main goals of these attacks is to steal money from the victim organizations’ accounts. After gaining access to a victim’s system and gathering required information by accessing documents and financial and accounting software, the attackers would engage in various financial fraud operations, such as spoofing the bank details used to make payments.
When needed, the attackers would also upload additional malware onto the compromised machines, specifically crafted for each attack. They have been using spyware, remote administration tools to expand their control over the infected systems, Mimikatz, and malware to exploit different vulnerabilities in the operating system.
Some of the malicious programs found on compromised machines includes the Babylon RAT, Betabot/Neurevt, AZORult stealer, Hallaj PRO Rat families. These allowed attackers to log keystrokes, take screenshots, collect system information, download additional malware, steal passwords and crypto-currency wallets, intercept traffic, and conduct distributed denial of service (DDoS) attacks.
In some attacks, the remote administration tool called RemoteUtilities was used to remotely control the infected system, transfer files, manage running applications, manage hardware, remote shell, capture screenshots and screen videos, and record audio and video.
While the attacks did not appear to concentrate on companies in a specific industry or sector, the actors did focus on compromising systems belonging to industrial companies. Furthermore, most of the organizations that were hit are located in Russia, Kaspersky said.
“The attackers demonstrated a clear interest in targeting industrial companies in Russia. Based on our experiences, this is likely to be due to the fact that their level of cybersecurity awareness is not as high as it is in other markets, such as financial services. That makes industrial companies a lucrative target for cybercriminals – not only in Russia, but across the world,” Vyacheslav Kopeytsev, security expert, Kaspersky Lab, said.
Related: Five Threat Groups Target Industrial Systems: Dragos
Related: Industrial Networks Easy to Hack From Corporate Systems: Study

More from Ionut Arghire
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
Latest News
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
