Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Use of Common Malware in Operation Targeting Energy Sector Makes Attribution Difficult

Researchers at cybersecurity firm Intezer have been monitoring a campaign that appears to be mainly aimed at the energy sector, but attribution to a known threat group is made difficult by the fact that the operation involves several common malware families.

Researchers at cybersecurity firm Intezer have been monitoring a campaign that appears to be mainly aimed at the energy sector, but attribution to a known threat group is made difficult by the fact that the operation involves several common malware families.

The threat actor is attempting to deliver its malware using spear-phishing emails that are customized for the employees of each targeted organization. The emails come from spoofed or typosquatted addresses in an effort to increase their chances of success.

“The contents and sender of the emails are made to look like they are being sent from another company in a relevant industry offering a business partnership or opportunity,” Intezer explained.

The campaign started at least one year ago and it has targeted international companies in South Korea — this country appears to be the primary target — the United States, the United Arab Emirates, and Germany.

While the operation appears to focus on the energy sector, the attackers have sent their malicious emails to organizations in several sectors, including energy, oil and gas, IT, manufacturing, and media.

Suppliers for the energy sector have also been targeted, which could indicate that these attacks are only the initial stage of a larger campaign.

Advertisement. Scroll to continue reading.

“In the event of a successful breach, the attacker could use the compromised email account of the receipt to send spear phishing emails to companies that work with the supplier. Thus using the established reputation of the supplier to go after more targeted entities,” Intezer said.

The spear-phishing emails carry IMG, ISO or CAB files that are often disguised as PDF documents — the attackers use these formats in an effort to evade email security products. When these files are opened, a piece of malware is executed on the victim’s device.

The campaign involves several widely used malware families, many of which have been around for years and are offered through a malware-as-a-service (MaaS) model. The list includes Formbook, Agent Tesla, Loki, Snake Keylogger and AZORult. These pieces of malware enable the attackers to steal sensitive information from compromised systems.

Intezer told SecurityWeek that the use of MaaS malware is the main reason why it has not been able to link this campaign to a known threat actor.

“[The use of several MaaS threats] helps their activity blend in with the noise of other actors using the same types of malware,” said Intezer researcher Ryan Robinson. “We were also not able to link the attacker network infrastructure to any previous campaigns.”

Intezer has published a blog post that provides several examples of emails sent out as part of the campaign and it has also shared indicators of compromise (IoCs).

Related: Iran-Linked RAT Used in Recent Attacks on European Energy Sector

Related: Energy Sector Most Impacted by ICS Flaws, Attacks

Related: South Korean Atomic Energy Research Institute Confirms Cyberattack

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.