Use of Common Malware in Operation Targeting Energy Sector Makes Attribution Difficult

Researchers at cybersecurity firm Intezer have been monitoring a campaign that appears to be mainly aimed at the energy sector, but attribution to a known threat group is made difficult by the fact that the operation involves several common malware families.

The threat actor is attempting to deliver its malware using spear-phishing emails that are customized for the employees of each targeted organization. The emails come from spoofed or typosquatted addresses in an effort to increase their chances of success.

“The contents and sender of the emails are made to look like they are being sent from another company in a relevant industry offering a business partnership or opportunity,” Intezer explained.

The campaign started at least one year ago and it has targeted international companies in South Korea — this country appears to be the primary target — the United States, the United Arab Emirates, and Germany.

While the operation appears to focus on the energy sector, the attackers have sent their malicious emails to organizations in several sectors, including energy, oil and gas, IT, manufacturing, and media.

Suppliers for the energy sector have also been targeted, which could indicate that these attacks are only the initial stage of a larger campaign.

“In the event of a successful breach, the attacker could use the compromised email account of the receipt to send spear phishing emails to companies that work with the supplier. Thus using the established reputation of the supplier to go after more targeted entities,” Intezer said.

The spear-phishing emails carry IMG, ISO or CAB files that are often disguised as PDF documents — the attackers use these formats in an effort to evade email security products. When these files are opened, a piece of malware is executed on the victim’s device.

The campaign involves several widely used malware families, many of which have been around for years and are offered through a malware-as-a-service (MaaS) model. The list includes Formbook, Agent Tesla, Loki, Snake Keylogger and AZORult. These pieces of malware enable the attackers to steal sensitive information from compromised systems.

Intezer told SecurityWeek that the use of MaaS malware is the main reason why it has not been able to link this campaign to a known threat actor.

“[The use of several MaaS threats] helps their activity blend in with the noise of other actors using the same types of malware,” said Intezer researcher Ryan Robinson. “We were also not able to link the attacker network infrastructure to any previous campaigns.”

Intezer has published a blog post that provides several examples of emails sent out as part of the campaign and it has also shared indicators of compromise (IoCs).

Related: Iran-Linked RAT Used in Recent Attacks on European Energy Sector

Related: Energy Sector Most Impacted by ICS Flaws, Attacks

Related: South Korean Atomic Energy Research Institute Confirms Cyberattack