Connect with us

Hi, what are you looking for?



Use of Common Malware in Operation Targeting Energy Sector Makes Attribution Difficult

Researchers at cybersecurity firm Intezer have been monitoring a campaign that appears to be mainly aimed at the energy sector, but attribution to a known threat group is made difficult by the fact that the operation involves several common malware families.

Researchers at cybersecurity firm Intezer have been monitoring a campaign that appears to be mainly aimed at the energy sector, but attribution to a known threat group is made difficult by the fact that the operation involves several common malware families.

The threat actor is attempting to deliver its malware using spear-phishing emails that are customized for the employees of each targeted organization. The emails come from spoofed or typosquatted addresses in an effort to increase their chances of success.

“The contents and sender of the emails are made to look like they are being sent from another company in a relevant industry offering a business partnership or opportunity,” Intezer explained.

The campaign started at least one year ago and it has targeted international companies in South Korea — this country appears to be the primary target — the United States, the United Arab Emirates, and Germany.

While the operation appears to focus on the energy sector, the attackers have sent their malicious emails to organizations in several sectors, including energy, oil and gas, IT, manufacturing, and media.

Suppliers for the energy sector have also been targeted, which could indicate that these attacks are only the initial stage of a larger campaign.

“In the event of a successful breach, the attacker could use the compromised email account of the receipt to send spear phishing emails to companies that work with the supplier. Thus using the established reputation of the supplier to go after more targeted entities,” Intezer said.

Advertisement. Scroll to continue reading.

The spear-phishing emails carry IMG, ISO or CAB files that are often disguised as PDF documents — the attackers use these formats in an effort to evade email security products. When these files are opened, a piece of malware is executed on the victim’s device.

The campaign involves several widely used malware families, many of which have been around for years and are offered through a malware-as-a-service (MaaS) model. The list includes Formbook, Agent Tesla, Loki, Snake Keylogger and AZORult. These pieces of malware enable the attackers to steal sensitive information from compromised systems.

Intezer told SecurityWeek that the use of MaaS malware is the main reason why it has not been able to link this campaign to a known threat actor.

“[The use of several MaaS threats] helps their activity blend in with the noise of other actors using the same types of malware,” said Intezer researcher Ryan Robinson. “We were also not able to link the attacker network infrastructure to any previous campaigns.”

Intezer has published a blog post that provides several examples of emails sent out as part of the campaign and it has also shared indicators of compromise (IoCs).

Related: Iran-Linked RAT Used in Recent Attacks on European Energy Sector

Related: Energy Sector Most Impacted by ICS Flaws, Attacks

Related: South Korean Atomic Energy Research Institute Confirms Cyberattack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...