An unknown group has been conducting a year-long spear-phishing campaign against energy companies and other industries around the world.
According to new research from Intezer, the campaign has been running for at least a year and targets companies and employees in the oil and gas, energy, information technology, media and electronics industries around the world, though many of the affected businesses are located in South Korea. The spear-phishing emails use both typosquatted lookalike domains and sender spoofing to make the messages appear to come from established companies. They also reference company executives by name and include legitimate business addresses and company logos.
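The two sender tricks described above, lookalike domains and a display name that borrows a real company's name while the address does not, can be checked mechanically at the mail gateway. The following is an added example for illustration and is not code from Intezer's research; the trusted-domain list, the homoglyph table and the sample `From:` headers are all constructed assumptions.

```python
"""Flag typosquatted sender domains and display-name spoofing in From: headers.

Added example, not Intezer's code. TRUSTED_DOMAINS and the sample headers are
constructed for illustration only.
"""
from email.utils import parseaddr

# Hypothetical list of legitimate domains the organisation does business with.
TRUSTED_DOMAINS = {"hyundai-engineering.com", "example-energy.com"}

# Single characters that attackers commonly substitute for look-alikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


def normalize(domain: str) -> str:
    """Collapse common visual substitutions so look-alikes compare as near-equal."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 2) -> dict:
    """Return trusted / lookalike / display_name_spoof / untrusted for a From: header."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    result = {"domain": domain, "verdict": "untrusted", "closest": None}
    if domain in TRUSTED_DOMAINS:
        result["verdict"] = "trusted"
        return result
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, normalize(trusted)) <= max_distance:
            result["verdict"] = "lookalike"
            result["closest"] = trusted
            break
    # Display name carries a trusted brand word but the domain is unrelated:
    # the spoofing variant that does not need a registered look-alike domain.
    brand_words = {t.split(".")[0].split("-")[0] for t in TRUSTED_DOMAINS}
    if result["verdict"] == "untrusted" and any(w in display.lower() for w in brand_words):
        result["verdict"] = "display_name_spoof"
    return result


if __name__ == "__main__":
    # Constructed sample headers, not taken from the campaign.
    for hdr in ["Procurement <bids@hyundai-engineering.com>",
                "Hyundai Engineering <bids@hyundai-engineerlng.com>",
                "Hyundai Engineering Procurement <someone@gmail.com>",
                "Bob <bob@unrelated.org>"]:
        print(hdr, "->", classify_sender(hdr)["verdict"])
```

The distance threshold of 2 is a tuning choice: it catches single-character swaps and dropped letters but will also match short, legitimately similar domains, so in practice the lookalike verdict should raise a warning banner rather than block outright.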
Many of the spear-phishing emails show that the threat actor has done their homework: they are filled with procurement jargon, reference real ongoing projects of the impersonated company, and invite the target to bid for a portion of the work by opening an attachment.
That attachment, which is designed to look like a PDF but is usually an IMG, ISO or CAB file, contains information-stealing malware that harvests banking data, logs keystrokes and collects browsing data. Disk-image containers are a common choice because modern Windows mounts ISO and IMG files natively on double-click, presenting the victim with a drive holding a single file to run, and such containers are not always unpacked by mail-gateway scanners. The actors don't rely on a single type or family of malware; they use a variety of remote access tools and other malware-as-a-service offerings, such as Agent Tesla and Formbook. Like many successful phishing lures, the emails offer the victim a financial incentive to open the attachment and create a sense of urgency to respond.
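A gateway or sandbox can catch the "looks like a PDF, is really a disk image or cabinet" pattern by comparing the declared filename against the container's magic bytes rather than trusting the extension or the icon. The following is an added example, not code from Intezer or from the campaign; the signature table is standard (`%PDF-`, `MSCF` for CAB, `CD001` at offset 0x8001 for ISO 9660, `55 AA` at offset 510 for a raw boot-sector image) and the sample payloads are constructed in memory.

```python
"""Flag attachments whose real container type contradicts the name they carry.

Added example, not Intezer's code. The sample attachments below are constructed
byte strings, not samples from the campaign.
"""
import os

# (offset, magic, type). Order matters: specific signatures come first, and the
# raw boot-sector check is a last resort because 0x55AA at 510 is weak evidence.
SIGNATURES = [
    (0, b"%PDF-", "pdf"),
    (0, b"MSCF", "cab"),
    (0x8001, b"CD001", "iso"),   # ISO 9660 primary volume descriptor
    (0, b"PK\x03\x04", "zip"),
    (0, b"MZ", "exe"),
    (510, b"\x55\xaa", "img"),   # FAT / MBR boot-sector signature
]

# Containers Windows mounts or extracts natively; the lure types named above.
CONTAINER_TYPES = {"iso", "cab", "img"}


def sniff_type(data: bytes) -> str:
    """Identify the container by magic bytes; 'unknown' when nothing matches."""
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Compare declared extension(s) with the sniffed type and list findings."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lstrip(".").lower()
    # Double extensions such as quote.pdf.iso: the inner extension is the lure.
    stem_ext = os.path.splitext(stem)[1].lstrip(".").lower()
    actual = sniff_type(data)
    findings = []
    if actual in CONTAINER_TYPES or ext in CONTAINER_TYPES:
        findings.append("disk-image-or-cab-attachment")
    if ext == "pdf" and actual != "pdf":
        findings.append("extension-mismatch")
    if stem_ext == "pdf" and ext != "pdf":
        findings.append("double-extension-lure")
    return {"declared": ext, "actual": actual,
            "findings": findings, "block": bool(findings)}


# Constructed samples: a minimal ISO 9660 image, a CAB renamed to .pdf, a PDF.
FAKE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 32
FAKE_CAB = b"MSCF" + b"\x00" * 60
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"

if __name__ == "__main__":
    for name, blob in [("RFQ_Panama_plant.pdf.iso", FAKE_ISO),
                       ("Invoice.pdf", FAKE_CAB),
                       ("Quote.pdf", REAL_PDF)]:
        print(name, "->", assess_attachment(name, blob))
```

Sniffing the outer container is only the first step: a blocking policy should also mount or extract the ISO, IMG or CAB and apply the same check to every file inside, since the payload the victim actually runs is the executable within.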
“It seems like part of the incentive was that the receiving component could think that there’s some money coming their way,” said Ryan Robinson, a security researcher at Intezer, in an interview.
In one example, a fake email account pretending to be from Hyundai Engineering Inc. mentions a real power plant project in Panama, is filled with procurement jargon and gives short turnaround deadlines for expressing interest in the project (48…