- Aug 17, 2014
A sophisticated campaign targeting large international companies in the oil and gas sector has been underway for more than a year, researchers said, spreading common remote access trojans (RATs) for cyber-espionage purposes.
According to an Intezer analysis, spear-phishing emails with malicious attachments are used to drop various RATs on infected machines, including Agent Tesla, AZORult, Formbook, Loki and Snake Keylogger, all bent on stealing sensitive data, banking information and browser information, and logging keystrokes.
While energy companies are the main targets, the campaign has also gone after a handful of organizations in the IT, manufacturing and media sectors, researchers said. Victims have been found around the world, including in Germany, the United Arab Emirates (UAE) and the United States, but the primary targets are South Korean companies.
“The attack also targets oil and gas suppliers, possibly indicating that this is only the first stage in a wider campaign,” researchers noted in a Wednesday posting. “In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear-phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.”
One of the targeted companies is “drastically” different from the others, researchers noted, which may offer a clue as to the nature of the cyberattackers.
“The company is FEBC, a religious Korean Christian radio broadcaster that reaches other countries outside of South Korea, many of these countries which downplay or ban religion,” according to Intezer. “One of FEBC’s goals is to subvert the religion ban in North Korea.”
A global effort to steal information from energy companies is using sophisticated social engineering to deliver Agent Tesla and other RATs.