Spearphishing campaigns target oil, gas companies with spyware


Cybercriminals are targeting the oil and gas industry sector with highly targeted spearphishing campaigns impersonating shipment companies and engineering contractors while attempting to infect their targets with Agent Tesla info-stealer malware payloads.

Agent Tesla is a .NET-based, commercially available info-stealing program active since at least 2014 that comes with keylogging and remote access Trojan (RAT) capabilities. This info-stealer is also used for collecting system info, for stealing clipboard contents, as well as for killing malware-analysis-related processes and antivirus solutions.

What makes these campaigns stand out is the fact that this is the first time that Agent Tesla has been deployed as part of attacks targeting the oil & gas vertical.

While the attacks aren't as sophisticated as others that have previously targeted energy companies, their timing is on point given that they were active before and during a week-long marathon of meetings and calls between the OPEC+ alliance and the Group of 20 nations that ended with a historic deal to cut the global petroleum output.

This "suggests motivation and interest in knowing how specific countries plan to address the issue," as detailed in a report shared in advance with BleepingComputer by researchers at Bitdefender who spotted and analyzed these attacks.

In one of the spearphishing campaigns, the threat actors impersonate and abuse the reputation of the Egyptian state oil company ENPPI (Engineering for Petroleum and Process Industries), an engineering contractor with experience in both onshore and offshore oil and gas projects.

"The second campaign, impersonating the shipment company, used legitimate information about a chemical/oil tanker, plus industry jargon, to make the email believable when targeting victims from the Philippines," Bitdefender's report reads.