Detailed by cybersecurity company Intezer, the phishing campaign has been active for at least a year, and those behind it appear to have put a lot of effort into making the phishing emails look as legitimate as possible. The phishing emails include references to executives, office addresses, official logos and requests for quotations and contracts, and they refer to real projects in order to look authentic.

Cyber criminals have sent the emails to international companies in the oil and gas, energy, manufacturing and technology sectors around the world, with targets including companies in the United States, United Arab Emirates, Germany and South Korea. In one case detailed by researchers, the phishing email used a specific power plant project as a lure.

This phishing email and others invite the victim to open an attachment designed to look like a PDF. It is actually an IMG, ISO or CAB file that, once opened, presents the user with an executable file; if this is run, it installs malware on the PC.

Several different forms of Remote Access Tools (RATs) and information-stealing malware are being deployed in these attacks, including Formbook, Agent Tesla and Loki. Many of these are malware-as-a-service operations, meaning that those behind the phishing attacks are leasing malware rather than developing it themselves.

“It appears that the use of malware-as-a-service threats helps blend in with the noise of other malicious activity. It appears that they are casting a wide net with these types of threats and also targeting a lot of small-to-medium-sized suppliers. Both might also indicate that this is the first stage in what may be wider activity,” Ryan Robinson, a security researcher at Intezer, told ZDNet.
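The disguised-attachment lure described above can be caught at the mail gateway by checking what an attachment actually is rather than what its name claims. The following is an added example written for this article, not Intezer's or ZDNet's code; it relies on well-known file signatures (the PDF, CAB, PE and ISO 9660 magic values) and all sample bytes are constructed.

```python
# Added example (not Intezer's or ZDNet's code): flag e-mail attachments that
# pose as PDFs but are really IMG/ISO/CAB containers or executables.
# Magic-byte table uses well-known file signatures; sample bytes are constructed.

SIGNATURES = [  # (offset, magic, label)
    (0, b"%PDF-", "pdf"),
    (0, b"MSCF", "cab"),        # Microsoft Cabinet
    (0, b"MZ", "exe"),          # PE / DOS executable
    (0x8001, b"CD001", "iso"),  # ISO 9660 primary volume descriptor
]
CONTAINER_TYPES = {"cab", "iso", "img"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}


def detect_type(data: bytes) -> str:
    """Classify attachment bytes by content, ignoring the filename."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    # Raw FAT/MBR disk image: sector 0 ends with the 0x55AA boot signature.
    if len(data) >= 512 and data[510:512] == b"\x55\xaa":
        return "img"
    return "unknown"


def assess_attachment(filename: str, data: bytes, external_sender: bool) -> dict:
    """Return the detected type, the reasons it looks suspicious and a verdict."""
    parts = filename.lower().split(".")
    actual = detect_type(data)
    reasons = []
    if len(parts) > 2 and parts[-2] in DOC_EXTS:
        reasons.append("double extension disguises the real file type")
    if parts[-1] == "pdf" and actual != "pdf":
        reasons.append(f"extension claims pdf but content is {actual}")
    if actual in CONTAINER_TYPES:
        reasons.append(f"{actual} container attached; may wrap an executable")
    if actual == "exe":
        reasons.append("executable attached")
    verdict = "allow" if not reasons else ("block" if external_sender else "review")
    return {"type": actual, "reasons": reasons, "verdict": verdict}


# Constructed samples: minimal headers only, not real malware.
SAMPLE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64
SAMPLE_CAB = b"MSCF" + b"\x00" * 60
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"

if __name__ == "__main__":
    for name, blob in [("Project_RFQ.pdf.iso", SAMPLE_ISO),
                       ("Contract.pdf", SAMPLE_CAB), ("Quote.pdf", SAMPLE_PDF)]:
        print(name, assess_attachment(name, blob, external_sender=True))
```

A real deployment would extend `SIGNATURES` (ZIP-based Office formats are not fingerprinted here) and inspect the contents of any flagged container for an executable before deciding.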
It’s currently unknown who exactly is behind the phishing attacks, but Robinson said their methods “show a decent level of sophistication.” While some of the infrastructure around the attacks has been removed, it’s likely that the phishing campaign remains active.

“Treat emails with awareness and caution, especially emails that are received from outside your company’s domain. Most importantly, don’t open suspicious files or links,” warned the research paper.