Researchers Uncover Long-Term Cyber-Espionage Campaign

Security researchers have recently published details of a long-term cyber-espionage campaign targeting fuel industry companies around the world. The campaign focused on long-term detection avoidance and on planting remote access trojans on victim networks for the purpose of lasting data exfiltration and spying.

Researchers with security firm Intezer revealed that the threat actors had been using narrowly targeted spear-phishing email campaigns carrying remote access trojan payloads as malicious attachments. The range of RAT malware used in the campaign varied greatly and includes infamous names such as Agent Tesla, Loki and AZORult. Those tools can steal sensitive information and browser logins as well as log keystrokes.

The campaign is almost entirely focused on oil and gas companies, with a few targeted outliers in the IT and media sectors. Curiously, the majority of the targeted companies are located in South Korea, with other targets spread across the globe, including Europe, the US and the United Arab Emirates.

Researchers also noted that one target in the campaign was markedly different from the rest. The odd one out is FEBC, a radio broadcasting entity located in South Korea which, according to the researchers at Intezer, seeks to "subvert the religion ban" in the country's northern neighbor.

The spear-phishing emails use spoofed sender fields and are made to look as if they originated from addresses and companies well known to the victims. Some of the emails used typosquatted domains: a domain that differs from the legitimate one by a single character, for example a dot replaced with a dash or an "L" swapped with a 1.
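As an added illustration of the defensive side of that detail (this is not code from Intezer's report or from the article), the check below flags sender domains that sit one edit away from a known partner domain or that match one only after look-alike characters such as "1" for "l" are folded back. The partner list and sample addresses are constructed for the example.

```python
"""Flag sender domains that imitate a known partner domain by one edit
(dot to dash, dropped or swapped letter) or by a look-alike character."""

# Constructed allowlist of partner domains; an organisation would use its own.
KNOWN_PARTNERS = {"example-oil.com", "fuelsupply.co.kr"}

# Look-alike characters an attacker swaps in, mapped back to the glyph they imitate.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l"})


def levenshtein(a: str, b: str) -> int:
    """Plain Levenshtein edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    addr = address.strip().rstrip(">")
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def typosquat_match(address: str, known=KNOWN_PARTNERS):
    """Return (legitimate_domain, reason) when the sender domain imitates a
    partner domain; None when it is either an exact partner or unrelated."""
    dom = sender_domain(address)
    if dom in known:
        return None  # genuine partner domain; header spoofing is SPF/DKIM/DMARC's job
    folded = dom.translate(HOMOGLYPHS)
    for legit in known:
        if folded == legit.translate(HOMOGLYPHS):
            return legit, "homoglyph"
        if levenshtein(dom, legit) == 1:
            return legit, "one-edit"
    return None


if __name__ == "__main__":
    # Constructed sample From: values, not addresses from the campaign.
    for addr in ("sales@fuelsupply.co-kr", "Billing <billing@examp1e-oil.com>",
                 "ceo@example-oil.com", "x@unrelated-supplier.net"):
        print(f"{addr:40} -> {typosquat_match(addr)}")
```

An exact match on a partner domain is deliberately not flagged here: a spoofed but correctly spelled sender field is caught by SPF, DKIM and DMARC checks, not by string comparison.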

The body of the malicious emails usually contains what looks like a legitimate business offer. The payloads are hidden in fake PDF files that are really .cab archives or .iso images. Intezer also pointed out that the payload is deployed using fileless techniques, loading directly into system memory without writing any files to the hard drive that could trigger defenses.

Intezer also pointed out that the emails were especially well crafted in terms of formatting, and that great care was taken to make them look like legitimate business correspondence. Many small details in the text of those emails indicate that the threat actor behind this is no amateur and has a very good grasp of what legitimate, high-profile business correspondence looks like.

July 9, 2021