Another day, another spear phishing attack, this time targeting energy companies. Agent Tesla spyware is the tool of choice for this attack, which is interesting because it marks the first time that Agent Tesla has been associated with campaigns targeting the oil-and-gas industry.
What is Agent Tesla?
Agent Tesla is known as an info-stealer, which is a type of malware that steals credentials such as stored email passwords, browser-stored passwords, FTP credentials, and more. It is able to access the webcam as well as capture screenshots and log keystrokes. Brian Krebs discussed the origins of Agent Tesla here, but it has been around for years, since at least 2014.
The criminals who maintain Agent Tesla have added a new capability that allows it to steal Wi-Fi profiles. Over the past two months, this newer variant has been actively distributed through email campaigns using different file attachment formats. Malwarebytes has a technical breakdown on this new feature here.
The attack — sender impersonation
Oil-and-gas companies were hit with Agent Tesla in March when the attackers impersonated two companies known to the industry. The first attack impersonated the engineering contractor Enppi to target the energy industry in several countries including the United States. This campaign appears to have been active from March 31 to April 6.
The second wave of this attack appears to have been active from April 12 to April 14. This attack impersonated Glory Shipping Marine and targeted only a few shipping companies based in the Philippines.
Both attacks were carefully researched and well executed in terms of the information and the call to action. The malicious attachments dropped Agent Tesla onto the victim's machine, and the new capability of stealing Wi-Fi credentials is designed to help the malware spread through a network. You can see examples of the attacks here.
The companies targeted in these campaigns are focused on different types of energy production, but all have a significant stake in the global oil market. The first attack launched just prior to a planned OPEC meeting, and one possibility is that the attackers wanted access to details on how energy companies are planning to deal with the massive drop in oil demand. Another possibility is that this was simply a new take on a spear phishing and business email compromise attack.
COVID-19 has caused unexpected shifts in our global markets, and there's no reason to think that espionage won't continue. While this pandemic has had devastating effects, it also presents opportunity to people who are willing and able to find it. Unfortunately the latter group includes bad actors who will use all of the cybercrime tools at their disposal, including info-stealers like Agent Tesla, to gain an unfair and illegal advantage over others.
DMARC protection will help prevent brand impersonations by eliminating the ability for cybercriminals to use your domain to send their illegitimate messages. It will protect business-to-business customers and supply chain partners from scams like those referenced here. You can learn more about DMARC authentication and domain spoofing here.
Anti-phishing protection can spot anomalies that may indicate a phishing attack and help detect impersonation attempts. Protection against account takeovers and social-engineering attacks should be included in this protection.
Training and security awareness for end users will make them less susceptible to spear phishing. End users may be stressed and distracted, and criminals are launching well-crafted attacks. Security awareness exercises help employees slow down and take a more thoughtful approach to email.
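To make the DMARC point above concrete, here is an added example (not part of the original post) that classifies a domain's DMARC TXT record by how much protection against sender impersonation it actually provides. The sample records, the verdict names and the function names are constructed for illustration; the tag names (`v`, `p`, `sp`, `pct`, `rua`) are those defined in RFC 7489.

```python
# Added example: classify DMARC TXT records (RFC 7489 tags) by enforcement level.
# Input is the TXT string published at _dmarc.<domain>; no DNS lookup is made.
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag, otherwise the record is ignored.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return (verdict, findings) for one DMARC TXT record string."""
    tags = parse_dmarc(txt)
    policy = (tags or {}).get("p", "").lower()
    if policy not in ENFORCING | {"none"}:
        # Simplification: a missing or invalid p tag is reported as no policy.
        return "no-dmarc", ["no usable DMARC policy published"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports on who sends as this domain")
    if policy == "none":
        return "monitor-only", findings + ["p=none: failing mail is still delivered"]
    # An unparseable pct is ignored, so the default of 100 applies.
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy}: subdomains can still be impersonated")
    weak = pct < 100 or sub_policy not in ENFORCING
    return ("partial" if weak else "enforced"), findings

# Constructed sample records (reserved example domains), not taken from the campaigns.
SAMPLES = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org",
    "mail.example.com": "v=spf1 -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, *assess(record))
```

Only the `enforced` verdict means receivers are asked to quarantine or reject all failing mail for the domain and its subdomains; `monitor-only` and `partial` records still let some spoofed messages through.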
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.