What is Agent Tesla?
Agent Tesla is .NET-based Windows spyware that is sold commercially on the dark web. It is a Remote Access Trojan (RAT) that has been active since at least 2014. Agent Tesla spies on victims through keylogging and by stealing clipboard contents, screenshots and credentials. The Trojan can also terminate malware-analysis processes and antivirus solutions on infected systems. Since 2014, Agent Tesla has received many improvements and updates. It is sold as malware-as-a-service, with its developers offering several pricing tiers based on different licensing models. In these latest campaigns, Agent Tesla was disguised as a report or form attached to phishing emails. The emails impersonated either an Egyptian state oil company, Engineering for Petroleum and Process Industries (Enppi), or a shipping company. If a recipient opened the attachment, Agent Tesla would execute and exfiltrate information to the cybercriminals’ command-and-control servers.
The Peculiar Characteristics of the Campaigns
The spear phishing campaigns against the oil and gas industry were detected by antimalware vendor Bitdefender. What attracted Bitdefender’s attention was the extremely specific group of companies being targeted: only certain key oil-producing organizations around the world. “The impersonated engineering contractor (Enppi – Engineering for Petroleum and Process Industries) has experience in onshore and offshore projects in oil and gas, with attackers abusing its reputation to target the energy industry in Malaysia, the United States, Iran, South Africa, Oman and Turkey, among others,” Liviu Arsene, Bitdefender senior e-threat analyst, said. What further sets these campaigns apart is the quality of the phishing emails. They contained no typing errors, used correct industry terminology and referenced real industry events. The other peculiar characteristic is that spear phishing was used against the industrial sector at all. Cybercriminals targeting this sector usually prefer to exploit vulnerabilities in industrial control systems rather than run phishing campaigns.
The Campaigns Against the Oil and Gas Industry
Two separate spear phishing campaigns were launched that used attachments to deliver Agent Tesla. The first involved emails impersonating Enppi and the second emails impersonating an unknown shipping company.
The Enppi Campaign
The Enppi campaign targeted companies in Malaysia, Iran and the United States, all countries that play a significant role in the worldwide oil and gas industry. The spear phishing emails impersonating Enppi invited recipients to submit a bid for equipment and materials on behalf of the well-known gas company Burullus. They also stated that the bid formed part of the Rosetta Sharing Facilities Project (RSFP). Finally, the emails contained attachments that were supposedly lists of the requested materials and equipment. Instead, the attachments were rigged to drop the Agent Tesla spyware Trojan. The emails contained enough convincing detail to appear legitimate and to lead the recipient to open the attachments. For example, the Rosetta Sharing Facilities Project is real and is linked to both Enppi and Burullus. Furthermore, the emails were professionally written and used correct industry jargon. They also included data expected in such emails, such as a bid submission deadline and a bid bond.
The Shipping Company Campaign
This second spear phishing campaign targeted only a small number of companies based in the Philippines, most of them shipping companies. “This hints at a laser-focused campaign seeking very specific information from a very distinct area of the globe,” writes Arsene in his report. As in the Enppi campaign, the emails used legitimate information about a chemical/oil tanker plus industry jargon to make the message believable. According to Arsene, “While the number of reports may be low, the construction of the messages and the jargon used do show the attackers have a clear understanding of their victim’s profile and use relevant language and information to seem believable and trick the victim into opening the rigged attachment.”
Why Target Oil and Gas Companies
The likely reason for the sudden spike in phishing attacks against this industry is the Covid-19 pandemic. Because of the pandemic, oil and gas companies have been forced to switch to remote access connectivity to maintain operations, and this switch may have made them easier targets for cyberattacks. “While the spear phishing attacks on oil and gas could be part of a business email compromise scam, the fact that it drops the Tesla Agent info-stealer suggests these campaigns could be more espionage focused,” Arsene told The Register. “Threat actors that might have some stakes in oil and gas prices or developments may be responsible, especially when considering the niche targeted vertical and the ongoing oil crisis,” he went on to say. The circumstances suggest that a state-backed hacking group or another advanced group could be behind the attacks. The attackers could be interested in gathering information on how the targeted countries plan to address the oil crisis, or they could be a group that wants to track companies dealing with the crisis in order to react to, or even get ahead of, the markets. However, Bitdefender did not attribute the campaigns to any particular APT (Advanced Persistent Threat) group or nation.
Why Use Agent Tesla
The use of Agent Tesla is notable because, unlike the expertly crafted emails, the malware itself is not a particularly sophisticated or complex piece of code. But according to Arsene, using a common and relatively simple piece of malware has its advantages. “It’s something that you can get off the dark web and you don’t have to customize it in any way,” he said. “It makes it easier to deploy, so it makes attribution a lot more difficult. It’s not something custom you can attribute to state-sponsored actors or a cybercriminal group, so that makes it difficult during an investigation to find out what was the actual goal.” “With over 5,000 malicious reports from companies that operate in the energy industry, cybercriminals seem to have taken a keen interest in this vertical, perhaps as it has become more important and strategic after recent oil price fluctuations,” Bitdefender concludes. Furthermore, Bitdefender warns that phishing campaigns targeting the oil and gas industry are likely to increase and continue for as long as the current pandemic persists.