A unique targeted attack, underway for about two years, exploits legitimate-looking Windows file functions and a couple of home-made scripts, but no malware, to infiltrate firms in the oil and gas maritime transportation sector.
The attack was first discovered by a Panda Labs security researcher at the beginning of last year. It has evaded antivirus software and has hit almost 10 companies in the oil and gas industry since it was launched in August 2013. The attackers steal information from oil cargo organizations and then use it to pose as legitimate companies in scams against targeted oil brokers.
Panda Labs technical director Luis Corrons says, “This is an innovative targeted attack,” but not an APT (advanced persistent threat) or cyber espionage.
“They use no malware; I’m not sure if they’re not using malware because they don’t know how to … They were stealing credentials without malware.”
The campaign, which Panda named Phantom Menace, was first spotted by the security team at a UK-based oil and gas transportation company. It began with spear-phishing emails carrying a phony PDF attachment which, when opened by the targeted user, turned out to be empty.
“It has a self-destructor file, and it creates a folder where it puts files inside. It runs one of the batch files and that’s it. There are no malicious” code tools, said Corrons.
Panda Security managed to recover the stolen files from an FTP server used by the attackers and to drill down into the attack itself, which turned out to be a new spin on the Nigerian scam. In a nutshell, the scammers contact a targeted oil broker and offer between 1 and 2 million barrels of Bonny Light Crude Oil (BLCO) at a bargain price, straight from Bonny, a Nigerian town known for oil with a lower sulfur content, which makes it a comparatively low-corrosion grade of product.
Corrons says, “They have to show proof of the product, quantity and quality of the oil, and they ask for $50-100,000 in payment to close the agreement.” “They [the broker] go there, and there is nothing,” no oil or supplier, he added.
Most of the victim organizations were in Europe, including Spain, Germany, and Belgium. There also were victims in Asia, he says.
“Our guess here is that they were interested in [oil cargo transportation company] user credentials so they can steal and copy real certificates from those companies” that they can use in the scam to pose as legitimate oil firms, says Corrons.
Once the phony PDF is opened, infiltration of the victim system proceeds as follows: an executable (.exe) file bearing an Adobe Acrobat Reader icon extracts itself, creates a folder, and moves six files into it. A series of the planted files then runs, finally using a .bat file to modify the Windows registry so that the .bat file is executed every time the computer starts; it harvests usernames and passwords from the browser and mail client and saves them to a .txt file.
Some additional steps are taken to hide the folders, including disabling the Windows firewall. Finally, FTP is used to upload all the stolen files to the attacker’s FTP server.
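The chain described above (a file masquerading as a PDF, a batch file registered to run at start-up, the firewall switched off, stolen files pushed out over scripted FTP) lends itself to a simple per-host correlation: no single event is conclusive, but several of them on one machine are. The following is an added example and is not code from the original article or from Panda's research; the log format, the Run key as the autostart location and the exact netsh/ftp command lines are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified "key=value" format (not real Sysmon or EDR output).
SAMPLE_EVENTS = [
    "host=WS01 type=ProcessCreate image=C:\\Users\\bob\\Downloads\\invoice.pdf.exe cmdline=invoice.pdf.exe",
    "host=WS01 type=RegistrySet key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater value=C:\\ProgramData\\upd\\start.bat",
    "host=WS01 type=ProcessCreate image=C:\\Windows\\System32\\netsh.exe cmdline=netsh advfirewall set allprofiles state off",
    "host=WS01 type=ProcessCreate image=C:\\Windows\\System32\\ftp.exe cmdline=ftp -s:C:\\ProgramData\\upd\\send.txt",
    "host=WS02 type=RegistrySet key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive value=C:\\Users\\amy\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    "host=WS02 type=ProcessCreate image=C:\\Windows\\System32\\ftp.exe cmdline=ftp files.example.org",
]

# Each indicator maps one step of the described chain to a check on a single event.
# The Run key and the netsh/ftp syntax are assumptions, not details taken from the article.
INDICATORS = {
    "double_extension_exe": lambda e: e.get("type") == "ProcessCreate"
        and bool(re.search(r"\.(pdf|doc|xls)\.exe$", e.get("image", ""), re.I)),
    "run_key_batch": lambda e: e.get("type") == "RegistrySet"
        and "\\CurrentVersion\\Run\\" in e.get("key", "")
        and e.get("value", "").lower().endswith((".bat", ".cmd")),
    "firewall_disabled": lambda e: e.get("type") == "ProcessCreate"
        and e.get("image", "").lower().endswith("netsh.exe")
        and bool(re.search(r"(state off|opmode disable)", e.get("cmdline", ""), re.I)),
    "scripted_ftp_upload": lambda e: e.get("type") == "ProcessCreate"
        and e.get("image", "").lower().endswith("ftp.exe")
        and "-s:" in e.get("cmdline", ""),
}

def parse_event(line):
    """Split a line into a dict; only split on spaces that start a new key= field so cmdline keeps its spaces."""
    fields = re.split(r" (?=\w+=)", line.strip())
    return dict(f.split("=", 1) for f in fields)

def score_host_events(lines, threshold=2):
    """Return {host: [indicator names]} for hosts hitting at least `threshold` distinct indicators."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        for name, check in INDICATORS.items():
            if check(event):
                hits[event["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}

if __name__ == "__main__":
    for host, names in score_host_events(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

WS02 shows a legitimate Run entry and an interactive ftp session, so it stays below the threshold; WS01 trips all four checks.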
Corrons says, “Why would you bother to buy or build a Trojan,” which could be detected. The legitimate-looking files, by contrast, fly under the radar.
Corrons and his team found 865 unique files of stolen information on the FTP server, all of them from the oil and gas industry.
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares his knowledge for a living. He is passionate about sharing knowledge with people, and always tries to give only the best. Follow Ali on Twitter @AliQammar57
(Security Affairs – oil and gas industry, cyber security)