Researchers at Intezer have spotted a phishing campaign that’s targeting energy companies in South Korea, the United States, the United Arab Emirates, and Germany. Most of the targets are located in South Korea.
“The attackers use typosquatted and spoofed emails to launch the attack,” the researchers write. “The campaign spreads via phishing emails tailored to employees at each company being targeted. The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity. Each email has an attachment, usually an IMG, ISO, or CAB file. These file formats are commonly used by attackers to evade detection from email-based Antivirus scanners. Once the victim opens the attachment and clicks on one of the contained files an information stealer is executed.”
Intezer notes that the attachments pose as PDF files in order to trick the victim into opening the file.
“The emails are formatted to look like valid correspondence between two companies,” the researchers write. “This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments. The emails use social engineering tactics such as making references to executives, using physical addresses, logos and emails of legitimate companies. They also include requests for quotations (RFQ), contracts, and referrals/tenders to real projects related to the business of the targeted company.”
The researchers add that the attackers are familiar with corporate conversations, which adds to their credibility.
“The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence,” Intezer says. “The recipient email addresses of these emails range from generic email handles such as ‘info@target_company[.]com’ or ‘sales@target_company[.]com’ to specific people within companies. This suggests that for some companies they have likely managed to gather more intelligence during reconnaissance than others.”
Intezer has the story.