LTS Secure Warning: Spearphishing Campaign Targeting Oil & Gas Firms to Infect Them With Agent Tesla Spyware

Security researchers have identified a highly targeted spearphishing campaign against oil & gas firms, intended to infect them with the Agent Tesla spyware.


Campaign Details

First Campaign:

The attackers pretended to be from Engineering for Petroleum and Process Industries (Enppi), inviting recipients to submit a bid for materials and equipment as part of a project (Rosetta Sharing Facilities Project), on behalf of a well-known gas company (Burullus).

The email was crafted very carefully to look legitimate, containing details such as:

  • Bid submission deadline
  • Request for bid bond

The email also contains an archived attachment, designed to drop the Agent Tesla Spyware.

Second Campaign:

The campaign started somewhere around 12th April, attempting to deliver the spyware to shipment companies. This time the attackers impersonated Glory Shipping Marine.

The email asked the recipients to send the Estimated Port Disbursement Account (EPDA), along with information about container-flow management (cfm).

Similar to the first campaign, the email contained an attachment, designed to drop the Agent Tesla Spyware.


Impact

  • Log the user’s keystrokes.
  • Take screenshots of the desktop.
  • Gather information saved to the clipboard.
  • Steal sensitive/confidential information.


Recommended Actions

  • Never download any suspicious attachments or click on any shady-looking link. Make an effort to educate your users on how to identify malspam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Configure your Firewall/IDS/IPS/Endpoint Protection systems properly so that no gaps are left open.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.
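Both campaigns described above rely on the same delivery pattern: a business-themed lure (bid bond, bid submission deadline, EPDA request) plus an archived attachment that drops the spyware. The script below is an added example, not code from LTS Secure or from the researchers' report, showing how a mail gateway or SOC triage tool could flag that pattern before a user opens the attachment. It parses a raw email, looks for the lure phrases named on this page, and inspects zip attachments for executables and double extensions. The sample email, sender addresses, file names and the placeholder bytes inside the zip are all constructed for the demonstration; nothing in it is real malware.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that should never arrive as (or inside) a mail attachment in most orgs
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".dll", ".lnk", ".iso", ".img"}
# Document extensions commonly used as the "decoy" half of a double extension
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Archive formats this example cannot open without third-party libraries
OPAQUE_ARCHIVE_EXT = {".rar", ".7z", ".ace", ".arj", ".cab", ".gz", ".tgz"}
# Lure phrases taken from the two campaigns described in the advisory (constructed list)
LURE_PHRASES = ("bid bond", "bid submission", "port disbursement", "container-flow")


def _ext(name):
    """Return the lower-cased final extension of a file name, or '' if none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data):
    """Inspect an in-memory zip without extracting it; return a list of findings."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                parts = name.lower().split(".")
                if _ext(name) in EXEC_EXT:
                    findings.append(f"executable inside archive: {name}")
                # e.g. Bid_Documents.pdf.exe: decoy document extension before the real one
                if len(parts) >= 3 and "." + parts[-2] in DOC_EXT:
                    findings.append(f"double extension inside archive: {name}")
                # Crude zip-bomb guard: very high expansion ratio is itself suspicious
                if info.compress_size and info.file_size / info.compress_size > 100:
                    findings.append(f"suspicious compression ratio: {name}")
    except zipfile.BadZipFile:
        findings.append("attachment named .zip is not a valid zip")
    return findings


def analyze_message(raw_bytes):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    subject = str(msg["subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in LURE_PHRASES if p in subject or p in text]
    if hits:
        findings.append(f"lure phrases: {', '.join(hits)}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in EXEC_EXT:
            findings.append(f"executable attachment: {name}")
        elif ext == ".zip":
            findings.extend(inspect_zip(part.get_payload(decode=True)))
        elif ext in OPAQUE_ARCHIVE_EXT:
            # Cannot look inside; route to a sandbox rather than delivering it
            findings.append(f"opaque archive needs sandbox inspection: {name}")
    return findings


def build_sample_lure():
    """Constructed lure resembling the first campaign; placeholder bytes, not malware."""
    msg = EmailMessage()
    msg["From"] = "Enppi Procurement <procurement@lookalike.invalid>"  # constructed
    msg["To"] = "tenders@victim.invalid"  # constructed
    msg["Subject"] = "Invitation to bid - Rosetta Sharing Facilities Project"
    msg.set_content("Please find attached the bid documents. A bid bond is required; "
                    "the bid submission deadline is Friday.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Bid_Documents.pdf.exe", b"MZ" + b"\x00" * 64)  # harmless placeholder
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Bid_Documents.zip")
    return msg.as_bytes()


def build_sample_benign():
    """Constructed ordinary message with a plain PDF attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "colleague@victim.invalid"  # constructed
    msg["To"] = "tenders@victim.invalid"  # constructed
    msg["Subject"] = "Monthly report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        print(label, "->", analyze_message(raw) or ["no findings"])
```

In production the findings would feed a quarantine decision or a SIEM alert rather than a print; the lure-phrase list is deliberately tied to the campaigns on this page and would be widened from ongoing threat intelligence. Opaque archive formats are flagged for sandbox detonation because password-protected or non-zip archives cannot be safely inspected inline.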