ReaQta has been tracking an extensive and long running spear-phishing campaign, targeting the supply-chain in the Oil & Gas industry, most likely for espionage purposes. The campaign started in 2018 and it’s still running today, with a new wave began on the first week of May. It is carefully prepared and executed, with attackers taking advantage of several compromised websites to deliver their malicious payloads.
Due to the length of this campaign, we believe this might be used to obtain and maintain access within a network of suppliers that cater to the Oil & Gas industry and that it might set the stage for a more targeted attack in the future.
One of the emails that picked the attention of our team was impersonating Petrofac’s Procurement Proposal Engineer. According to Wikipedia:
Petrofac Limited is a provider of oilfield services to the international oil and gas industry. It is registered in Jersey (number 81792), with its main corporate office on Jermyn Street, London. It has operational centres in Aberdeen, Sharjah, Woking, Chennai, Mumbai, Delhi, Abu Dhabi, Saudi Arabia and Kuala Lumpur.
The impersonated employee describes himself as: “working alongside my team to secure projects. Negotiating with suppliers to provide competitive prices. Cherry-picking vendors“. The other signer describes himself as a “Buyer at Saipem for Thai Oil Clean Fuels Project”. The identities used might therefore look plausible to the victims receiving the emails.
The message contains a request for quotation for a “Ghasha Processing Plant Process”. Petrofac was in fact awarded in February 2020 2 EPC contracts, worth 1.65Bn$, as part of the Gasha Concession offshore Abu Dhabi to develop ultra-sour gas fields. Although both contracts were cancelled on the 16th of April 2020.
Back in 2018, Petrofac together with Saipem and Samsung Engineering was awarded a 4Bn$ contract for the development of a refinery in Sriracha, Thailand. The above message (perhaps in a confusing way) refers to both things as if they were the same.
The email impersonating Petrofac was actually sent by another company, DigiPro Solutions (appearing to be a subsidiary of the Egyptian Al Madina), providing printing and packaging solutions. One of the intended recipients was Team Translation, an Italian company that specializes in translations for machineries in various industries, such as Renewable Energy, Packaging, Refrigeration etc.
We suspect that DigiPro/Al Madina server or website have been compromised and used specifically to target Team Translation. Also the attackers appear to blind copy (BCC) some of their targets instead of emailing them directly.
This campaign is not limited to a single company, in fact we have identified several targets and the list will probably grow as we keep digging.
WalterTosto SpA: “a leading manufacturer of critical, long lead equipment including heavy wall hydrocracking, hydrotreating, GTL and EO reactors for various applications within Oil&Gas, Petrochemical, Power & Energy, Food & Pharma markets.“
ProMinent Group: “The ProMinent group of companies is based in Heidelberg and for over 55 years has been developing and manufacturing components and systems for metering liquids and solutions for water treatment and water disinfection.”
De Palma Thermofluid: “operates to provide products and technologies that produce, detect, regulate and control all industrial fluids such as steam, hot water, thermal oil, chilled water, hot air and cold.“
Maber Srl: “Industrial Technologies: Hoists, Winches – Man rider, BOP (Systems), Pumps ARO, Cordless Tools QV20, Cordless Tools QV12, Air Starter-Motors“
Interestingly every entity, though part of the same attack campaign, has been targeted via different providers. The attackers are taking care of using a different compromised website/mailserver for each of their targets.
Link to Previous Campaigns
The actor behind this campaign has been active for a long time, we managed to track the activity back to March 2018 (with one of the targets being again Team Translation) and still trying to impersonate Petrofac, using as a lure new contracts won by the company, as it can be seen in the below image.
And again in March 2019, this time impersonating Saudi Arabian Saipem and taking advantage of a seemingly legitimate domain: ejadarabia[.]com used to deliver again NetWire and AgentTesla.
In 2019 the attacker used the same lure as the one in 2020, as it can be seen below.
Targets in the previous years were again companies in the Oil&Gas supply chain: rig building companies, pipeline management, HVACs, oil pumps and tankers.
The email impersonating Petrofac contains two attachments, both password protected to reduce the chances of being detected by the anti-spam and antivirus. When opened the document shows a blurred image asking the user to enable Macros.
The malicious Macro is quite simple and it’s used to download a MSI file from a domain controlled by the attacker.
Word’s Macro takes care of downloading the MSI and running it.
The malicious file had, at the time of writing, a remarkably low detection rate, as shown below.
The MSI file is used to load a first stage, which appears to be GuLoader, a small downloader, packed with a variety of AntiVM tricks. Below we can see GuLoader in action using ReaQta-Hive, the storyline shows GuLoader creating a registry persistence and then downloading, decrypting and loading its payload after performing a dynamic impersonation.
As a final step, GuLoader drops Netwire which begins to acquire data and screenshots from the infected machine. The C2 appears to be located in Singapore as seen from the image below.
This is a long running campaign that can be tracked back to at least 2018. Attackers maintain a certain modus operandi: spear-phishing emails using compromised webservers and email servers, targeting mostly suppliers to the Oil&Gas industry and heavy machineries.
We haven’t found traces of custom tools and so far, only commodity malware such as GuLoader, NetWire and AgentTesla have been used. We suspect the attackers’ motivation to be espionage instead of cybercrime, as we haven’t seen any attempt of extortion or threats against the victims, leading us to believe that the low-profile activity is intentionally aimed at maintaining access for as long as possible.