Oil & Gas Sector Falls for Fake Car Accident Phishing Emails

An updated version of the Rhadamanthys malware-as-a-service (MaaS) is being deployed against oil and gas companies, using an effective new lure with a concerning amount of success.

Cofense has been tracking the campaign, which uses emails and a PDF file disguised as communications from the "Federal Bureau of Transportation," according to a new flash alert from the email security analysts. No such bureau exists, and may be a mashup of the Department of Transportation and the Bureau of Transportation Statistics, an purview.

"It is not clear as to why this specific sector is [being targeted], but the campaign in its current form could be relevant in most sectors if threat actors decided to change targets," the Cofense alert explained. "While the campaign was actively sending emails, it was successfully reaching targets at an alarming rate."

The campaign appeared just days after the LockBit takedown in February, the analysts said. The latest version of Rhadamanthys, 5.0, was updated earlier in 2024 with improvements to its evasion and data stealing capabilities, Cofense added.

The phishing emails are also carefully crafted, the researchers pointed out. The phishers crafted multiple, provocative subject lines like, "Notification: Incident Involving Your Vehicle," and "Attention Needed: Your Vehicle's Collision."

"As peculiar as it might seem to use vehicle incidents as a phishing lure, the threat actor(s) here put immense effort to ensure that their emails along with the infection chain target recipient's emotions," Cofense added. "Each email body and subject are both different than the next, but they can be summarized by notifying an employee of a car incident through an employer notification, possible legal actions, or even a notice of contacting law enforcement."