An unusual type of targeted attack underway for two years uses legitimate Windows file functions and a few homemade scripts -- but no malware -- to infiltrate companies in the oil and gas maritime transportation industry.
Researchers at Panda Labs first discovered the campaign early last year; by then it had slipped past antivirus software and hit around 10 companies since launching in August 2013. The attackers steal information from oil cargo organizations and then use it to pose as legitimate firms in scams against oil brokers.
"This is an innovative targeted attack" but not an APT (advanced persistent threat) or cyberespionage, says Luis Corrons, technical director of Panda Labs. "They use no malware; I'm not sure if they're not using malware because they don't know how to … They were stealing credentials without malware."
The attack campaign, dubbed Phantom Menace by Panda, was first spotted by the security team at an oil and gas transportation company in the U.K. It began with a convincing-looking spearphishing email carrying a phony PDF attachment that, when the victim opened it, displayed nothing. "It has a self-destructor file, and it creates a folder where it puts files inside. It runs one of the batch files and that's it. There are no malicious" code tools, he says.
Panda was able to recover the stolen files from an FTP server used by the attackers and drill down into the attack itself, which turns out to be a new spin on the Nigerian scam. It works like this: the scammer contacts an oil broker and offers anywhere from 1 to 2 million barrels of Bonny Light Crude Oil (BLCO) at a bargain price. The grade takes its name from the Nigerian town of Bonny and is well-known for its low sulfur content, which makes it a low-corrosive product.
"They have to show proof of the product, quantity and quality of the oil, and they ask for $50,000 to $100,000 in payment to close the agreement," Corrons says. "[The broker] goes there, and there is nothing," no oil or supplier, he says.
"Our guess here is that they were interested in [oil cargo transportation company] user credentials so they can steal and copy real certificates from those companies" that they can use in the scam to pose as legitimate oil firms, he says.
Most of the victim organizations were in Europe, including Spain, Germany, and Belgium. There also were victims in Asia, he says.
The initial infiltration works like this: the "PDF" is really a self-extracting executable carrying an Adobe Acrobat Reader icon. When the victim opens it, it creates a folder, drops six files into it, and runs them in sequence. The last of these, a .bat file, adds a registry entry so that the batch file runs each time the computer starts; on every run it grabs usernames and passwords from the mail client and browser and saves them to a text file.
Additional steps hide the dropped folders and disable the Windows firewall. The final step uploads the stolen text files over FTP to an FTP server the attackers control.
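The chain above leaves two host artifacts a responder can check without any malware signature: a Run-key autorun that points at a batch file, and a firewall that has been switched off. The following Python triage script is an added example, not code from the article or from Panda's report. It parses a `reg export` of the per-user and machine Run keys and the output of `netsh advfirewall show allprofiles`, flags autorun entries that launch a .bat/.cmd file or go through cmd.exe (noting when the script sits in a user-writable directory), and lists firewall profiles whose state is OFF. The generalization to any batch-script autorun is mine; the registry export and netsh output below are constructed for the example, and every entry name and path in them is made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a `reg export` of the per-user and machine Run keys
# as collected from a suspect host. Entry names and paths are made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"AdobeUpdate"="C:\\Users\\alice\\AppData\\Roaming\\AcroRd\\update.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Sync"="cmd.exe /c \"C:\\ProgramData\\sync\\run.cmd\""
'''

# Constructed sample input: trimmed `netsh advfirewall show allprofiles` output.
SAMPLE_NETSH = '''
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
'''

_SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
_RUN_SUFFIX = '\\currentversion\\run'
_SCRIPT = re.compile(r'\.(bat|cmd)\b', re.IGNORECASE)
_VIA_CMD = re.compile(r'\bcmd(\.exe)?\s+/[ck]\b', re.IGNORECASE)
_USER_WRITABLE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.IGNORECASE)


def _unescape(data):
    # .reg exports escape backslashes and double quotes inside REG_SZ data.
    return re.sub(r'\\(["\\])', r'\1', data)


def parse_run_entries(reg_text):
    """Return (key, value name, command) for every value under a ...\\Run key."""
    entries, key = [], None
    for line in reg_text.splitlines():
        m = _SECTION.match(line)
        if m:
            key = m.group('key')
            continue
        m = _VALUE.match(line)
        if m and key and key.lower().endswith(_RUN_SUFFIX):
            entries.append((key, m.group('name'), _unescape(m.group('data'))))
    return entries


@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def assess_autorun(key, name, command):
    """Collect the reasons an autorun resembles batch-script persistence."""
    reasons = []
    if _SCRIPT.search(command):
        reasons.append('launches a batch script (.bat/.cmd)')
    if _VIA_CMD.search(command):
        reasons.append('runs through cmd.exe /c')
    if reasons and _USER_WRITABLE.search(command):
        reasons.append('script sits in a user-writable directory')
    return Finding(key, name, command, reasons)


def firewall_profiles_off(netsh_text):
    """Names of the firewall profiles whose State line reads OFF."""
    off, profile = [], None
    for raw in netsh_text.splitlines():
        line = raw.strip()
        m = re.match(r'^(\w+) Profile Settings:', line)
        if m:
            profile = m.group(1)
            continue
        m = re.match(r'^State\s+(ON|OFF)$', line, re.IGNORECASE)
        if m and profile and m.group(1).upper() == 'OFF':
            off.append(profile)
    return off


def hunt(reg_text, netsh_text):
    """Suspicious autoruns plus disabled firewall profiles, as one report."""
    autoruns = [f for f in (assess_autorun(*e) for e in parse_run_entries(reg_text)) if f.reasons]
    return {'autoruns': autoruns, 'firewall_off': firewall_profiles_off(netsh_text)}


if __name__ == '__main__':
    report = hunt(SAMPLE_REG_EXPORT, SAMPLE_NETSH)
    for f in report['autoruns']:
        print(f'{f.key}\\{f.name}: {f.command}')
        for r in f.reasons:
            print(f'    - {r}')
    print('firewall profiles OFF:', ', '.join(report['firewall_off']) or 'none')
```

On the sample data the script flags the two batch-file autoruns (AdobeUpdate and Sync) and leaves the two signed-binary entries alone, and it reports the Private and Public profiles as OFF. A legitimate autorun can also be a batch file, so the findings are a triage list to review, not a verdict; pairing them with outbound ftp.exe connections from the same host, which is the exfiltration step the article describes, is the natural next check.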
"Why would you bother to buy or build a Trojan," which could be detected, Corrons says. The legitimate Windows files fly under the radar.
Corrons and his team found some 865 unique files of stolen information on the FTP server, all of them from the oil and gas maritime transportation sector.
Unmasking An Attacker
The researchers also have been able to identify one of the likely attackers involved. But in the end, that may not matter: none of the victims will report the attack to law enforcement. Panda's theory is that they don't see it as a pure breach: none of the information and credentials stolen from the victims was actually used against them, but instead was used against other companies. They don't want to report that they were duped for fear of negative publicity, according to Panda. "They prefer to keep a low profile, change their credentials, and continue to operate just as if nothing had happened."
And if law enforcement has no official complaints filed, there's no investigation, Corrons notes. "The broker who lost the money was unofficially buying the oil … from the underground," he says.
"The guy [attacker] leaves free," he says.
Panda began tracking the attackers by following the FTP connection used to send the stolen credentials. That led them to a free FTP service where one of the attackers had registered an account. While his name and location information were fake, it appears the city was not: Ikeja in Nigeria, known in the country as "computer village" because of its large concentration of technology vendors.
They also traced his gmail.com address and were able to work out his name from it: "We took the 9 characters that made up the email address and started combining them to see if we could form an alias, a first name, a last name or similar. And we got it," Panda says in a report on the campaign.
The suspected attacker is a Nigerian national, and the researchers found his Twitter, Facebook and LinkedIn accounts as well. He is a resident of Ikeja who owns a goods transport company. "Too many coincidences. So, even though all the evidence seems to indicate that this is the person responsible for the attack, there is no way for us to prove it. It would require the police to launch an investigation and obtain information about the FTP connections, etc., in order to get the IP address of the person who signed up to the service and find the culprit," Panda said.