The global pandemic COVID-19 has already become a threat to the global economy, the ongoing lockdown has caused redemption on small business as well collapsed the large-scale industries. Synchronizing the current situation it has been observed that oil and gas companies are the most adversely affected industries. Since these two are considered as the basic needs, they are mostly exempted by the lockdown measures. However, due to zero consumption, Oil prices have once again crashed, this time due to the destruction of demand associated with COVID-19 and the price war between Russia and Saudi Arabia. 

Due to the existing situation of  COVID-19, the oil and gas companies are compelled to switch to remote access connectivity to maintain their operations via an external network. This exposure resulted to be the main reason they are becoming easy targets of cyberattacks. Crooks are using agent tesla malware to carry out their spear-phishing campaigns.  


What is agent tesla? 

what is an agent?

Agents are the information stealer, right!. The same goes for agent Tesla.

Agent Tesla is a .NET based keylogger and RAT (Remote access Trojan) readily available to threat actors. It is an intrusion which is configured as spyware, keylogger, and credential harvester Trojan written in Microsoft’s .Net language (C#, VB .NET, etc). Agent Tesla was initially defaced to the world in 2014 and has been active ever since. 

The destructive malware is prone to an executable file originally named “Delivery Report.exe”. “AutoIt executable” this file is a compiled executable file that can be easily decompiled by using the Exe2Aut or myAut2Exe  tools. nevertheless, Both the tools are configured to generate the same code, but for certain specimens, myAut2Exe provides more friendly readable output. The payloads are bonded with the executable files. Once the script code is delivered, the associated payload gets activated. After the process injection has concluded, the entire administrative control is passed to the RegSvcs.exe program. After the successful execution of the process injection, the payload starts looking for popular FTP clients, such as FTPGetter, FTP Navigator, FlashFXPSmartFTP, among others. 


What is Spear Phishing? 

Spear phishing is an offensive act of sending malicious emails to specific and well-researched targets while purporting to be a trusted sender. The aim is to either infect devices with malware and steal the credentials or convince victims to hand over information and money. 

Spear phishing is a credential harvesting attack that was eventually developed by a threat actor to perceive one company, and where they will investigate names and positions within a company. To carry out such attack one must possess Social Engineering skillset. 

Inside Knowledge 

As per a report from Bitdefender, since October 2019, the cyberattacks on the energy sector, and specifically oil and gas corporation have been increasing exponentially every month. The attacks involving Agent Tesla were carried out via spear-phishing emails. As per the work from home campaign all the companies are forced to switch to remote access connectivity to maintain their operations which have created the gateway for the intruder to intercept the network traffic. 

Agent Tesla was configured to stationed as part of attacks targeting the oil & gas vertical as detailed by the researchers at Bitdefender who first detected and examined these attacks. 

“The malicious spear-phishing assaults on oil & gas enterprises could be part of a marketing email compromise scam, the fact that it dwindles the Tesla Agent info stealer suggests these campaigns could be more reconnaissance centred,” Liviu Arsene, a senior e-threat analyst at Bitdefender  

“Perpetrators that might have some stakes in oil & gas prices or advancements may be responsible, primarily when considering the niche targeted vertical and the open-ended oil crisis”. In the mid-April, it was reported that two spear-phishing campaign was effective while delivering “Agent Tesla” spyware trojan. 

The first crusade started on March 31 and targeted fellowships from Malaysia, Iran, and the United States, countries with a vital role in the universal oil & gas enterprise as prime-oil producers. 

On the second hand, the secondary crusade used spam emails pretending to be from a cargo company and leveraged authentic information about a chemical/oil tanker to target enterprises in the Philippines. 

Usually, Intruders prefer targeting the vulnerabilities in industrial control systems (ICS) or other hardware or software applications, as happened in the case of APT41. The injected trojans expand themselves to the root folder and steal all the confidential files and user credentials.