Attackers are using an obfuscated version of Adwind Remote Access Trojan for stealing data, Netskope says.
An unknown threat actor is targeting companies in the US petroleum industry with a sophisticated data-stealing remote access Trojan (RAT) that previously had been used in attacks against retail and hospitality organizations.
Netskope says it observed a recent spike in alerts for the malware family — the Adwind RAT — among its customers operating within the petroleum industry.
The attacks appear to originate from a domain belonging to Westnet, an Australian ISP. What is not clear is whether the attacker is a Westnet customer or has compromised accounts belonging to Westnet customers and is using them to distribute Adwind, Netskope said in a report.
News of the attacks on US petroleum companies coincides with recent reports about the US government planning a major cyberstrike against Iran to punish the country for its reported involvement in this month’s bombing of a major Saudi Arabian oil facility.
On Sunday, Reuters reported on Iran’s oil minister warning the country’s petroleum industry to be on alert for cyber attacks from the US. In June, the Washington Post quoted unnamed sources as saying US Cyber Command had carried out an offensive attack on Iranian computer systems that had allegedly been used to plan attacks on oil tankers in the region.
According to Netskope, the command-and-control infrastructure used in the latest Adwind campaign is different from that used in the previous attacks on organizations in the retail and hospitality sectors, so the security vendor has no data to suggest the two groups are linked.
Adwind is sold as commodity malware on Dark Web markets, and several threat actors have used it in various campaigns over the last two years. From a functionality standpoint, the Adwind strain used in the petroleum industry attacks is very similar to older Adwind samples.