
Cyber Incident Victim: US petroleum industry

Date:

Oct 2019

Location:

United States of America

Summary

A new variant of the Adwind remote access trojan targeted entities in the US petroleum sector through a phishing campaign that delivered malicious attachments or URL redirects to the payload. The multi-stage malware employed multi-layer obfuscation and nested JAR files to evade detection, with the payloads hosted on compromised accounts at an Australian ISP. Attackers leveraged the cross-platform RAT's capabilities to steal sensitive credentials, VPN certificates, and browser data, and to perform keystroke logging, audio/video surveillance, cryptocurrency mining, and crypto wallet harvesting. The campaign's focus on the petroleum industry was inferred from infection patterns and victim profiles; similar prior attacks had been observed against the utility, retail, and hospitality sectors.

CIA Posture: available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

In October 2019, US petroleum industry entities were targeted by a malicious campaign distributing a newly observed variant of the Adwind Remote Access Trojan (RAT). The attack employed multi-layered obfuscation techniques and was delivered via phishing emails containing malicious attachments or URL redirections to payloads. Security firm Netskope identified 20 malware samples hosted on compromised accounts of the Australian ISP Westnet, with files disguised using multiple extensions to exploit Windows’ default setting of hiding known file extensions. The infection process used nested JAR files resembling Matryoshka dolls, culminating in a final DLL payload detected as Gen:Variant.Application.Agentus.1. This multi-stage deployment was designed to evade signature-based detection, though behavior-based antivirus solutions remained capable of identifying the threat. The campaign’s focus on petroleum organizations was determined through analysis of tenant data showing concentrated detections within that sector, with a distinct alert spike signaling deliberate targeting.


The Adwind RAT provided attackers with extensive capabilities including credential theft from browsers (Chrome, Internet Explorer, Edge), VPN certificate extraction, keystroke logging, and surveillance functions such as webcam activation for photo/video capture and audio recording. Additional functionalities involved cryptocurrency mining and wallet information harvesting. Command-and-control communication was established after payload execution, enabling ongoing data exfiltration. Netskope documented indicators of compromise including malware hashes, C2 server IPs, and delivery domain details in their public report. This incident reflected Adwind’s established MaaS operational model, with prior campaigns observed against utilities, retail, and hospitality sectors throughout 2019 and as far back as 2013. No specific mitigation actions by victims were detailed in available reporting, though the analysis relied on captured malware samples rather than complete email artifacts.

Sources: 1 source (available to members)