Gone Phishing: Hunting for Malicious Industrial-Themed Emails to Prevent Operational Technology Compromises
Phishing is one of the most common techniques used to deliver malware and gain access to target networks. This is not only because of its simplicity and scalability, but also because of its efficiency in exploiting vulnerabilities in human behavior. Despite the existence of sophisticated detection tooling and security awareness of phishing techniques, defenders across all industry verticals continue to struggle to avoid phishing compromises.
Mandiant regularly observes actors spreading phishing emails that contain terminology and concepts specific to industrial sectors, such as energy, manufacturing, and water utilities. The use of industrial-themed lures and phishing emails suggests that at least in some cases, actors are tailoring their attacks to target industrial organizations. While it may appear that the objectives of these threat actors pose little risk to operational technology (OT) systems, the fast-paced nature and professionalism of their techniques have broad implications for OT defenders.
In this blog post, we analyze a dataset of over 1700 unique, industrial-themed phishing samples that were delivered to organizations worldwide in 2022. We built this dataset using a tailored collection of industrial-related keywords to hunt through millions of samples and identify phishing emails mimicking email communications from personnel operating or handling OT and industrial processes. Defenders tasked with hunting for potential industrial-targeted attacks can sift out the noise of generic phishing attempts to focus on higher-risk threats and prevent simple compromises from branching out into more impactful events that affect critical production systems.
Phishing Emails Can Facilitate Various Threat Actor Objectives
For OT asset owners, phishing is often perceived as a threat only if it comes from cyber espionage campaigns targeting operators, engineers, and industrial subject matter experts. While attention to such targeted activity is important, this hyper-focused perspective can drift attention away from other simpler, yet massively distributed and potentially impactful phishing operations.
- Phishing campaigns vary in lure complexity, tooling, volume and objectives. However, what most phishing campaigns have in common is that they reveal little context about an actor’s end objectives given that they represent the earliest stages of a mission. Seemingly simple phishing that is not necessarily targeted to specific victims can branch out into entirely different post-compromise activity, such as Business Email Compromise (BEC), ransomware deployment, espionage, data leaks, or cyber physical attacks.
- Industrial-themed phishing emails are particularly risky as they use specialized language that is common for employees that work with OT. For example, an email with the subject “bill of lading” can appeal to personnel handling maritime shipments, while an email with the subject “bill of materials (BOM)” can appeal to an engineering project manager.
- Even if the threat actor conducting a phishing campaign does not have enough expertise to cause serious damage on their own, actors often share, sell, or distribute access for other actors to use. In the case of ransomware, we have frequently observed formal affiliation models, where different actors are responsible for different portions of an operation.
- While implementing phishing mitigations is typically out of scope for OT security personnel, recognizing which compromises have the potential to escalate can help defenders prevent actors from ever reaching high-value targets such as OT systems or assets.
Reeling in One Year of Industrial-Themed Phishing Emails
One method to hunt for phishing activity that poses a higher risk to OT is to investigate the contents of the lures and emails themselves to identify jargon employed across specific industries and domains. Using a tailored list of industrial-themed keywords, Mandiant filters data to find industrial-themed phishing emails and reports our findings in weekly OT Phishing Roundups. The keyword list contains various terms including OT process terminology, original equipment manufacturers (OEMs), technical equipment, and other industrial business terms.
In this blog post we discuss our collection of 1,733 unique phishing emails from 2022 acquired by hunting across a popular malware analysis repository (See Figure 1). From our samples, we recovered 1,017 different payloads and, whenever feasible, we determined the malware associated with each sample. We note that our collection only reflects findings from a single large source and as such, is not necessarily representative of the full volume of phishing distribution. The size of the collection is limited to instances that were submitted to the malware repository we utilized. Additionally, each of the samples we analyzed could have been used against one or multiple victims across one or multiple organizations.
The number of emails identified during the year did not show a clear pattern. Although we identified a significant increase in activity during March, it is possible these results stem from extraneous factors such as the number of emails submitted to the repository. We did not perform analysis over time to determine the possibility of seasonality.
Using Simple Malware to Catch Large Phish
Our analysis of industrial-themed phishing samples revealed a total of 34 different malware families, many of which are broadly deployed and used in various types of compromises. Actors of all motivations regularly use these tools—such as AGENTTESLA, FORMBOOK, or REMCOS—because of their effectiveness and ease to acquire at low or no cost.
While defenders may be tempted to overlook some of the readily available malware families we identified due to their perceived simplicity or lack of novelty, such malware is often packed using techniques to evade detection and enable actors to gain a foothold and move across target networks. This can provide more sophisticated actors with the access and tools necessary to move closer to OT targets, while also thwarting attribution efforts due to the generic nature of the malware.
The following chart shows the most common malware we observed deployed alongside industrial-themed phishing lures (see Appendix 1 for more details about the observed malware).
- Some of the malware families we documented are fully capable backdoors that support a range of standard functions, while others provide only one or a few functions such as credential harvesting, downloading additional resources, or data mining. For example, some families focus on credential theft, while others enable actors to directly interact with the target environment.
- These malware families are sometimes customizable and can be paired with external crypters or packers in order to evade detection by antivirus engines.
- Some of this malware also includes capabilities such as video and microphone audio collection which have been available in remote access trojans (RATs) for a long time. The availability of such tooling challenges historical notions that only well-resourced threat actors have access to such comprehensive capabilities.
Industrial-Themed Phishing Emails Are Sometimes Sophisticated, Sometimes Not
We analyzed our sample of phishing emails by considering factors such as the scope, scale, and complexity of a campaign, email narratives, and the sophistication of the payloads, among other things. During our analysis, we observed phishing emails with different levels of sophistication. Some actors developed well-crafted content that closely imitated real-life OT-themed communications, while others distributed messages with common phishing traits, such as grammatical mistakes or format errors. Some actors repurposed stolen email chains—also known as reply hijacking—using automated methods in attempts to expand their victim pool and operations.
The vast majority of the samples demonstrated evidence of opportunistic en masse distribution, while only a small subset reflected the coordinated efforts of prolific, organized, and relatively sophisticated actors we refer to as distribution threat clusters. We did not identify any cyber espionage campaigns from this activity during this period of analysis, though we have in the past from actors such as APT1, APT3, APT10, APT17, TEMP.Isotope, Conference Crew (UNC39), UNC631, and UNC1151.
Distribution Threat Clusters: Sophisticated Phishing for Widespread Malware Deployment
A distribution threat cluster is a defined set of suspected cybercriminal activity whose primary objective is to deliver malware payloads to multiple victims. While distribution threat clusters produced only a small portion of the phishing emails we analyzed, these samples are especially risky for organizations as they open the door for follow-on activity within the victim network.
Campaigns from distribution threat clusters have led to intrusions that resulted in the deployment of post-compromise ransomware. Despite its financial nature, this activity can disrupt the capability of organizations to sustain regular production flows. Some of the distribution threat clusters we observed in 2022 include:
- A distribution threat cluster that distributes malicious Microsoft Word documents containing first-stage loaders such as MOTEISLAND, REDISLAND and MOUSEISLAND in order to deliver a variety of additional payloads. These campaigns use subjects that appear to be replies to legitimate email chains to deliver malicious ZIP or DOC attachments. UNC2420 has been observed to distribute SNOWCONE.PHOTOLOADER and SNOWCONE.GZIPLOADER (leading to ICEDID), VIDAR, REDLINESTEALER, SLIVER, BAZARLOADER, QAKBOT, URSNIF, TRICKBOT, ADSLOAD, and VALAK.
- A distribution threat cluster that delivers emails containing attachments, or links to compromised websites, to distribute ZIP files containing malicious Word or Excel files. These files download a variety of malware payloads from compromised websites, primarily QAKBOT, but also NUTWAFFLE, SMOKELOADER, BEACON, SYSTEMBC, URSNIF, SNOWCONE.PHOTOLOADER and SNOWCONE.GZIPLOADER (leading to ICEDID).
- A distribution threat cluster that provides distribution services under the name "Master Mana Services". UNC2603 delivers emails containing malicious macro-enabled Office documents, usually PowerPoint (FEEBLEKNIGHT), that connect to URL shortening services that redirect victims to popular blog hosting web services or paste sites containing malicious payloads.
- A distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. They have also leveraged HTML smuggling to distribute ZIP files containing IMG files, which in turn contain LNK files and malware payloads.
- A distribution threat cluster that delivers emails containing attachments or links in order to distribute EMOTET payloads. The attachments may include password-protected ZIP files containing Word or Excel documents, or directly attached Word or Excel documents, that contain malicious macros that, when enabled, initiate the download of an EMOTET payload from compromised websites. EMOTET distribution restarted in November 2021 after a period of inactivity following a coordinated takedown effort by law enforcement in early 2021.
Distribution threat clusters sometimes employ sophisticated TTPs to deliver payloads. Some common TTPs used by distribution threat clusters include:
- Frequent and fast-paced campaigns using subjects and themes that appear to reply to legitimate email chains to deliver payloads.
- Automated creation of high-quality phishing lures by, for example, using common, contemporaneous, or sensational phrases or topics.
- Use of modified or customized malware combined with heavy obfuscation or packing/encrypting of binaries.
- Use of multi-stage infection chains to deliver payloads.
- Adaptation of TTPs and infrastructure to attempt to evade detection and attribution.
Opportunistic Distribution: Low Quality Phishing for Unsuspecting Victims
Most of the phishing activity we observed across our industrial-themed phishing samples was distributed en masse. Opportunistic phishing attempts often use weaker methods that are easily detected and blocked by automated systems such as enterprise email scanning solutions or endpoint protection software. Most often, this activity is associated with common financial crime schemes such as BEC, credential phishing, money mule and shipping scams, IT remote access or individual extortion and fake blackmail.
Groups involved in opportunistic phishing typically hold no interest in specific industries or organizations. However, actors that succeed in compromising industrial victims could then take advantage by selling the access to other actors at a premium if they realize that it provides potential access to OT. Regardless of the complexity of a phishing compromise, a successful attack can help actors cross the initial borders of target networks without attracting attention.
Some examples of the TTPs in this category include:
- Attaching a payload, such as an executable, directly to an email with little or no obfuscation.
- Supplying simplistic lure content with little to no perceived relationship to the victim, often containing spelling and grammatical mistakes.
- Using freely available or off-the-shelf tools and malware payloads.
Hunting for Phishing Attempts Targeting Industrial Organizations
Both sophisticated and simple network intrusions require threat actors to identify a means of initial access, and these actors frequently turn to phishing attacks. As such, OT defenders need to reconsider how to detect and hunt for industrial-targeted phishing.
Setting up mechanisms to identify early compromises that pose a risk to OT helps defenders decrease the risk of minor threats evolving into impactful events that disrupt production processes. We suggest incorporating the following recommendations:
- Perform threat modeling in OT environments to identify users and groups with access to OT systems and resources that are high-value targets for threat actors.
- Leverage threat intelligence to learn about common initial access techniques, actor infrastructure, and ongoing campaigns targeting industrial organizations.
- Track distribution of phishing emails and monitor your environment for related patterns including attachment names, toolmarks or phrases within document attachments or email bodies, and filenames. Pay attention to emails from untrusted entities that appeal to personnel in your field of specialization.
- Understand which types of threat actors target your industry and gain familiarity with the TTPs they use.
- Using insights gained from threat intelligence and threat modeling, hunt within your environment to identify OT-specific phishing attempts. When feasible, deploy detection technologies in networks that are adjacent to your OT infrastructure focusing on TTPs used by the actors most likely to target your organization.
- Hunt for post-compromise indicators such as offensive tooling and evidence of privilege escalation or credential dumping that may indicate that a threat actor has evaded detection during the initial access phase.
- Establish response plans to counter instances where credentials may have been stolen – for example in the event of a data leak.
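As an added example (not Mandiant's tooling or its keyword list), the keyword-based hunt described under "Reeling in One Year of Industrial-Themed Phishing Emails" and the attachment and phrase monitoring recommended above, implemented as a small Python triage over raw .eml bytes using only the standard library. The keyword sample, the risky-extension list, the score weights and the reply-hijack heuristic (a "Re:" subject with no threading headers) are all assumptions made for this illustration, and the message is constructed.

```python
import email
import re
from email import policy

# Constructed keyword sample built from terms the post mentions ("bill of lading",
# "bill of materials (BOM)"); Mandiant's real list is larger and not public.
INDUSTRIAL_KEYWORDS = (
    "bill of lading", "bill of materials", "bom", "purchase order",
    "scada", "plc", "hmi", "rfq", "shipment",
)
# Attachment types the post ties to distribution-cluster campaigns (ZIP,
# Office documents, HTML smuggling, IMG, LNK) plus bare executables.
RISKY_EXTENSIONS = (".zip", ".doc", ".docm", ".xls", ".xlsm", ".ppt",
                    ".pptm", ".html", ".img", ".iso", ".lnk", ".exe")

def keyword_hits(msg):
    """Industrial keywords found as whole words in the subject or text body."""
    text = str(msg.get("Subject", "")) + " "
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text += body.get_content()
    text = text.lower()
    return [k for k in INDUSTRIAL_KEYWORDS
            if re.search(r"\b" + re.escape(k) + r"\b", text)]

def risky_attachments(msg):
    """Attachment filenames whose extension is in RISKY_EXTENSIONS."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)]

def looks_like_reply_hijack(msg):
    """Heuristic (an assumption, not from the post): the subject claims to be
    a reply, yet the threading headers a genuine reply carries are missing."""
    subject = str(msg.get("Subject", "")).strip().lower()
    claims_reply = subject.startswith(("re:", "fw:", "fwd:"))
    return claims_reply and not (msg.get("In-Reply-To") or msg.get("References"))

def triage(raw):
    """Score raw RFC 5322 bytes; 'escalate' = industrial lure + delivery trait."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits, attachments = keyword_hits(msg), risky_attachments(msg)
    hijack = looks_like_reply_hijack(msg)
    return {"keywords": hits, "risky_attachments": attachments,
            "reply_hijack": hijack,
            "score": len(hits) + 2 * len(attachments) + (2 if hijack else 0),
            "escalate": bool(hits) and bool(attachments or hijack)}

# Constructed sample: a fake "reply" carrying an industrial lure and a ZIP.
SAMPLE_EML = b"""From: logistics@example.invalid
To: pm@example.invalid
Subject: RE: Bill of Lading and revised BOM for PLC cabinet
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached bill of lading and purchase order.
--b1
Content-Type: application/zip; name="BOL_48213.zip"
Content-Disposition: attachment; filename="BOL_48213.zip"

(placeholder: archive bytes omitted)
--b1--
"""
```

Running `triage(SAMPLE_EML)` flags four keyword hits, one risky attachment and the missing threading headers; a genuine reply with In-Reply-To/References and no attachment scores low and is not escalated.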
Appendix 1: Malware families deployed alongside industrial-themed phishing lures between October 2021 and September 2022
AGENTTESLA is a .NET-based credential stealer capable of capturing keystrokes, clipboard data, camera images, and screenshots. AGENTTESLA also targets credentials stored by applications that include web browsers, FTP clients, and email clients. AGENTTESLA can be configured to exfiltrate data via HTTP, SMTP, FTP, Telegram, or a downloaded Tor proxy utility. Some variants may be configured to propagate via USB drives.
ASYNCRAT is a .NET-based backdoor that communicates using a custom binary protocol over TCP. The backdoor can execute shell commands and download plugins to extend its features. Downloaded plugins may be executed directly in memory or stored in the registry. Capabilities added via plugins include screenshot capture, file transfer, keylogging, video capture, and cryptocurrency mining. ASYNCRAT also supports a plugin that targets credentials stored by Firefox and Chromium-based web browsers.
BLUSTEALER is a nimble credential stealer that mines credentials and wallets from victims’ browser and resident file system.
EMOTET is a downloader written in C/C++ that communicates with its command and control infrastructure via HTTPS and uses elliptic-curve cryptography to support key exchange and message authentication. EMOTET retrieves two types of payloads: modules that extend its own functionality and additional malware. Downloaded modules and secondary payloads can be executed in memory; however, EMOTET can also download and execute secondary payloads from disk depending on received commands. Modules in active distribution have varied over time; however, they are commonly used to steal credentials, harvest email data, perform reconnaissance, and generate spam email used by EMOTET for self-propagation.
FORMBOOK is a backdoor written in C that communicates via HTTP. Supported commands include screenshot capture, shell command execution, file download, and file execution. FORMBOOK is also capable of capturing keystrokes, monitoring the clipboard, stealing web browser cookies, and extracting credentials stored by web browsers. FORMBOOK also uses hooks to intercept credentials and account information associated with web browsers and email clients.
XLOADER is a variant of the FORMBOOK malware, with differences that include a minor change in a string used in network traffic, an additional layer of RC4 encryption, higher numbers of decoy domains and some changes in C2 configuration storage.
GULOADER is shellcode that acts as a downloader. Payloads are retrieved via HTTP. Supported payload types include executables, DLLs, and shellcode. Downloaded payloads may be written to disk or mapped into memory prior to execution.
LOKIBOT is a credential stealer written in C/C++ that targets credentials for numerous applications including web browsers, password managers, email clients, and FTP clients. It is also capable of collecting cryptocurrency wallets, capturing keystrokes, and retrieving additional payloads. Harvested data is uploaded via HTTP.
MATIEX.SNAKELOGGER is a variant of the MATIEX data miner. The malware extracts credentials from web browsers, email clients, instant messaging software, and FTP clients. It can also be configured to harvest Wi-Fi credentials as well as capture keystrokes, screenshots, and clipboard data. Unlike MATIEX, MATIEX.SNAKELOGGER cannot record microphone audio and cannot communicate using Discord Webhooks. Collected data may be uploaded to a remote server via SMTP, FTP, or Telegram's bot API.
MODILOADER is a Delphi downloader that typically downloads an encoded stager/loader. This stager DLL (also coded in Delphi) injects the actual payload in a spawned process.
NANOCORE is a .NET-based backdoor that communicates using a custom binary protocol over TCP. Its core functionality involves expanding its capabilities through a plugin management system. Downloaded plugins are mapped directly into memory and executed. They are also stored locally. Capabilities added via plugins include full system control using the mouse and keyboard, webcam video and audio capture, keylogging, and reverse shell creation.
QAKBOT is a backdoor written in C/C++ that implements a plug-in framework to extend its capabilities via embedded and downloaded plugins. QAKBOT communicates using HTTP, HTTPS, or a custom binary protocol over TCP. If attempts to connect to a hard-coded C2 server are unsuccessful, QAKBOT may employ a domain generation algorithm (DGA) to generate C2 URLs. QAKBOT's capabilities also include keylogging, file transfer, file execution, and process termination. QAKBOT also targets credentials by intercepting browser activity, injecting malicious code into browser sessions, and extracting credentials stored by browsers, email clients, and FTP clients. QAKBOT has been observed downloading a VNC plugin, an Outlook email harvester, a proxy plugin, and a browser cookie stealer. The proxy plugin allows QAKBOT to proxy traffic from other QAKBOT-infected systems to a QAKBOT controller. QAKBOT has also been observed downloading a plugin that retrieves a BEACON backdoor payload. QAKBOT is also capable of propagating to other systems on a network via SMB and setting up port forwarding on a connected router via the UPnP protocol.
REDLINESTEALER is a credential stealer capable of stealing credentials from web browsers, files, FTP applications and cryptocurrency wallets. It also collects extensive system survey information such as basic hardware specifications, a desktop screenshot, username, OS, language, geographic location, installed software, process listing and global IP address. The malware can download and launch additional payloads or launch a hidden command shell for the attacker. REDLINESTEALER has been advertised for sale on hacking forums.
REMCOS is a backdoor written in C++ that communicates using a custom binary protocol over TCP. Supported backdoor commands include mouse and keyboard manipulation, arbitrary shell command execution, file transfer, and file execution. REMCOS can also capture webcam video, microphone audio, keystrokes, and screenshots.
WARZONE is a backdoor written in C++ that communicates via a custom protocol over TCP. Its capabilities include video and screenshot capture, remote desktop, keylogging, file transfer, file execution, and reverse shell creation. WARZONE can also extract credentials stored by web browsers, email clients, and the Windows Credential Manager.