A recent phishing campaign utilizing an updated version of the Rhadamanthys malware-as-a-service (MaaS) has been identified targeting oil and gas companies. Analysts from Cofense have uncovered this campaign, which employs deceptive emails and a PDF attachment masquerading as communications from the fictitious "Federal Bureau of Transportation."
According to a new flash alert from email security experts, this bureau does not exist and appears to be a blend of the Department of Transportation and the Bureau of Transportation Statistics. The motive behind targeting this specific sector remains unclear, although the Cofense alert warns that the campaign's tactics could easily be adapted to target other industries.
During its active phase, the phishing campaign was remarkably successful in reaching its targets, raising concerns among security professionals. This operation emerged shortly after the LockBit takedown in February. Rhadamanthys 5.0, the latest iteration of this malware, was enhanced earlier in 2024 to improve its evasion techniques and data exfiltration capabilities.
The phishing emails deployed in this campaign are meticulously crafted to deceive recipients. The attackers employ various provocative subject lines, such as "Notification: Incident Involving Your Vehicle" and "Attention Needed: Your Vehicle's Collision," to grab attention and evoke emotional responses.
Cofense researchers noted the unusual tactic of using vehicle incidents as a lure, highlighting the threat actors' efforts to exploit recipients' emotions. Each email is uniquely crafted, often claiming to notify employees through official channels about a purported car incident, and citing potential legal repercussions or even warning about the involvement of law enforcement.
This sophisticated phishing campaign underscores the evolving tactics of cybercriminals and the importance of robust email security measures to mitigate such threats.