Hackers Spoof Qatari Darwish Trading Company

Summary

Wapack Labs observed malicious email trending on CTAC which detected an uptick in Darwish Trading Company (DTC) spoofing.  Hackers pretend to be from this Qatari company as it has a wide range of business activities to include servicing the oil and gas sector.  During 29 March 2019 – 3 April 2019, these samples were seen delivering Lokibot and PonyLoader malware.

Details

Figure 1. Malicious .doc attachment in an email spoofing Darwish Trading Company

The Darwish Trading Company (DTC) has a wide range of business activities to include oil and gas services.[1]

Wapack Labs detected an uptick of malicious emails spoofing DTC during 29 March 2019 – 3 April 2019.  They were delivering the attached archive named, “DARWISH TRADING PROFILE.zip” with a malicious Windows executable.  The most recent sample that was first seen on 01 April 2019, was delivering PonyStealer malware.[2]  Earlier, a sample first seen on 29 March 2019 was delivering Lokibot malware.[3]

Hacker attacks utilizing the DTC name were observed over a long period of time.  In 2018, hackers spoofed different DTC personas for the deliveries (Table 1):

Table 1. Examples of malicious emails pretending to be from Darwish Trading Company

From:

Description [original spelling]

Dates

Kassem Ahmed <purchase@darwish-tdg.qa>

Kassem Ahmed

HEAD OF PURCHASING

2018-05-03 – 2019-03-31

Kassem Ahmed <jas.321@att.net>

Kassem Ahmed

HEAD OF PURCHASING

2018-09-10 – 2018-09-14

Md Moin <oshako@hydromet.gov.gy>

MR. KASSEM AHMED , THE PURCHASE MANAGER

 FOR OVERSEAS BUSINESS UNIT OF DARWISH TRADING COMPANY DOHA, QATAR.

 

 MD Moin, HEAD OF PURCHASING DARWISH TRADING COMPANY DOHA, QATAR. EMAIL: PURCHASE@DARWISH-TDG.QA

2018-07-24 – 2018-08-17

"jessica peters"<darwish-td.qa@outlook.com>

Jessica peters from darwish trading company.

Purchase Manager.

E-mail:darwish-td.qa@outlook.com

2018-05-08

"jessica peters"<sales04@gmail.com>

Jessica peters from darwish trading company.

Purchase Manager.

E-mail:darwish-td.qa@outlook.com

2018-05-17 – 2018-05-18

Alice Liu <ahad@kallolgroup.com>

 

Ms. Alice Liu , the purchase manager for overseas business unit of DARWISH TRADING COMPANY DOHA, QATAR. Email: purchase@darwish-tdg.qa

2018-09-12 – 2018-09-13

" finance@alkadri-exp.com " <info@arushagemshow.com>

 

Rajan Thomas.

Darwish Trading Co.

Finance Div.

r.thomas@darwish-tdg.qa

2018-04-20

Conclusions

Since 2018, hackers have impersonated DTC employees in Business Email Compromise attacks. Companies should train and protect their employees as not to fall victims of the malware attached.

 

Prepared by:  Yury Polozov

 

[1]hxxp://www.darwish-tdg[.]qa

[2]SHA-256 d737fb69f993c8589eeb94997b5cb2a13f6e625d107614a54c03da8ff0c31d0e

[3]SHA-256 20bb05f8f199fe33a879f9fefd4c3c314c5167eb8f274d8adcae5055e17fcc47