Summary
Wapack Labs observed malicious email trending on CTAC which detected an uptick in Darwish Trading Company (DTC) spoofing. Hackers pretend to be from this Qatari company as it has a wide range of business activities to include servicing the oil and gas sector. During 29 March 2019 – 3 April 2019, these samples were seen delivering Lokibot and PonyLoader malware.
Details
Figure 1. Malicious .doc attachment in an email spoofing Darwish Trading Company
The Darwish Trading Company (DTC) has a wide range of business activities to include oil and gas services.[1]
Wapack Labs detected an uptick of malicious emails spoofing DTC during 29 March 2019 – 3 April 2019. They were delivering the attached archive named, “DARWISH TRADING PROFILE.zip” with a malicious Windows executable. The most recent sample that was first seen on 01 April 2019, was delivering PonyStealer malware.[2] Earlier, a sample first seen on 29 March 2019 was delivering Lokibot malware.[3]
Hacker attacks utilizing the DTC name were observed over a long period of time. In 2018, hackers spoofed different DTC personas for the deliveries (Table 1):
Table 1. Examples of malicious emails pretending to be from Darwish Trading Company
From: | Description [original spelling] | Dates |
Kassem Ahmed <purchase@darwish-tdg.qa> | Kassem Ahmed HEAD OF PURCHASING | 2018-05-03 – 2019-03-31 |
Kassem Ahmed <jas.321@att.net> | Kassem Ahmed HEAD OF PURCHASING | 2018-09-10 – 2018-09-14 |
Md Moin <oshako@hydromet.gov.gy> | MR. KASSEM AHMED , THE PURCHASE MANAGER FOR OVERSEAS BUSINESS UNIT OF DARWISH TRADING COMPANY DOHA, QATAR.
MD Moin, HEAD OF PURCHASING DARWISH TRADING COMPANY DOHA, QATAR. EMAIL: PURCHASE@DARWISH-TDG.QA | 2018-07-24 – 2018-08-17 |
"jessica peters"<darwish-td.qa@outlook.com> | Jessica peters from darwish trading company. Purchase Manager. E-mail:darwish-td.qa@outlook.com | 2018-05-08 |
"jessica peters"<sales04@gmail.com> | Jessica peters from darwish trading company. Purchase Manager. E-mail:darwish-td.qa@outlook.com | 2018-05-17 – 2018-05-18 |
Alice Liu <ahad@kallolgroup.com>
| Ms. Alice Liu , the purchase manager for overseas business unit of DARWISH TRADING COMPANY DOHA, QATAR. Email: purchase@darwish-tdg.qa | 2018-09-12 – 2018-09-13 |
" finance@alkadri-exp.com " <info@arushagemshow.com>
| Rajan Thomas. Darwish Trading Co. Finance Div. r.thomas@darwish-tdg.qa | 2018-04-20 |
Conclusions
Since 2018, hackers have impersonated DTC employees in Business Email Compromise attacks. Companies should train and protect their employees as not to fall victims of the malware attached.
Prepared by: Yury Polozov
[1]hxxp://www.darwish-tdg[.]qa
[2]SHA-256 d737fb69f993c8589eeb94997b5cb2a13f6e625d107614a54c03da8ff0c31d0e
[3]SHA-256 20bb05f8f199fe33a879f9fefd4c3c314c5167eb8f274d8adcae5055e17fcc47
