Weeks before US oil contract prices went negative, a spear-phishing crew went after oil firms. What did they get?

As American crude oil crashed on Monday, leading to the bizarre situation of a negative futures contract price, our attention was drawn to a spear-phishing campaign against organizations involved in global oil production. The folks at Bitdefender today detailed a targeted espionage mission against oil and energy companies …

  1. Mike 137 Silver badge

    "Bitdefender has provided a list of file hashes to block and indicators of compromise"

    This is why such malware reaches the desktop. Change one byte and bypass the AV.

    By now, we should have developed a rather more sophisticated approach given that malware has been a highly significant threat for almost four decades.

    1. Mark192 Bronze badge

      Re: "Bitdefender has provided a list of file hashes to block and indicators of compromise"

      I assumed hashes were just one of several measures used by AV programs.

    2. tip pc Silver badge

      Re: "Bitdefender has provided a list of file hashes to block and indicators of compromise"

      file hashes are much faster to scan for.

      Also, how does the virus change its size once deployed? Does it recompile itself? Most viruses will stay the same size unless updated to a new version. A file hash is tiny and many hashes can be searched for quickly. It's far easier to look for a file hash than rip apart every file looking to understand how it works and determine if it's a virus. Much quicker to do that once, calculate the hash for bad files and tell all your clients to look for the hash.

      Have you built some new tool Mike 137 that does a better quicker job?

      1. Jimmy2Cows Silver badge

        Re: "Bitdefender has provided a list of file hashes to block and indicators of compromise"

        Doesn't need to recompile itself, just needs a data section in its file(s) which can be randomly overwritten each time the virus executes. Size doesn't change but the content does. That will change its hash upon every execution, and as long as no functional code is overwritten there will be no impact on running the virus code.

        1. Doctor Syntax Silver badge

          Re: "Bitdefender has provided a list of file hashes to block and indicators of compromise"

          I'd hope AV will take that into account and treat it as an indicator of possibly suspect activity.
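The exchange above, as an added example that is not part of the original thread or of Bitdefender's published indicators: a toy "TOYX" image format (an assumption, not a real PE/ELF layout) with a code region and a writable data region, so a defender can see why a whole-file hash indicator stops matching once a non-functional region is rewritten, while a hash taken over the code region alone still matches. The sample code and data bytes, the header layout and the helper names are all constructed for the demonstration.

```python
"""
Why a whole-file hash IOC is brittle, and what a region-aware hash buys a
defender. Everything here is constructed for illustration: the "TOYX" image
format, the region contents and the mutation are assumptions, not the
malware or the indicators discussed in the article.
"""
import hashlib
import os
import struct

# Toy image header: magic, code offset, code length, data offset, data length.
HEADER = struct.Struct("<4sIIII")
MAGIC = b"TOYX"

# Constructed sample regions (placeholders, not real machine code).
SAMPLE_CODE = b"<constructed code region: the part that actually runs>"
SAMPLE_DATA = b"\x00" * 32  # a writable scratch region, as described in the thread


def build_image(code: bytes, data: bytes) -> bytes:
    """Assemble a toy image: header, then the code region, then the data region."""
    code_off = HEADER.size
    data_off = code_off + len(code)
    return HEADER.pack(MAGIC, code_off, len(code), data_off, len(data)) + code + data


def parse_image(image: bytes) -> tuple[bytes, bytes]:
    """Return (code, data) regions, refusing malformed headers instead of guessing."""
    if len(image) < HEADER.size:
        raise ValueError("image too short for header")
    magic, code_off, code_len, data_off, data_len = HEADER.unpack_from(image, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    for off, length in ((code_off, code_len), (data_off, data_len)):
        if off < HEADER.size or off + length > len(image):
            raise ValueError("region out of bounds")
    return image[code_off:code_off + code_len], image[data_off:data_off + data_len]


def file_hash(image: bytes) -> str:
    """The kind of value a hash-list IOC carries: SHA-256 over every byte on disk."""
    return hashlib.sha256(image).hexdigest()


def code_hash(image: bytes) -> str:
    """SHA-256 over the code region only; ignores bytes the program may rewrite."""
    code, _ = parse_image(image)
    return hashlib.sha256(code).hexdigest()


def mutate_data_region(image: bytes) -> bytes:
    """Model the scenario in the thread: same size, same code, scratch region rewritten."""
    code, data = parse_image(image)
    return build_image(code, os.urandom(len(data)))


def check_iocs(image: bytes, full_hash_iocs: set, code_hash_iocs: set) -> dict:
    """Match one image against both kinds of indicator and report which fired."""
    return {
        "full_hash_match": file_hash(image) in full_hash_iocs,
        "code_hash_match": code_hash(image) in code_hash_iocs,
    }


def demo() -> dict:
    """Build the known sample, derive IOCs from it, then scan a data-mutated copy."""
    known = build_image(SAMPLE_CODE, SAMPLE_DATA)
    full_iocs = {file_hash(known)}
    code_iocs = {code_hash(known)}
    variant = mutate_data_region(known)
    return {
        "same_size": len(variant) == len(known),
        "known": check_iocs(known, full_iocs, code_iocs),
        "variant": check_iocs(variant, full_iocs, code_iocs),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the known sample matching both indicators and the mutated copy matching only the code-region hash, at the same file size. The region hash is still an exact hash: a single changed byte inside the code region would break it too, which is the limitation the first comment is pointing at. What the example shows is that the choice of which bytes feed the hash decides how much a free rewrite of scratch data can defeat the indicator, and an on-disk hash that changes between executions with no update is itself worth flagging, as the last reply suggests.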

  2. HildyJ Silver badge
    Pirate

    Who wasn't targeted

    Even though Yandex doesn't equal Russia, the fact that Russia was not targeted puts them under suspicion. Ditto Saudi Arabia. Knowing what other countries are planning would be a great advantage going into the OPEC meetings. I would also not rule out the NSA.

    1. Pascal

      Re: Who wasn't targeted

      Using Yandex and not targeting Russian companies would also be the simplest misdirect. Or a misdirected misdirect. Do they know that you know that they know that you know?

      1. Claptrap314 Silver badge

        Re: Who wasn't targeted

        I'm just getting started!

    2. Roland6 Silver badge

      Re: Who wasn't targeted

      Ditto the USA...

      Personally, if I were a hacker residing in the US sphere of influence, I can see how a Russian mailbox could be useful in making it more difficult for the spooks to follow my tracks.

Biting the hand that feeds IT © 1998–2020