Since early May, Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack targeting the Energy & Oil sector. The attack structure consists of several compromised domains, some of which play the role of redirector and others the role of malware host.
Observed watering-hole style domains containing the malicious iframe have included:
1) An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;
2) A company that owns multiple hydroelectric plants throughout the Czech Republic and Bulgaria;
3) A natural gas power station in the UK;
4) A gas distributor located in France;
5) An industrial supplier to the energy, nuclear and aerospace industries;
6) Various investment and capital firms that specialize in the energy sector.