Transportation and logistics companies in North America are being targeted by a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs).
The cluster of activity, according to Proofpoint, uses compromised legitimate email accounts belonging to trucking and transportation companies to inject malicious content into existing email conversations.
As many as 15 compromised email accounts have been identified as being used in the campaign. It is currently unclear how these accounts were compromised in the first place or who is behind the attacks.
“Activities occurring between May and July 2024 primarily featured Lumma Stealer, StealC, or NetSupport,” the enterprise security firm said in an analysis published on Tuesday.
“In August 2024, the attacker changed tactics, using new infrastructure and a new delivery technique, and adding payloads to deliver DanaBot and Arechclient2.”
Attack chains involve sending messages with Internet Shortcut (.URL) attachments or Google Drive URLs that lead to a .URL file which, when executed, uses Server Message Block (SMB) to retrieve the next-stage payload containing the malware from a remote share.
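A .URL file is a small INI-style text file whose `URL=` field Windows resolves when the shortcut is opened; when that field names a remote host with a `file://` or UNC path, the target is fetched over SMB as described above. The following triage helper, added here as an illustration rather than anything from Proofpoint's report, parses such a shortcut and flags targets that resolve to a remote share. The shortcut bodies, host name and file names are constructed samples, not artifacts from the campaign.

```python
import configparser
from urllib.parse import urlparse

# Constructed samples (not campaign artifacts): a shortcut whose target is a remote
# share and a benign one pointing at a web page.
SMB_SHORTCUT = """[InternetShortcut]
URL=file://fileserver.example.test/public/Invoice_2024.exe
IDList=
HotKey=0
"""
WEB_SHORTCUT = """[InternetShortcut]
URL=https://www.example.com/docs/handbook.html
"""

# Extensions that make a remote target worth escalating (illustrative list).
EXEC_EXT = {"exe", "dll", "scr", "js", "vbs", "bat", "cmd", "ps1", "lnk", "hta"}


def parse_internet_shortcut(text):
    """Return the key/value pairs of the [InternetShortcut] section (keys lowercased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM at the start of the file
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp.items(section))  # configparser lowercases option names
    return {}


def classify_target(url):
    """Classify where the shortcut target lives: remote share, local file, web or unknown."""
    u = url.strip()
    if u.startswith("\\\\"):
        return "remote-share"  # raw UNC path, e.g. \\host\share\file
    p = urlparse(u)
    scheme = p.scheme.lower()
    if scheme == "file":
        # file://host/share/... (or file:////host/share) is resolved through the
        # redirector, i.e. over SMB (or WebDAV if SMB is blocked).
        if p.netloc or p.path.startswith("//"):
            return "remote-share"
        return "local-file"
    if scheme in ("http", "https"):
        return "web"
    return "unknown"


def triage_shortcut(text):
    """Parse one .URL body and return the target, its class and an alert decision."""
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    verdict = classify_target(url)
    ext = url.lower().rsplit(".", 1)[-1] if "." in url else ""
    return {
        "url": url,
        "verdict": verdict,
        "executable_target": ext in EXEC_EXT,
        "alert": verdict == "remote-share",
    }


if __name__ == "__main__":
    for body in (SMB_SHORTCUT, WEB_SHORTCUT):
        print(triage_shortcut(body))
```

Run it over attachments extracted from mail as a cheap first filter: a shortcut whose target is a remote share, particularly one ending in an executable extension, has no business arriving by email and should be quarantined for analysis. Blocking outbound SMB (TCP 445) at the perimeter removes the delivery path altogether.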
Some variants of the campaign observed in August 2024 also relied on a recently popular technique called ClickFix to trick victims into downloading the DanaBot malware under the pretext of fixing a problem with displaying document content in a web browser.
Specifically, this involves urging users to copy and paste a Base64-encoded PowerShell script into a terminal, thereby kicking off the infection process.
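Because the victim types or pastes the command themselves, the resulting process-creation event has a telltale shape: an interactive parent such as explorer.exe, a `-EncodedCommand` (or an abbreviation of it) carrying Base64 of a UTF-16LE script, and usually a hidden window. The helper below, added here as an example and not part of Proofpoint's analysis or tooling, decodes that payload from constructed process-creation records and scores the event. The records and the inner script are constructed stand-ins; the inner script is deliberately harmless and only reproduces the shape (encoded, hidden, Invoke-Expression) that a detection would key on.

```python
import base64
import binascii
import re

# Constructed sample: the harmless stand-in script a lure might encode, and the
# command line a pasted ClickFix instruction would produce.
_INNER = "$s = 'constructed sample'; Invoke-Expression $s"
_ENCODED = base64.b64encode(_INNER.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records: (parent image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe -w hidden -nop -enc " + _ENCODED),
    ("explorer.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ("cmd.exe", "powershell.exe -Command Get-Date"),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match them all.
_ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom"
    r"|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
_HIDDEN = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
_SUSPICIOUS = ("invoke-expression", "iex ", "downloadstring", "frombase64string",
               "net.webclient", "invoke-webrequest", "irm ")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage_event(parent, cmdline):
    """Score one process-creation record for the ClickFix paste-and-run pattern."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded-command")
        hits = [t for t in _SUSPICIOUS if t in decoded.lower()]
        if hits:
            findings.append("suspicious-cmdlets:" + ",".join(h.strip() for h in hits))
        if parent.lower() == "explorer.exe":
            # Launched from the shell rather than a script host: consistent with a user
            # pasting the command into Run or a terminal, as ClickFix lures instruct.
            findings.append("interactive-parent")
    if _HIDDEN.search(cmdline):
        findings.append("hidden-window")
    # Alert on an encoded command that carries at least one corroborating signal.
    alert = "encoded-command" in findings and len(findings) >= 2
    return {"parent": parent, "decoded": decoded, "findings": findings, "alert": alert}


def triage_all(events=SAMPLE_EVENTS):
    return [triage_event(parent, cmdline) for parent, cmdline in events]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

Only the first record alerts: it is the only one with an encoded command, and it is corroborated by the hidden window and the interactive parent. The scheduled-task style `-File` invocation and the plain `-Command Get-Date` decode to nothing and stay quiet, which is the point of scoring on the combination rather than on the mere presence of PowerShell.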
“These campaigns mimicked Samsara, AMB Logistic and Astra TMS, software that would only be used in transportation and fleet management,” Proofpoint said.
“The specific targeting and compromises of organizations in the transportation and logistics sector, as well as the use of decoys that mimic software specifically designed for freight operations and fleet management, indicate that the actor likely conducts research on the target company’s operations before sending the campaigns.”
The disclosure comes amid the emergence of various stealer malware strains such as Angry Stealer, BLX Stealer (aka XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer and X-FILES Stealer, as well as a CryptBot-linked variant dubbed Yet Another Silly Stealer (YASS).
It also follows the appearance of a new version of RomCom RAT, the successor to PEAPOD (aka RomCom 4.0), codenamed SnipBot, which spreads via fake links embedded in phishing emails. Some aspects of the campaign were earlier highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2024.
“SnipBot gives an attacker the ability to execute commands and download additional modules onto a victim’s system,” Palo Alto Networks Unit 42 researchers Yaron Samuel and Dominik Reichel said.
“The initial payload is always either an executable downloader disguised as a PDF file or a real PDF file sent to the victim in an email that leads to the executable.”
While RomCom-infected systems have also seen ransomware deployments in the past, the cybersecurity company noted the absence of such behavior, raising the possibility that the threat actor behind the malware, Tropical Scorpius (aka Void Rabisu), has moved from pure financial gain to espionage.