Sep 25, 2024
Ravie Lakshmanan
Email Security / Threat Intelligence
Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs).
The activity cluster, according to Proofpoint, uses compromised legitimate email accounts belonging to transportation and shipping companies to inject malicious content into existing email conversations.
As many as 15 breached email accounts have been identified as part of the campaign. How these accounts were compromised, and who is behind the activity, remains unclear.
“Activity that took place from May to July 2024 primarily delivered Lumma Stealer, StealC, or NetSupport,” the enterprise security firm said in an analysis published Tuesday.
“In August 2024, the threat actor changed tactics by using new infrastructure and a new delivery technique, as well as adding payloads to distribute DanaBot and Arechclient2.”
The attack chains involve sending messages with internet shortcut (.URL) attachments or Google Drive URLs leading to a .URL file that, when launched, fetches the next-stage payload containing the malware from a remote share using Server Message Block (SMB).
Some variants of the campaign observed in August 2024 have also utilized a technique called ClickFix to deceive victims into downloading the DanaBot malware under the guise of addressing an issue with displaying document content in the web browser.
Specifically, this involves instructing users to copy and paste a Base64-encoded PowerShell script into the terminal, triggering the infection process.
“These campaigns have impersonated Samsara, AMB Logistic, and Astra TMS – software that would only be used in transport and fleet operations management,” Proofpoint highlighted.
“The targeted organizations within transportation and logistics, along with the use of lures impersonating software designed for freight operations and fleet management, suggest that the attacker likely conducts research into the targeted company’s operations before launching campaigns.”
The disclosure comes at a time when various stealer malware strains like Angry Stealer, BLX Stealer, Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a CryptBot-related variant YASS have emerged.
Additionally, a new version of the RomCom RAT, known as SnipBot, has surfaced, potentially indicating a shift from financial gain to espionage.