Proofpoint Warns of Malware Targeting Transportation and Logistics Companies

News Desk

Proofpoint researchers are tracking a surge of cyber activity aimed at transportation and logistics companies in North America, with attackers deploying a range of malware payloads. The threat actors are leveraging compromised legitimate email accounts, predominantly belonging to transportation and shipping firms. These compromised accounts are then used to inject malicious content into existing conversations, making the messages appear legitimate.

Since May 2024, Proofpoint has identified at least 15 compromised email accounts linked to this campaign. The activity, observed between May and July 2024, delivered malware such as Lumma Stealer, StealC, and NetSupport. However, in August 2024, the threat actor adopted new tactics, including new infrastructure and a delivery technique that introduced DanaBot and Arechclient2.

Most campaigns involve emails with Google Drive URLs leading to an internet shortcut (.URL) file, or a .URL file attached directly to the email. If executed, the .URL file uses SMB to access a remote executable, which installs the malware. The campaigns generally target a small number of customers, with fewer than 20 messages per campaign, all within the North American transportation and logistics sector.
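As an added illustration, not Proofpoint's code or part of the original report, the following Python checks a Windows .URL shortcut for the delivery pattern described above: a target or icon path that points at a remote SMB share or a file:// host, or directly at an executable. The sample shortcuts are constructed and the 203.0.113.10 address is a documentation placeholder.

```python
import configparser
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample .URL files (not real campaign artifacts). A Windows
# internet shortcut is INI text with an [InternetShortcut] section.
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"
SAMPLE_SUSPICIOUS = (
    "[InternetShortcut]\n"
    "URL=file://203.0.113.10/share/update.exe\n"      # placeholder host
    "IconFile=\\\\203.0.113.10\\share\\icon.ico\n"   # UNC path to same host
    "IconIndex=1\n"
)

# Extensions that Windows will run (or that load code) when the target opens.
EXEC_EXT = (".exe", ".dll", ".msi", ".bat", ".cmd", ".ps1",
            ".hta", ".js", ".vbs", ".lnk", ".scr")


@dataclass
class UrlFileFinding:
    remote_target: bool      # URL= points at an SMB/UNC share or file:// host
    executable_target: bool  # URL= ends in an executable extension
    remote_icon: bool        # IconFile= points at a remote share
    url: str


def _is_unc_or_file(value: str) -> bool:
    """True for \\\\host\\share style paths and file:// URLs with a host."""
    v = value.strip()
    if v.startswith("\\\\") or v.startswith("//"):
        return True
    p = urlparse(v)
    return p.scheme.lower() == "file" and bool(p.netloc)


def inspect_url_file(text: str) -> UrlFileFinding:
    """Parse one .URL file and report the remote/executable indicators."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "InternetShortcut" not in cp:          # not a usable shortcut at all
        return UrlFileFinding(False, False, False, "")
    sect = cp["InternetShortcut"]
    url = sect.get("URL", "")
    icon = sect.get("IconFile", "")
    return UrlFileFinding(
        remote_target=_is_unc_or_file(url),
        executable_target=url.strip().lower().endswith(EXEC_EXT),
        remote_icon=_is_unc_or_file(icon),
        url=url,
    )


def is_suspicious(finding: UrlFileFinding) -> bool:
    """Flag any shortcut whose target or icon leaves the local machine."""
    return finding.remote_target or finding.remote_icon or finding.executable_target
```

A mail gateway or EDR rule can apply the same checks to .URL attachments and to shortcuts downloaded from cloud-storage links before the user opens them.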

In August 2024, the actor introduced a new malware delivery method known as the “ClickFix” technique. This involves emails containing URLs that direct users through multiple dialog boxes, eventually leading them to execute a Base64-encoded PowerShell script. This technique was used to install the DanaBot malware through an MSI file.

Threat actors impersonated well-known fleet management software, such as Samsara, AMB Logistic, and Astra TMS, making the attacks more convincing. Proofpoint has observed similar tactics in the past, but this campaign’s focus on transportation-specific software suggests that the attackers are conducting research into their targets’ operations.

While Proofpoint has not definitively attributed these campaigns to a specific threat actor, they believe the infrastructure used is likely purchased from third-party providers. The attackers’ tactics align with financially motivated cybercriminal behavior, utilizing social engineering techniques and commonly available malware rather than bespoke or complex payloads.

Why This Matters:

As attackers become more sophisticated in their social engineering tactics, using legitimate compromised email accounts raises the likelihood of recipients unknowingly installing malware. The specific targeting of transportation and logistics companies, coupled with software impersonations, underscores the importance of vigilance within these industries.

Proofpoint advises users to exercise caution with emails from known senders that deviate from normal activity, particularly when they contain unusual links or file types. In suspicious cases, users should verify the email’s authenticity by contacting the sender through alternative means.