What happened
Proofpoint researchers are tracking a cluster of activity targeting transportation and logistics companies in North America to deliver a variety of different malware payloads.
Notably, this activity leverages compromised legitimate email accounts that belong to transportation and shipping companies. At this time, it is unclear how the actor achieves access to the compromised accounts. The actor then injects malicious content into existing conversations within the account’s inbox, which makes the messages look legitimate. Proofpoint has identified at least 15 compromised email accounts used during these campaigns.
Researchers have been tracking this activity cluster since late May 2024. Activity which occurred from May to July 2024 predominately delivered Lumma Stealer, StealC, or NetSupport. In August 2024, the threat actor changed tactics by employing new infrastructure and a new delivery technique, as well as adding payloads to deliver DanaBot and Arechclient2.
Most campaigns use messages with Google Drive URLs leading to an internet shortcut (.URL) file, or a .URL file attached directly to the message. If executed, it uses SMB to access an executable from the remote share, which installs the malware.
Actor responds from a compromised account to a request within an ongoing thread.
Actor using a compromised account to post a malicious link to an ongoing thread.
Campaigns typically include less than 20 messages and impact a small number of customers, all in the same transport/logistics industries in North America.
In August 2024, the actor also began using the “ClickFix” technique to deliver their malware. The messages contained URLs which directed users through various dialogue boxes leading them to copy, paste, and run a Base64 encoded PowerShell script contained within the HTML, a technique called "ClickFix." The scripts led to an MSI file used to load DanaBot.
Initial “ClickFix” dialogue box in which clicking the “Fix it” button copies a Base64 encoded PowerShell script.
Final “ClickFix” dialogue box with instructions to open Windows PowerShell and paste and run the PowerShell script.
While Proofpoint has observed this technique leveraged by other threat actors impersonating Word or Chrome updates, these campaigns have impersonated Samsara, AMB Logistic, and Astra TMS – software that would only be used in transport and fleet operations management.
Attribution
Proofpoint does not currently attribute this activity cluster to an identified threat actor (TA). Similar techniques and infrastructure associated with ClickFix and the combination of Google Drive URLs, .URL files, and SMB have been observed used by other threat actors and campaigns. Proofpoint researchers assess that the threat actor discussed in this Security Brief is purchasing this infrastructure from third party providers.
Based on the observed initial access activity, malware delivery, and infrastructure, Proofpoint assesses with moderate confidence the activity aligns with financially motivated, cybercriminal objectives.
Why it matters
Threat actors are increasingly tailoring lures to be more realistic to entice recipients to click on a link or download attachments. Compromising legitimate email accounts and sending malicious links and attachments to an existing email conversation achieves this goal and raises the risk that recipients will install malware.
The specific targeting and compromises of organizations within transportation and logistics, as well as the use of lures that impersonate software specifically designed for freight operations and fleet management, indicates that the actor likely conducts research into the targeted company’s operations before sending campaigns. The language used in the lures and content also indicate familiarity with typical business workflows.
This activity aligns with a trend Proofpoint researchers have observed across the cybercriminal threat landscape. Threat actors are developing more sophisticated social engineering and initial access techniques across the delivery attack chain while relying more on commodity malware rather than complex and unique malware payloads.
Members of the transportation/logistics industry, and users in general, should exercise caution with emails coming from known senders which deviate from normal activity or content, particularly when combined with unusual looking links and file types such as described in this Security Brief. In other words, emails that do not look or feel right and trigger a sixth sense that something is off.
When encountering such activity users should contact the sender using another means to confirm their authenticity.
Indicators of compromise
|
Indicator |
Description |
First Observed |
|
199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431 |
SHA256 |
2024-05-22 |
|
ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e |
SHA256 |
2024-07-01 |
|
e7526dadae6b589b6a31f1f7e2e528ed1c9edd9f3d1ca88f0ece0dee349d3842 |
SHA256 |
2024-07-12 |
|
e5ed1a273faf5174dbd8db9d6d3657b81dc2cbc2e0af28cfe76f41c3d2f2fc37 |
SHA256 |
2024-07-24 |
|
f8b12e6d02ea5914e01f95b5665b3a735acfbb9ee6ae27b004af37547bc11e7f
|
SHA256 |
2024-08-05 |
|
0931217eb498b677e2558fd30d92169cc824914c2df68cfbcff4f642600e2cc2
|
SHA256 |
2024-08-24 |
|
582c69b52d68b513f2a137bbf14704df7d787b06752333fc31066669cd663d04
|
SHA256 |
2024-09-06 |
|
hxxp://89[.]23[.]98[.]98/file/14242.exe |
URL Payload |
2024-05-22 |
|
hxxp://89[.]23[.]98[.]98/file/ratecon.exe |
URL Payload |
2024-07-01 |
|
hxxp://89[.]23[.]98[.]98/file/rate_confirmation.vbs |
URL Payload |
2024-07-12 |
|
hxxp://89[.]23[.]98[.]98/file/Rateconfirm.exe |
URL Payload |
2024-07-24 |
|
hxxp://89[.]23[.]98[.]98/file/carrier.exe |
URL Payload |
2024-08-05 |
|
hxxp://185[.]217[.]197[.]84/file/remittance.exe |
URL Payload |
2024-08-24 |
|
hxxp://185[.]217[.]197[.]84/file/information_package.exe |
URL Payload |
2024-09-06 |
|
hxxps://live-samsaratrucking[.]com/true-tracking-32934.html |
URL ClickFix |
2024-08-19 |
|
hxxp://ambcrrm[.]com/
|
URL ClickFix |
2024-09-03 |
|
hxxps://ambccm[.]com/Astra/index.html |
URL ClickFix |
2024-09-10 |
|
hxxps://idessit[.]com/fn.msi
|
URL Danabot Payload |
2024-08-19 |
|
hxxps://ambccm[.]com/3.msi |
URL Danabot Payload |
2024-09-05
|
|
hxxps://ambcrrm[.]com/3.msi
|
URL Danabot Payload |
2024-09-03 |
|
957fe77d04e04ff69fdaff8ef60ac0de24c9eb5e6186b3187460eac6be561f5d
|
SHA256 14242.exe Suspected Lumma |
2024-06-14 |
|
2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319
|
SHA256 rate_confirmation.vbs Lumma |
2024-07-12
|
|
8fe96fb9d820db0072fe0423c13d2d05f81a9cf0fdd6f4e2ee78dc4ca1d37618
|
SHA256 ratecon.exe StealC/NetSupport |
2024-07-24 |
|
cdf160c63f61ae834670fdaf040411511dc2fc0246292603e7aa8cd742d78013
|
SHA256 Rateconfirm.exe StealC |
2024-07-25 |
|
d45b6b04ac18ef566ac0ecdaf6a1f73d1c3164a845b83e0899c66c608154b93d |
SHA256 carrier.exe Arechclient2 |
2024-08-05 |
|
fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7
|
SHA256 fn.msi Danabot |
2024-08-19 |
|
163dccdcaa7fdde864573f2aabe0b9cb3fdcdc6785f422f5c2ee71ae6c0e413a
|
SHA256 remittance.exe |
2024-08-24 |
|
37f328fc723b2ddf0e7a20b57257cdb29fe9286cb4ffeaac9253cb3b86520235
|
SHA256 3.msi Danabot |
2024-09-03 |
|
1a002631b9b2e685aeb51e8b6f4409daf9bc0159cfd54ef9ad3ba69d651ac2a3 |
SHA256 information_package.exe Lumma Stealer |
2024-09-06 |
|
b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86 |
SHA256 information_package.exe StealC/NetSupport |
2024-09-10 |
Analyst note: Proofpoint researchers identified overlap in infrastructure from this threat cluster with suspected UAC-0050 activity but does not assess the activity sets are related at this time.