Check Point uncovered a months-long targeted operation against German automotive entities, using ISO/HTA delivery to install MaaS info-stealers such as AZORult, BitRAT, and Raccoon. The attackers registered dozens of lookalike domains impersonating German car businesses to lure targets and host the malware infrastructure. #AZORult #BitRAT #Raccoon #Bornagroup #Turbocell #GermanAutoIndustry
Key points
- Dedicated operation targeting German car dealerships and manufacturers.
- Extensive lookalike infrastructure mimicking German automotive businesses to support phishing and infection chains.
- Phishing emails in German containing ISO attachments labeled as vehicle invoices to entice recipients.
- Infection chain uses HTA/Mshta to run embedded scripts, enabling download and execution of MaaS info-stealers.
- Infrastructure includes Iranian-hosted sites (e.g., bornagroup.ir) and lookalike domains tied to German auto-related entities.
- Dropped payloads are MaaS info-stealers (AZORult, BitRAT, Raccoon) delivered via multiple hosting sites.
- Campaign spans from at least July 2021, with potential Iranian links and intentions beyond simple data theft.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – The email was designed to look as if it had been sent from a car dealership, autohous[.]lips, with an ISO attachment labeled "vehicle invoice".
- [T1218.005] Mshta – Mshta.exe is used to execute HTA files that display a German purchase contract while running embedded code.
- [T1059.005] VBScript – The HTA file executes VBScript code (some versions obfuscated) during the infection chain.
- [T1059.001] PowerShell – PowerShell code is used to download and execute payloads and to modify behavior in later stages.
- [T1112] Modify Registry – PowerShell code is used to change registry values to enable Office macros and run attachments in non-protected mode.
- [T1105] Ingress Tool Transfer – The payloads (MaaS info-stealers AZORult, BitRAT, Raccoon) were downloaded from remote hosts and executed.
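The mshta -> VBScript -> PowerShell -> registry chain above is visible in process-creation telemetry. As an added example (not code from the Check Point report), the following Python scans constructed Sysmon-style process records for three of the behaviours listed: mshta.exe launching an .hta from a mounted drive letter or a URL (T1218.005), PowerShell spawned by mshta.exe (T1059.001), and a PowerShell registry write under an Office Security key (T1112). The record format, the sample command lines and the specific registry value name are assumptions made for the sample data, not values taken from the report.

```python
import re

# Constructed Sysmon-style process-creation records (assumption: key=value fields
# joined by "|"). The file names, paths and registry value are made up for this example.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=mshta.exe E:\\Rechnung_2021.hta",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "ParentImage=C:\\Windows\\System32\\mshta.exe|"
    "CommandLine=powershell -w hidden Set-ItemProperty -Path "
    "HKCU:\\Software\\Microsoft\\Office\\16.0\\Word\\Security -Name VBAWarnings -Value 1",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=notepad.exe C:\\Users\\u\\notes.txt",
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=mshta.exe https://example.invalid/page.hta",
]

# An .hta argument on a non-system drive letter (mounted ISO) or fetched over HTTP(S).
HTA_ARG = re.compile(r"(?:[d-z]:\\\S*\.hta|https?://\S+\.hta)", re.IGNORECASE)
# Common ways PowerShell writes registry values.
REG_WRITE = re.compile(r"(set-itemproperty|new-itemproperty|reg(\.exe)?\s+add)", re.IGNORECASE)
# Any Office "Security" subkey (macro and Protected View settings live here).
OFFICE_SECURITY_KEY = re.compile(r"\\office\\\S*\\security", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split a 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name without its directory, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the MITRE technique ids whose detection logic matches this event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "mshta.exe" and HTA_ARG.search(cmd):
        hits.append("T1218.005")
    if image == "powershell.exe":
        if parent == "mshta.exe":
            hits.append("T1059.001")
        if REG_WRITE.search(cmd) and OFFICE_SECURITY_KEY.search(cmd):
            hits.append("T1112")
    return hits


def scan(lines) -> list:
    """Run every record through classify(); returns (technique, image) pairs in order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for technique in classify(event):
            findings.append((technique, basename(event.get("Image", ""))))
    return findings


if __name__ == "__main__":
    for technique, image in scan(SAMPLE_EVENTS):
        print(f"{technique}: {image}")
```

The drive-letter check deliberately excludes C: so that an .hta opened from a mounted ISO stands out from local scripts; tune the letter range to the hosts you monitor.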
Indicators of Compromise
- [Domain] Lookalike phishing domains – autohous-lips[.]de, fiat-amenn[.]de, and 37 more domains (impersonating German auto businesses).
- [Domain] Malware hosting and related infrastructure – bornagroup[.]ir, Turbocell[.]ir (Iranian-hosted sites used to host payloads).
- [File hash] 328a984d512e3083df9d93b427b6967c – a-p.exe; [File hash] 10aa6a55a4f15064eb4a88278c41adbf – az.exe; additional hashes exist for other payloads (e.g., d.exe, s.exe).
- [File name] a-p.exe, az.exe, d-clouded.exe – executables used as initial MaaS info-stealers in the campaign.
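Because the operation leaned on dozens of lookalike domains, a defender watching new-domain feeds or sender domains can score them against the brands they protect. As an added example (not code from the report), the following Python refangs defanged indicators such as those above and flags a registrable label that is either a near-miss spelling of a protected brand or a protected brand with extra words attached. The protected-brand list is an assumption: "autohaus-lips" is assumed to be the dealership the report says was impersonated, and the other entries and the benign domain are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed list of legitimate brand labels to protect (assumption for this example).
PROTECTED_LABELS = ["autohaus-lips", "volkswagen", "mercedes-benz"]

# The two lookalikes named in the report, plus two constructed candidates.
CANDIDATES = [
    "autohous-lips[.]de",
    "fiat-amenn[.]de",
    "example-bakery[.]de",
    "volkswagen-service-portal[.]de",
]


def refang(domain: str) -> str:
    """Undo common defanging of the dot: [.] (.) {.} -> ."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", domain.strip().lower())


def registrable_label(domain: str) -> str:
    """Label left of the suffix; assumes a single-label TLD such as .de."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def best_match(label: str):
    """Closest protected brand by difflib similarity ratio (0..1)."""
    best = (None, 0.0)
    for brand in PROTECTED_LABELS:
        score = SequenceMatcher(None, label, brand).ratio()
        if score > best[1]:
            best = (brand, score)
    return best


def is_lookalike(domain: str, threshold: float = 0.85):
    """Return (closest brand, score, flagged) for one domain."""
    label = registrable_label(domain)
    brand, score = best_match(label)
    if brand is None:
        return (None, 0.0, False)
    # Near-miss spelling (high ratio but not identical) or brand-plus-suffix form.
    near_miss = score >= threshold and label != brand
    contains_brand = brand in label and label != brand
    return (brand, round(score, 3), near_miss or contains_brand)


if __name__ == "__main__":
    for candidate in CANDIDATES:
        brand, score, flagged = is_lookalike(candidate)
        print(f"{refang(candidate):32} closest={brand!s:14} score={score:.3f} flagged={flagged}")
```

The similarity threshold trades false positives for recall; 0.85 catches single-character swaps in labels of this length, while the substring rule catches the "brand-service" style without relying on the ratio at all.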
Read more: https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/