Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware

What happened 

Proofpoint researchers are tracking a cluster of activity targeting transportation and logistics companies in North America to deliver a variety of different malware payloads.  

Notably, this activity leverages compromised legitimate email accounts that belong to transportation and shipping companies. At this time, it is unclear how the actor achieves access to the compromised accounts. The actor then injects malicious content into existing conversations within the account’s inbox, which makes the messages look legitimate. Proofpoint has identified at least 15 compromised email accounts used during these campaigns. 

Researchers have been tracking this activity cluster since late May 2024. Activity which occurred from May to July 2024 predominately delivered Lumma Stealer, StealC, or NetSupport. In August 2024, the threat actor changed tactics by employing new infrastructure and a new delivery technique, as well as adding payloads to deliver DanaBot and Arechclient2. 

Most campaigns use messages with Google Drive URLs leading to an internet shortcut (.URL) file, or a .URL file attached directly to the message. If executed, it uses SMB to access an executable from the remote share, which installs the malware.   

Figure 1

Actor responds from a compromised account to a request within an ongoing thread. 

Figure 2

Actor using a compromised account to post a malicious link to an ongoing thread. 

Campaigns typically include less than 20 messages and impact a small number of customers, all in the same transport/logistics industries in North America.  

In August 2024, the actor also began using the “ClickFix” technique to deliver their malware. The messages contained URLs which directed users through various dialogue boxes leading them to copy, paste, and run a Base64 encoded PowerShell script contained within the HTML, a technique called “ClickFix.” The scripts led to an MSI file used to load DanaBot.   

Figure 3

Initial “ClickFix” dialogue box in which clicking the “Fix it” button copies a Base64 encoded PowerShell script. 

Figure 4

Final “ClickFix” dialogue box with instructions to open Windows PowerShell and paste and run the PowerShell script. 

While Proofpoint has observed this technique leveraged by other threat actors impersonating Word or Chrome updates, these campaigns have impersonated Samsara, AMB Logistic, and Astra TMS – software that would only be used in transport and fleet operations management.   

Attribution  

Proofpoint does not currently attribute this activity cluster to an identified threat actor (TA). Similar techniques and infrastructure associated with ClickFix and the combination of Google Drive URLs, .URL files, and SMB have been observed used by other threat actors and campaigns. Proofpoint researchers assess that the threat actor discussed in this Security Brief is purchasing this infrastructure from third party providers.   

Based on the observed initial access activity, malware delivery, and infrastructure, Proofpoint assesses with moderate confidence the activity aligns with financially motivated, cybercriminal objectives. 

Why it matters  

Threat actors are increasingly tailoring lures to be more realistic to entice recipients to click on a link or download attachments. Compromising legitimate email accounts and sending malicious links and attachments to an existing email conversation achieves this goal and raises the risk that recipients will install malware.   

The specific targeting and compromises of organizations within transportation and logistics, as well as the use of lures that impersonate software specifically designed for freight operations and fleet management, indicates that the actor likely conducts research into the targeted company’s operations before sending campaigns. The language used in the lures and content also indicate familiarity with typical business workflows.  

This activity aligns with a trend Proofpoint researchers have observed across the cybercriminal threat landscape. Threat actors are developing more sophisticated social engineering and initial access techniques across the delivery attack chain while relying more on commodity malware rather than complex and unique malware payloads.  

Members of the transportation/logistics industry, and users in general, should exercise caution with emails coming from known senders which deviate from normal activity or content, particularly when combined with unusual looking links and file types such as described in this Security Brief. In other words, emails that do not look or feel right and trigger a sixth sense that something is off.   

When encountering such activity users should contact the sender using another means to confirm their authenticity. 

Indicators of compromise 

Indicator Description First Observed 
199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431 SHA256 
.URL file 
2024-05-22 
ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e SHA256 
.URL file 
2024-07-01 
e7526dadae6b589b6a31f1f7e2e528ed1c9edd9f3d1ca88f0ece0dee349d3842 SHA256 
.URL file 
2024-07-12 
e5ed1a273faf5174dbd8db9d6d3657b81dc2cbc2e0af28cfe76f41c3d2f2fc37 SHA256 
.URL file 
2024-07-24 
f8b12e6d02ea5914e01f95b5665b3a735acfbb9ee6ae27b004af37547bc11e7f  SHA256 
.URL file 
2024-08-05 
0931217eb498b677e2558fd30d92169cc824914c2df68cfbcff4f642600e2cc2  SHA256 
.URL file 
2024-08-24 
582c69b52d68b513f2a137bbf14704df7d787b06752333fc31066669cd663d04  SHA256 
.URL file 
2024-09-06 
hxxp://89[.]23[.]98[.]98/file/14242.exe URL Payload 2024-05-22 
hxxp://89[.]23[.]98[.]98/file/ratecon.exe URL Payload 2024-07-01 
hxxp://89[.]23[.]98[.]98/file/rate_confirmation.vbs URL Payload 2024-07-12 
hxxp://89[.]23[.]98[.]98/file/Rateconfirm.exe URL Payload 2024-07-24 
hxxp://89[.]23[.]98[.]98/file/carrier.exe URL Payload 2024-08-05 
hxxp://185[.]217[.]197[.]84/file/remittance.exe URL Payload 2024-08-24 
hxxp://185[.]217[.]197[.]84/file/information_package.exe URL Payload 2024-09-06 
hxxps://live-samsaratrucking[.]com/true-tracking-32934.html URL ClickFix 2024-08-19 
hxxp://ambcrrm[.]com/  URL ClickFix 2024-09-03 
hxxps://ambccm[.]com/Astra/index.html URL ClickFix 2024-09-10 
hxxps://idessit[.]com/fn.msi  URL Danabot Payload 2024-08-19 
hxxps://ambccm[.]com/3.msi URL Danabot Payload 2024-09-05  
hxxps://ambcrrm[.]com/3.msi  URL Danabot Payload 2024-09-03 
957fe77d04e04ff69fdaff8ef60ac0de24c9eb5e6186b3187460eac6be561f5d  SHA256 14242.exe Suspected Lumma 2024-06-14 
2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319  SHA256 rate_confirmation.vbs Lumma  2024-07-12  
8fe96fb9d820db0072fe0423c13d2d05f81a9cf0fdd6f4e2ee78dc4ca1d37618  SHA256 ratecon.exe StealC/NetSupport 2024-07-24 
cdf160c63f61ae834670fdaf040411511dc2fc0246292603e7aa8cd742d78013  SHA256 Rateconfirm.exe StealC  2024-07-25 
d45b6b04ac18ef566ac0ecdaf6a1f73d1c3164a845b83e0899c66c608154b93d SHA256 carrier.exe Arechclient2 2024-08-05 
fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7  SHA256 fn.msi Danabot 2024-08-19 
163dccdcaa7fdde864573f2aabe0b9cb3fdcdc6785f422f5c2ee71ae6c0e413a  SHA256 remittance.exe 2024-08-24 
37f328fc723b2ddf0e7a20b57257cdb29fe9286cb4ffeaac9253cb3b86520235  SHA256 3.msi Danabot 2024-09-03 
1a002631b9b2e685aeb51e8b6f4409daf9bc0159cfd54ef9ad3ba69d651ac2a3 SHA256 information_package.exe Lumma Stealer 2024-09-06 
b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86 SHA256 information_package.exe StealC/NetSupport  2024-09-10 

Don’t Stop Here

More To Explore

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise