Targeted Infostealers and Backdoors Aimed Towards US Transportation and Logistics Businesses

Adversaries are breaching email accounts within transportation and shipping firms in North America to distribute a range of malware types, as per a report by Proofpoint.

Since May 2024, malicious actors have been inserting harmful content into ongoing discussions within the compromised mailboxes, to disseminate malware such as Arechclient2, DanaBot, Lumma Stealer, NetSupport, and StealC.

Most intrusions use Google Drive links or .URL files as attachments; opening them triggers a malicious payload that retrieves an executable from a remote location and installs the malware, the cybersecurity company states in its report.
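The delivery pattern just described, a Windows Internet Shortcut (.url) attachment whose target points at an executable on a remote host, is something mail-gateway or triage tooling can flag before a user ever opens it. The script below is an added example written for this page; it is not code from the article, from Proofpoint, or from any of the named vendors. The attachment contents are constructed samples, and the scoring heuristics (remote file:// or UNC target plus an executable extension) are this example's own assumptions rather than a published signature.

```python
"""Triage .url (Internet Shortcut) email attachments for remote-executable targets.

Added example, not code from the article or from Proofpoint. Sample attachments
are constructed; the risk heuristics are assumptions made for this demo.
"""
import configparser
from urllib.parse import urlparse

# File types Windows will run directly if the shortcut target resolves to them.
EXECUTABLE_EXTS = {".exe", ".msi", ".bat", ".cmd", ".js", ".vbs",
                   ".hta", ".ps1", ".scr", ".dll"}
# URL schemes that make the client reach out to a remote host for a file.
REMOTE_FILE_SCHEMES = {"file", "smb"}


def parse_internet_shortcut(text):
    """Return the URL= target of a .url file, or None if the text is not one."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:  # no [InternetShortcut] header, bad lines, etc.
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser.get(section, "url", fallback=None)
    return None


def assess_target(url):
    """Classify a shortcut target. Returns (risk, reasons)."""
    reasons = []
    target = url.strip()
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    remote = False
    if target.startswith("\\\\"):
        # UNC path (\\host\share\file): no scheme, but still a remote fetch.
        remote = True
        reasons.append("UNC path to a remote share")
        path = target.lower().replace("\\", "/")
    else:
        path = parsed.path.lower()
        if scheme in REMOTE_FILE_SCHEMES and parsed.netloc:
            remote = True
            reasons.append(f"{scheme}:// target on remote host {parsed.netloc}")
    executable = any(path.endswith(ext) for ext in EXECUTABLE_EXTS)
    if executable:
        reasons.append("target is an executable or script file")
    if remote and executable:
        risk = "high"
    elif remote or executable:
        risk = "medium"
    else:
        risk = "low"
    return risk, reasons


def triage_attachments(attachments):
    """attachments: iterable of (filename, text). Returns findings for .url files only."""
    findings = []
    for name, text in attachments:
        if not name.lower().endswith(".url"):
            continue
        target = parse_internet_shortcut(text)
        if target is None:
            # A .url that does not parse is itself suspicious; surface it for review.
            findings.append({"file": name, "target": None, "risk": "medium",
                             "reasons": ["malformed .url attachment"]})
            continue
        risk, reasons = assess_target(target)
        findings.append({"file": name, "target": target,
                         "risk": risk, "reasons": reasons})
    return findings


# Constructed sample attachments (TEST-NET addresses, not real infrastructure).
SAMPLE_ATTACHMENTS = [
    ("invoice_details.url",
     "[InternetShortcut]\nURL=file://203.0.113.10/share/invoice.exe\n"),
    ("rate_confirmation.url",
     "[InternetShortcut]\nURL=\\\\198.51.100.7\\public\\ratecon.js\nIconIndex=0\n"),
    ("tracking.url",
     "[InternetShortcut]\nURL=https://www.example.com/track?id=12345\n"),
    ("bol_scan.pdf", "%PDF-1.4 (not a shortcut; skipped by the triage loop)"),
]

if __name__ == "__main__":
    for finding in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{finding['file']}: {finding['risk']} -> {finding['target']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

A plain https link in a .url file scores low here, which matches the page's point that the dangerous variant is the one that makes the host fetch a binary from elsewhere; in production you would pair this with the thread-hijacking signals the article mentions (a known sender whose message suddenly carries an unusual attachment type) rather than rely on the shortcut check alone.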

Approximately 15 email addresses have been compromised so far, and typically fewer than 20 messages are injected per campaign, aimed at a small number of transportation and logistics entities.

Proofpoint noticed the threat actors impersonating software commonly utilized for transportation and fleet management operations, such as Samsara, AMB Logistic, and Astra TMS.

According to the cybersecurity company, while the tactics observed have been utilized by different adversaries in prior attacks, it is probable that the threat actor behind this scheme is “acquiring this infrastructure from third-party vendors”.

“Based on the identified initial access patterns, malware delivery methods, and infrastructure, Proofpoint states with a reasonable level of certainty that the activity aligns with financially-driven, cybercriminal motivations,” declares the organization.

Proofpoint suggests that businesses in the transportation and logistics sector exercise vigilance when receiving emails from familiar sources that exhibit irregular communication patterns and content, particularly if they contain dubious links and files.

The same advice extends to individuals operating in other sectors as well. If suspicious emails are encountered, users are advised to validate the sender’s credibility.

“Adversaries are evolving more sophisticated social engineering techniques and initial access strategies throughout the attack chain, while increasingly relying on off-the-shelf malware instead of intricate, unique malware payloads,” mentions Proofpoint.
