Cyberattacks on Transportation Firms Using Lumma Stealer and NetSupport Malware
In North America, transportation and shipment firms are currently under attack through a recent phishing operation that distributes various data-stealing tools and remote access trojans (RATs).
This cluster of malicious activities, as per Proofpoint, utilizes compromised legitimate email accounts linked with transportation and freight companies to introduce harmful content into ongoing email discussions.
About 15 breached email accounts have been pinpointed as being part of this operation. It remains uncertain how these accounts were initially breached or who is responsible for these cyber assaults.
“From May to July 2024, the operations predominantly deployed Lumma Stealer, StealC, or NetSupport,” the cybersecurity firm said in an analysis released on Tuesday.
“By August 2024, the threat actor shifted tactics by utilizing fresh infrastructure and a new distribution method, while also incorporating payloads for executing DanaBot and Arechclient2.”
The attack sequences involve sending messages with internet shortcut (.URL) attachments or Google Drive URLs pointing to a .URL file that, when opened, uses the Server Message Block (SMB) protocol to retrieve the next-stage payload containing the malware from a remote location.
In August 2024, some variations of the campaign were noted adopting a recent popular technique known as ClickFix to deceive victims into downloading the DanaBot malware under the guise of resolving an issue with viewing document content in the web browser.
More specifically, this involves persuading users to copy and paste a Base64-encoded PowerShell script into the terminal, thus initiating the infection procedure.
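Both delivery chains described above start from a .URL (InternetShortcut) attachment whose target is fetched over SMB. The following added example, written for this page and not part of Proofpoint's analysis, parses the INI-style .URL format and flags shortcuts whose target is a remote SMB host, so a mail gateway or sandbox can triage such attachments before a user opens them. The sample shortcut contents and the host 203.0.113.10 are constructed.

```python
"""Flag .URL (InternetShortcut) attachments whose target would be fetched over SMB."""
import configparser
import re
from urllib.parse import urlparse

# Constructed samples: a benign web shortcut and one pointing at a remote SMB share.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.com/shipment-status
"""

SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10/share/invoice.pdf.exe
"""

# Matches a raw UNC path such as \\host\share\file
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def parse_url_file(text):
    """Return the URL= target of an InternetShortcut file, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def smb_target(target):
    """Return the remote host if the target would be retrieved over SMB, else None.

    Two forms resolve to an SMB fetch on Windows: a raw UNC path (\\\\host\\share\\...)
    and a file:// URL whose netloc names a host rather than a local drive.
    """
    if target is None:
        return None
    if UNC_RE.match(target):
        return target.split("\\")[2]
    parsed = urlparse(target)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        return parsed.netloc
    return None


def classify(text):
    """Return ('smb', host) when the shortcut fetches from a remote SMB host, else ('ok', target)."""
    target = parse_url_file(text)
    host = smb_target(target)
    return ("smb", host) if host else ("ok", target)


if __name__ == "__main__":
    for sample in (BENIGN_URL_FILE, SUSPICIOUS_URL_FILE):
        print(classify(sample))
```

A local file:// target (no host component) is reported as benign by this check; the signal is specifically an outbound SMB fetch to a host named in the attachment.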
“These campaigns have impersonated Samsara, AMB Logistic, and Astra TMS – applications typically utilized in transportation and fleet operations management,” noted Proofpoint.
“The tailored targeting and breaches of transportation and freight management organizations, alongside the usage of baits mimicking software designed specifically for freight operations and fleet management, suggest that the threat actor likely performs targeted research into the operational practices of these entities before launching campaigns.”
The disclosure coincides with the rise of various theft-oriented malware strains like Angry Stealer, BLX Stealer (aka XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a variant associated with CryptBot named Yet Another Silly Stealer (YASS).

This follows a new iteration of the RomCom RAT, a successor to PEAPOD (known as RomCom 4.0), codenamed SnipBot that is disseminated through fraudulent links embedded within phishing emails. Some aspects of this operation were previously brought to light by the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2024.
“SnipBot provides the attacker with the ability to issue commands and download extra modules onto the victim’s system,” said researchers Yaron Samuel and Dominik Reichel of Palo Alto Networks Unit 42.
“The initial payload either appears as an executable downloader masquerading as a PDF file or a legitimate PDF file forwarded to the victim via email that eventually leads to an executable file.”
The updated version boasts an enhanced collection of 27 commands, permitting operators to list directory paths, execute commands using cmd.exe, upload and download files, retrieve a list of running processes, configure a SOCKS proxy, and utilize 7-Zip to construct an archive from a specified path provided by the attacker.
Previously, systems contaminated with RomCom experienced instances of ransomware deployment; however, the cybersecurity company highlighted the absence of this behavior, hinting at the possibility that the threat actor orchestrating the malware, Tropical Scorpius (also known as Void Rabisu), may have transitioned from pursuing solely financial gains to espionage.