Transport Services Hit by Cyber Security Breaches Using Lumma Stealer and NetSupport Malware
Companies in the transportation and delivery industry in North America are experiencing a new phishing attack that deploys various data stealers and remote access trojans (RATs).
According to Proofpoint, the campaign uses compromised, legitimate email accounts belonging to transportation and delivery firms to inject malicious content into existing email threads.
Up to 15 compromised email accounts have been identified in connection with this activity. It remains unclear how these accounts were initially breached or who is behind the attacks.
“Activities during the May to July 2024 timeline predominantly introduced Lumma Stealer, StealC, or NetSupport,” noted the enterprise cybersecurity provider in a report issued on Tuesday.
“By August 2024, the threat actor had altered their strategies by introducing new infrastructure, a new delivery method, and including payloads to deliver DanaBot and Arechclient2.”
These attack chains involve sending messages with internet shortcut (.URL) attachments or Google Drive links leading to a .URL file. When opened, the shortcut uses Server Message Block (SMB) to retrieve the next-stage payload containing the malware from a remote share.
Some versions of this campaign observed in August 2024 have also adopted a newly popular method known as ClickFix to deceive victims into downloading the DanaBot malware under the guise of fixing a browser-based document display issue.
Specifically, this involves prompting users to copy and paste a Base64-encoded PowerShell script into a terminal, which starts the infection chain.
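As an added defensive illustration (not code from the Proofpoint report), the following Python checks a Windows .URL shortcut for the remote-SMB retrieval pattern described above; the shortcut contents and the 203.0.113.5 host are constructed samples, and the IconFile key is inspected alongside URL because it can also name a remote resource, which goes slightly beyond the article.

```python
"""Flag Windows Internet Shortcut (.URL) files whose target points to a remote
SMB/UNC share instead of a local file or an http(s) URL (constructed example)."""
import configparser
import re
from typing import List, Optional, Tuple

# After backslashes are normalised to '/', this matches file://host/..,
# file:////host/.., smb://host/.. and bare //host/share forms.
_REMOTE_RE = re.compile(r"^(?:file:|smb:)?/{2,}([^/]+)(?:/|$)", re.IGNORECASE)
_DRIVE_RE = re.compile(r"^[a-z]:$", re.IGNORECASE)      # file:///C:/... is local
_LOCAL_HOSTS = {"localhost", "127.0.0.1"}
_KEYS_TO_CHECK = ("url", "iconfile")  # .URL keys that can reference a remote path


def remote_smb_host(value: str) -> Optional[str]:
    """Return the host named by a UNC path or file:/smb: URL, else None."""
    normalised = value.strip().replace("\\", "/")
    match = _REMOTE_RE.match(normalised)
    if not match:
        return None
    host = match.group(1)
    if _DRIVE_RE.match(host) or host.lower() in _LOCAL_HOSTS:
        return None  # a drive letter or loopback is not a remote share
    return host


def scan_url_shortcut(text: str) -> List[Tuple[str, str]]:
    """Parse .URL (INI-style) content; return (key, host) pairs that reach over SMB."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if key.lower() in _KEYS_TO_CHECK:
                host = remote_smb_host(value)
                if host:
                    findings.append((key, host))
    return findings


# Constructed samples: one shortcut fetching a payload over SMB, one benign link.
SAMPLE_MALICIOUS = r"""[InternetShortcut]
URL=file://\\203.0.113.5\share\invoice.exe
IconIndex=1
"""
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://example.com/tracking\n"

if __name__ == "__main__":
    print("malicious:", scan_url_shortcut(SAMPLE_MALICIOUS))  # [('url', '203.0.113.5')]
    print("benign:", scan_url_shortcut(SAMPLE_BENIGN))        # []
```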
“These initiatives have posed as Samsara, AMB Logistic, and Astra TMS – applications specific to transport and fleet management operations,” outlined Proofpoint.
“The choice to target and compromise organizations in the transportation and logistics sector, alongside the use of baits imitating software tailored for freight operations and fleet management, indicates that the perpetrator likely researches the operational practices of the targeted entity before launching their campaigns.”
This revelation coincides with the emergence of various data-stealing malware variants like Angry Stealer, BLX Stealer (also known as XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a variant related to CryptBot dubbed Yet Another Silly Stealer (YASS).

This trend also coincides with the appearance of a revised version of the RomCom RAT, codenamed SnipBot and a successor to PEAPOD (also known as RomCom 4.0), which is distributed through malicious links embedded in phishing emails. Certain aspects of this campaign were previously highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2024.
“SnipBot enables the attacker to execute commands and download additional modules to a victim’s system,” affirmed researchers Yaron Samuel and Dominik Reichel from Palo Alto Networks Unit 42 in a statement.
“The initial payload is either an executable downloader disguised as a PDF file or an actual PDF file sent to the victim via email that leads to an executable.”
Although systems infected with RomCom have previously seen ransomware deployed, the cybersecurity vendor observed no such behavior this time, suggesting that the threat actor behind the malware, Tropical Scorpius (also known as Void Rabisu), may have shifted from purely financial motives to espionage.