Financially motivated threat actors are targeting North American companies in the transportation and logistics sector with tailored lures, info-stealing malware, and a clever new trick.
How the attack unfolds
According to Proofpoint threat researchers, the attackers start by compromising email accounts of workers in transportation and shipping companies and then responding to existing email conversations within the account’s inbox.
The emails are usually short, and initially urged recipients to follow a link to / download an attached internet shortcut (.URL) file that, once executed, would download malware from a remote share.
But since August 2024, the attackers have also begun using a new(-ish) trick, leading users to pages that would instruct them to perform actions that would make them unknowingly copy, paste, and run a Base64 encoded PowerShell script.
The technique, which Proofpoint dubbed “ClickFix” due to the pretext used in this and previous campaigns, has recently also been used against targets via fake human verification pages. The goal is to make the user run a script that will download and run malware.
In this campaign, the pretext is that the target’s browser cannot correctly display the document they want to see. The malicious page and alert exploits the good name of spacialized software used in transport and fleet operations management: Samsara, AMB Logistic, and Astra TMS.
Attackers impersonating Samsara (Source: Proofpoint)
Limited malware delivery campaigns targeting transportation and logistics orgs
Proofpoint researchers don’t know how the initial compromise of the email accounts happens.
“The specific targeting and compromises of organizations within transportation and logistics, as well as the use of lures that impersonate software specifically designed for freight operations and fleet management, indicates that the actor likely conducts research into the targeted company’s operations before sending campaigns. The language used in the lures and content also indicate familiarity with typical business workflows,” they shared.
“This activity aligns with a trend [we] have observed across the cybercriminal threat landscape. Threat actors are developing more sophisticated social engineering and initial access techniques across the delivery attack chain while relying more on commodity malware rather than complex and unique malware payloads.”
In these limited campaigns, the delivered malware included info-stealers (Lumma Stealer, StealC, ArechClient2, DanaBot) and remote control software (NetSupport).
The researchers are urging all users to be careful with emails coming from known senders which deviate from normal activity or content, particularly when combined with unusual looking links and file types. “When encountering such activity users should contact the sender using another means to confirm their authenticity,” they advised.