Transportation and logistics firms in North America are facing a new phishing campaign aimed at deploying various information stealers and remote access trojans (RATs). According to Proofpoint, this activity utilizes compromised legitimate email accounts from transportation and shipping companies to inject malicious content into ongoing email conversations.
So far, approximately 15 breached email accounts have been linked to the campaign. However, the methods of infiltration and the identities of the attackers remain unclear.
From May to July 2024, the campaign primarily distributed Lumma Stealer, StealC, and NetSupport, as noted in Proofpoint’s analysis published on Tuesday. In August 2024, the threat actors altered their tactics by employing new infrastructure, delivery methods, and additional payloads, including DanaBot and Arechclient2.
The attack chains typically involve sending messages with internet shortcut (.URL) attachments or Google Drive links that lead to .URL files. When launched, these files use Server Message Block (SMB) to retrieve the next-stage payload containing the malware from a remote share.
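As an added illustration, not code from Proofpoint's report, the following Python triage helper parses an internet shortcut's INI-style contents and flags fields that point at a remote share, which is the SMB retrieval step described above. The sample .URL contents and the 203.0.113.5 address are constructed, and checking the IconFile field in addition to URL is an assumption beyond what the article states.

```python
import configparser
import re

# Constructed sample .URL file contents (not taken from the campaign).
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/invoice\r\n",
    "smb.url": "[InternetShortcut]\r\nURL=file://\\\\203.0.113.5\\share\\invoice.exe\r\n",
    "icon.url": "[InternetShortcut]\r\nURL=https://example.com/\r\n"
                "IconFile=\\\\203.0.113.5\\share\\i.ico\r\nIconIndex=0\r\n",
    "local.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
}

def parse_url_file(text):
    """Return the key/value pairs of the [InternetShortcut] section (INI syntax)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))

def remote_share_host(value):
    """Return the host if value points at a remote (UNC/SMB) share, else None."""
    v = value.strip().strip('"').replace("\\", "/")  # normalise UNC backslashes
    for scheme in ("file:", "smb:"):
        if v.lower().startswith(scheme):
            v = v[len(scheme):]
            break
    m = re.match(r"^(/+)([^/]*)", v)
    if not m or len(m.group(1)) < 2:
        return None  # relative path or http(s) URL, not a share
    slashes, host = m.group(1), m.group(2)
    # file:///C:/dir is local; file://host/, file:////host/ and //host/ are shares
    if len(slashes) == 3 or re.match(r"^[A-Za-z]:$", host):
        return None
    if host.lower() in ("", "localhost", "127.0.0.1"):
        return None
    return host

def find_share_references(text):
    """List (key, host) pairs for every field that would trigger a share fetch."""
    hits = []
    for key, value in parse_url_file(text).items():
        host = remote_share_host(value)
        if host:
            hits.append((key, host))
    return hits

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, find_share_references(content) or "clean")
```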
Some variants of the campaign observed in August 2024 have also adopted a technique called ClickFix, tricking victims into downloading DanaBot malware under the guise of fixing a document display issue in their web browser. This method encourages users to copy and paste a Base64-encoded PowerShell script into their terminal, which triggers the infection process.
The campaigns have impersonated companies like Samsara, AMB Logistic, and Astra TMS—software commonly used in transport and fleet operations management. This specific targeting and the use of lures that mimic freight operations and fleet management software suggest that the attackers likely conduct thorough research on their targeted companies before launching their campaigns.
The disclosure coincides with the rise of various stealer malware strains, including Angry Stealer, BLX Stealer (also known as XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a CryptBot-related variant called Yet Another Silly Stealer (YASS).
Additionally, a new version of the RomCom RAT, known as SnipBot and the successor to PEAPOD (RomCom 4.0), has emerged, distributed through fraudulent links embedded in phishing emails. As highlighted by Ukraine's Computer Emergency Response Team (CERT-UA) in July 2024, SnipBot enables attackers to execute commands and download additional modules onto a victim's system. The initial payload is often either an executable disguised as a PDF file or a legitimate PDF that leads to an executable download.
This latest version features an extensive set of 27 commands, allowing operators to enumerate directory paths, run commands via cmd.exe, upload and download files, list running processes, set up a SOCKS proxy, and create archives using 7-Zip.
While past infections with RomCom have involved ransomware deployments, the absence of such behavior in recent instances suggests that the threat actor behind the malware, known as Tropical Scorpius (also referred to as Void Rabisu), may be shifting from a focus on financial gain to espionage.