| Category | Details |
|---|---|
| Threat Actors | Not currently attributed to a specific threat actor. Infrastructure overlaps with suspected UAC-0050 activity, but no relationship has been confirmed. |
| Campaign Overview | Activity targeting North American transportation and logistics companies using compromised email accounts to inject malware into ongoing email threads. |
| Target Regions (Victims) | North America; specifically transportation and logistics industries. |
| Methodology | Compromised legitimate email accounts; injection of malicious links/files into existing email threads; use of Google Drive URLs, .URL files, and the “ClickFix” technique with Base64-encoded PowerShell scripts. |
| Product Targeted | Logistics and fleet management software (e.g., Samsara, AMB Logistic, Astra TMS). |
| Malware Reference | Lumma Stealer, StealC, NetSupport, DanaBot, Arechclient2. |
| Tools Used | Google Drive for URL hosting; SMB protocol for malware execution; the “ClickFix” technique for malware delivery via PowerShell scripts. |
| Vulnerabilities Exploited | Not specified. |
| TTPs | Social engineering (compromised email accounts); malicious content injection into legitimate email threads; use of commodity malware payloads. |
| Attribution | Assessed with moderate confidence to be financially motivated cybercriminals leveraging third-party infrastructure. |
| Recommendations | Verify emails from known senders if the content seems unusual; be cautious of email links and attachments (.URL files, Google Drive links); educate users on detecting suspicious emails. |
| Source | Proofpoint |
Read full article: https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering
Disclaimer: The above summary has been generated by an AI language model