According to the report, the aim of the phishing attacks, which have been running since July 2021, is to infect victims' systems with password-stealing malware. Check Point's security researchers found that the automotive industry is affected across the board: car manufacturers and suppliers as well as car dealerships.

German cars very popular

Despite all the scandals of recent years, German cars remain popular worldwide. Added to this are rising prices for used cars, since slow supply chains and scarce raw materials have lengthened delivery times for new cars.

Sophisticated phishing campaign

For their phishing campaign, the criminals cloned the websites of various real companies and used them to send their phishing emails. The malware payload is also hosted on these sites, ready to be downloaded by victims without their knowledge. At the start of the attack, the victim receives an email containing an ISO disk image file (a sector-by-sector image of a CD or DVD file system). The image in turn contains an .HTA file, which allows JavaScript or VBScript code to be executed via HTML smuggling.
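A mail-gateway triage check for the attachment chain described above (ISO image carrying an .HTA), written as an added example for this article and not taken from Check Point's report. It checks for the ISO 9660 volume-descriptor signature and scans the image for risky 8.3 filenames; the sample .eml, the sender address and the attachment name are all constructed here.

```python
import re
import email
from email import policy
from email.message import EmailMessage

ISO_MAGIC = b"CD001"        # ISO 9660 standard identifier in every volume descriptor
ISO_MAGIC_OFFSET = 0x8001   # sector 16 (0x8000) holds the first descriptor; byte 0 is its type
# ISO 9660 directory records store 8.3 names in plain ASCII, e.g. b"CONTRACT.HTA;1",
# so a byte scan finds script-capable files without a full file-system parser.
RISKY_NAME = re.compile(rb"([A-Z0-9_]{1,8}\.(HTA|JS|VBS|LNK|EXE));1")


def is_iso_image(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 signature at the expected offset."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def risky_names_in_iso(data: bytes) -> list:
    """Return sorted, de-duplicated risky 8.3 filenames found in the image."""
    return sorted({m.group(1).decode() for m in RISKY_NAME.finditer(data)})


def triage_message(raw: bytes) -> list:
    """Flag ISO attachments (by name or by signature) and list risky files inside."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".iso") or is_iso_image(payload):
            findings.append({"attachment": name,
                             "is_iso": is_iso_image(payload),
                             "risky_files": risky_names_in_iso(payload)})
    return findings


def build_sample_eml() -> bytes:
    """Constructed test message: a minimal fake ISO with one HTA directory entry."""
    iso = bytearray(0x8000) + b"\x01CD001\x01"        # system area + primary volume descriptor
    iso += b"\x00" * 64 + b"\x0bCONTRACT.HTA;1\x00"   # fake directory record naming the HTA
    m = EmailMessage()
    m["From"] = "sales@example.invalid"               # constructed sender
    m["Subject"] = "Signed contract for vehicle delivery"
    m.set_content("Please confirm receipt and send the vehicle documents.")
    m.add_attachment(bytes(iso), maintype="application",
                     subtype="x-iso9660-image", filename="Contract_2021.iso")
    return bytes(m)


if __name__ == "__main__":
    for f in triage_message(build_sample_eml()):
        print(f)
```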

Be careful with emails

As an example, the security researchers show an email that claims to contain a signed contract for a car delivery. The recipient is also asked to confirm receipt and to send further documents, such as the vehicle papers and the MOT certificate for the car in question. If the attachment is opened, another file is launched in the background that contacts the drop site from which the malware is then smuggled in. The victim sees only a document that appears to be exactly what it claims to be, in this example a purchase contract for a car.

New variable approach

According to Check Point, a closer examination of the new approach revealed multiple versions of these scripts that perform different actions. Some trigger PowerShell code, some are well obfuscated, and others are visible in plain text. All of them download various malware and spyware, most of it available as malware-as-a-service on the dark web, including Raccoon Stealer, AZORult and BitRAT. In a later version of the campaign, the security researchers also observed PowerShell code that no longer requires the victim to enable macros, because the malware makes the necessary changes in Microsoft Office itself.

Strong evidence of Iranian hacker collective

According to Check Point, at least 14 victims of the campaign are known in Germany, all of them connected to the automotive industry; no specific names are given. It is not yet possible to say with certainty who is behind the attacks, but there is an initial suspicion that it is a hacker group from Iran. The malware payloads were hosted on a website registered by a persona from Iran, and there are likely links to another phishing campaign that targeted Santander Bank customers and was hosted by an Iranian Internet service provider. This points to a group from Iran, but definitive proof is still missing.

Targets of attack still unclear

It is also not yet possible to make a final statement about the attackers' goals. It is probably both industrial espionage and a case of business email compromise (BEC) or CEO fraud, a scam in which the attackers pose as a manager and trick victims into transferring funds quickly and without the usual checks. This is also supported by the fact that the emails sent so far leave room for further contact, which lends the fake CEO additional credibility in such a scam.

Source: Pressebox
