German Automakers Targeted in Year-Long Malware Campaign
A year-long phishing campaign has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.
The targets include both car manufacturers and car dealerships in Germany. To support the operation, the threat actors registered multiple lookalike domains and cloned the legitimate websites of various organizations in that sector.
These sites serve a double purpose: they are used to send phishing emails written in German, and they host the malware payloads that are downloaded to targeted systems.
Researchers at Check Point discovered this campaign and published a technical report where they presented the details of their findings. According to the report, the campaign started around July 2021 and is still ongoing.
Targeting the German auto industry
The infection chain begins with an email sent to specific targets that carries an ISO disk image file. At the time, Windows did not propagate the Mark of the Web to files inside a mounted ISO, so the contents slip past many of the security controls that are applied to files downloaded from the internet.
For example, the phishing email below pretends to contain an automobile transfer receipt sent to what appears to be a targeted dealership.
The ISO contains an HTA (HTML Application) file. When the victim opens it, the HTA displays a decoy document in the foreground, while the script embedded in it runs in the background to fetch the malware payloads and launch them.
“We found several versions of these scripts, some triggering PowerShell code, some obfuscated, and others in plain text. All of them download and execute various MaaS (Malware as a Service) info-stealers.” – Check Point.
The MaaS info-stealers used in this campaign vary, including Raccoon Stealer, AZORult, and BitRAT. All three are available for purchase in cybercrime markets and darknet forums.
In later versions of the HTA file, PowerShell code runs to modify the registry values that control macro security in the Microsoft Office suite, effectively enabling content without a prompt. This makes it unnecessary for the threat actors to trick the recipient into clicking "Enable Content" and improves their payload drop rate.
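The report only says that the PowerShell stage "changes registry values" to enable content; it does not name them. The script below is an added example written for this page, not code from Check Point or from the campaign. It audits the documented Office macro-security values (VBAWarnings, which controls the Trust Center macro setting, and AccessVBOM, which grants trusted access to the VBA project object model) under the per-user and Group Policy hives, and flags any key that would let macros run without a prompt. Which of these values the campaign actually touches is an assumption; treat the script as a posture check, not as a confirmed indicator of this campaign.

```powershell
# Added example, not code from the Check Point report or from the campaign.
# Audits the Office macro-security registry values that a malicious stage
# would have to weaken in order to "enable content" silently.
# Assumption: the campaign flips VBAWarnings (and possibly AccessVBOM); the
# report quoted above does not name the exact values.

$apps     = 'Word', 'Excel', 'PowerPoint', 'Outlook', 'Access', 'Publisher'
$versions = '16.0', '15.0', '14.0'        # Office 2016/2019/365, 2013, 2010
$roots    = @(
    'HKCU:\Software\Microsoft\Office'              # per-user Trust Center setting
    'HKCU:\Software\Policies\Microsoft\Office'     # user-scope Group Policy
    'HKLM:\Software\Policies\Microsoft\Office'     # machine-scope Group Policy
)

# Documented VBAWarnings values (Trust Center > Macro Settings):
#   1 = enable all macros           2 = disable with notification (default)
#   3 = disable except signed       4 = disable all without notification
$vbaMeaning = @{
    1 = 'ENABLE ALL (unsafe)'
    2 = 'disable with notification'
    3 = 'signed macros only'
    4 = 'disable all'
}

function Get-OfficeMacroPosture {
    foreach ($root in $roots) {
        foreach ($ver in $versions) {
            foreach ($app in $apps) {
                $key = "$root\$ver\$app\Security"
                if (-not (Test-Path -Path $key)) { continue }
                $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

                $vba = $p.VBAWarnings
                [pscustomobject]@{
                    Key         = $key
                    VBAWarnings = $vba
                    Meaning     = $(if ($null -ne $vba) { $vbaMeaning[[int]$vba] } else { 'not set (default: notify)' })
                    AccessVBOM  = $p.AccessVBOM     # 1 = scripts may read/rewrite VBA projects
                    # Flag "enable all macros" or trusted access to the VBA object model
                    Suspicious  = ($vba -eq 1) -or ($p.AccessVBOM -eq 1)
                }
            }
        }
    }
}

$posture = @(Get-OfficeMacroPosture)
$posture | Sort-Object Suspicious -Descending | Format-Table -AutoSize

$bad = @($posture | Where-Object { $_.Suspicious })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) Office security key(s) allow macros to run without a prompt:"
    $bad | ForEach-Object { Write-Warning "  $($_.Key)  VBAWarnings=$($_.VBAWarnings) AccessVBOM=$($_.AccessVBOM)" }
    # To restore the default prompt for one key:
    #   Set-ItemProperty -Path $bad[0].Key -Name VBAWarnings -Value 2
} else {
    Write-Output 'No Office macro-security keys found in a weakened state.'
}
```

Run it in the context of the user who received the phishing email, since the HKCU hive is where an unprivileged HTA stage can write; a VBAWarnings value of 1 under a Policies key is more alarming still, because a user-level script should not be setting Group Policy values. Pair the audit with a process-creation detection for mshta.exe spawning powershell.exe, which is the parent/child relationship this chain produces.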
Targets and attribution
Check Point says it was able to identify 14 targeted entities, all German organizations with some connection to the auto-making industry. However, no specific company names are mentioned in the report.
The information-stealing payloads were hosted on a site ("bornagroup[.]ir") registered by an Iranian persona, and the same registrant email address appears on the phishing domains, such as "groupschumecher[.]com".
The threat analysts were able to find links to a different phishing operation targeting customers of the Santander Bank, with sites supporting that campaign hosted on an Iranian ISP.
In summary, there is a good chance that Iranian threat actors are orchestrating the campaign, but Check Point does not have enough evidence for a firm attribution.
Finally, regarding the goals of the campaign, it’s most likely industrial espionage or BEC (business email compromise), directed against these firms or their clients, suppliers, and contractors.
The emails sent to the targets are written to invite a reply, so building a rapport with the victim and gaining their trust over several exchanges is a likely scenario, which lends credibility to the BEC hypothesis.