Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware

    Date: 09/26/2024

    Severity: High

    Summary

    Proofpoint researchers are tracking a cluster of activity that targets transportation and logistics companies in North America and delivers a range of malware payloads. Notably, the activity is sent from compromised, legitimate email accounts belonging to transportation and shipping firms; how the actor obtains access to those accounts is currently unknown. The actor injects malicious content into existing conversations in the compromised inbox, so the lures arrive as replies in threads the recipient already trusts. Proofpoint has identified at least 15 compromised email accounts used in these campaigns.

    Indicators of Compromise (IOC) List

    Domains\URLs

    http://89.23.98.98/file/14242.exe 

    http://89.23.98.98/file/ratecon.exe 

    http://89.23.98.98/file/rate_confirmation.vbs 

    http://89.23.98.98/file/Rateconfirm.exe 

    http://89.23.98.98/file/carrier.exe 

    http://185.217.197.84/file/remittance.exe 

    http://185.217.197.84/file/information_package.exe 

    https://live-samsaratrucking.com/true-tracking-32934.html 

    http://ambcrrm.com/ 

    https://ambccm.com/Astra/index.html 

    https://idessit.com/fn.msi 

    https://ambccm.com/3.msi 

    https://ambcrrm.com/3.msi 

    Hash

    199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431 
    
    ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e 
    
    e7526dadae6b589b6a31f1f7e2e528ed1c9edd9f3d1ca88f0ece0dee349d3842 
    
    e5ed1a273faf5174dbd8db9d6d3657b81dc2cbc2e0af28cfe76f41c3d2f2fc37 
    
    f8b12e6d02ea5914e01f95b5665b3a735acfbb9ee6ae27b004af37547bc11e7f 
    
    0931217eb498b677e2558fd30d92169cc824914c2df68cfbcff4f642600e2cc2 
    
    582c69b52d68b513f2a137bbf14704df7d787b06752333fc31066669cd663d04 
    
    957fe77d04e04ff69fdaff8ef60ac0de24c9eb5e6186b3187460eac6be561f5d 
    
    2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319 
    
    8fe96fb9d820db0072fe0423c13d2d05f81a9cf0fdd6f4e2ee78dc4ca1d37618 
    
    cdf160c63f61ae834670fdaf040411511dc2fc0246292603e7aa8cd742d78013 
    
    d45b6b04ac18ef566ac0ecdaf6a1f73d1c3164a845b83e0899c66c608154b93d 
    
    fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7 
    
    163dccdcaa7fdde864573f2aabe0b9cb3fdcdc6785f422f5c2ee71ae6c0e413a 
    
    37f328fc723b2ddf0e7a20b57257cdb29fe9286cb4ffeaac9253cb3b86520235 
    
    1a002631b9b2e685aeb51e8b6f4409daf9bc0159cfd54ef9ad3ba69d651ac2a3 
    
    b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs : 

    userdomainname like "http://89.23.98.98/file/14242.exe" or url like "http://89.23.98.98/file/14242.exe" or userdomainname like "http://185.217.197.84/file/remittance.exe" or url like "http://185.217.197.84/file/remittance.exe" or userdomainname like "https://idessit.com/fn.msi" or url like "https://idessit.com/fn.msi" or userdomainname like "https://ambcrrm.com/3.msi" or url like "https://ambcrrm.com/3.msi" or userdomainname like "http://89.23.98.98/file/ratecon.exe" or url like "http://89.23.98.98/file/ratecon.exe" or userdomainname like "http://185.217.197.84/file/information_package.exe" or url like "http://185.217.197.84/file/information_package.exe" or userdomainname like "https://live-samsaratrucking.com/true-tracking-32934.html" or url like "https://live-samsaratrucking.com/true-tracking-32934.html" or userdomainname like "https://ambccm.com/Astra/index.html" or url like "https://ambccm.com/Astra/index.html" or userdomainname like "http://89.23.98.98/file/carrier.exe" or url like "http://89.23.98.98/file/carrier.exe" or userdomainname like "https://ambccm.com/3.msi" or url like "https://ambccm.com/3.msi" or userdomainname like "http://89.23.98.98/file/rate_confirmation.vbs" or url like "http://89.23.98.98/file/rate_confirmation.vbs" or userdomainname like "http://89.23.98.98/file/Rateconfirm.exe" or url like "http://89.23.98.98/file/Rateconfirm.exe" or userdomainname like "http://ambcrrm.com/" or url like "http://ambcrrm.com/"

    Hash :

    sha256hash IN ("fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7","582c69b52d68b513f2a137bbf14704df7d787b06752333fc31066669cd663d04","ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e","199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431","d45b6b04ac18ef566ac0ecdaf6a1f73d1c3164a845b83e0899c66c608154b93d","e7526dadae6b589b6a31f1f7e2e528ed1c9edd9f3d1ca88f0ece0dee349d3842","37f328fc723b2ddf0e7a20b57257cdb29fe9286cb4ffeaac9253cb3b86520235","b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86","1a002631b9b2e685aeb51e8b6f4409daf9bc0159cfd54ef9ad3ba69d651ac2a3","0931217eb498b677e2558fd30d92169cc824914c2df68cfbcff4f642600e2cc2","e5ed1a273faf5174dbd8db9d6d3657b81dc2cbc2e0af28cfe76f41c3d2f2fc37","f8b12e6d02ea5914e01f95b5665b3a735acfbb9ee6ae27b004af37547bc11e7f","957fe77d04e04ff69fdaff8ef60ac0de24c9eb5e6186b3187460eac6be561f5d","2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319","8fe96fb9d820db0072fe0423c13d2d05f81a9cf0fdd6f4e2ee78dc4ca1d37618","cdf160c63f61ae834670fdaf040411511dc2fc0246292603e7aa8cd742d78013","163dccdcaa7fdde864573f2aabe0b9cb3fdcdc6785f422f5c2ee71ae6c0e413a")
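    The TDIR clauses above match each URL as a whole string, so a new payload name dropped on the same attacker host (for example a fresh .exe under http://89.23.98.98/file/) would not hit them. The following Python is an added example, not Gurucul's TDIR query or any Proofpoint tooling: it loads the IOCs from this page and runs them over a few constructed proxy and file-hash log lines, reporting an exact-URL match separately from a host-level match and comparing SHA-256 values case-insensitively. The log formats, client IPs, workstation names and paths are invented for the example.

```python
"""IOC matcher for the URL and SHA-256 indicators listed on this page.

Added example; not Gurucul or Proofpoint code. Log line formats below are
constructed for the example and are not any product's native format.
"""
from urllib.parse import urlsplit

# URL IOCs copied from the list above.
IOC_URLS = [
    "http://89.23.98.98/file/14242.exe",
    "http://89.23.98.98/file/ratecon.exe",
    "http://89.23.98.98/file/rate_confirmation.vbs",
    "http://89.23.98.98/file/Rateconfirm.exe",
    "http://89.23.98.98/file/carrier.exe",
    "http://185.217.197.84/file/remittance.exe",
    "http://185.217.197.84/file/information_package.exe",
    "https://live-samsaratrucking.com/true-tracking-32934.html",
    "http://ambcrrm.com/",
    "https://ambccm.com/Astra/index.html",
    "https://idessit.com/fn.msi",
    "https://ambccm.com/3.msi",
    "https://ambcrrm.com/3.msi",
]

# A subset of the SHA-256 IOCs from the list above (enough to show the logic).
IOC_SHA256 = {
    "199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431",
    "ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e",
    "fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7",
}


def normalize_url(url):
    """Lower-case scheme and host, drop port/query/fragment, keep the path verbatim.

    Paths stay case-sensitive on purpose: 'Rateconfirm.exe' is the listed IOC.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    path = parts.path or "/"
    return f"{parts.scheme.lower()}://{host}{path}", host


IOC_EXACT = {normalize_url(u)[0] for u in IOC_URLS}
IOC_HOSTS = {normalize_url(u)[1] for u in IOC_URLS}


def classify_url(url):
    """Return 'exact' for a listed URL, 'host' for any other path on a listed host, else None."""
    norm, host = normalize_url(url)
    if norm in IOC_EXACT:
        return "exact"
    if host in IOC_HOSTS:
        return "host"
    return None


# Constructed proxy log: '<timestamp> <client_ip> <method> <url> <status>'.
PROXY_LOG = """
2024-09-26T13:02:11Z 10.0.4.17 GET http://89.23.98.98/file/Rateconfirm.exe 200
2024-09-26T13:05:40Z 10.0.4.17 GET http://89.23.98.98/file/new_load.exe 200
2024-09-26T13:06:02Z 10.0.7.3 GET https://www.example.com/index.html 200
2024-09-26T13:09:55Z 10.0.4.22 GET HTTPS://AMBCCM.COM/3.msi 200
"""

# Constructed file-creation log: '<timestamp> <host> <path> <sha256>'.
FILE_LOG = r"""
2024-09-26T13:03:01Z WS-0417 C:\Users\dispatch\Downloads\Rateconfirm.exe 199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431
2024-09-26T13:10:12Z WS-0422 C:\Users\ops\Downloads\3.msi AC49FF207E319F79BBD9C80D044D621920D1340F4C53E5E4DA39B2A0C758634E
2024-09-26T13:11:00Z WS-0703 C:\Users\ops\Downloads\setup.msi 0000000000000000000000000000000000000000000000000000000000000000
"""


def scan_proxy_log(text):
    """Return (line_no, match_kind, url) for every proxy line whose URL hits an IOC."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the scan
        kind = classify_url(fields[3])
        if kind:
            hits.append((n, kind, fields[3]))
    return hits


def scan_file_log(text):
    """Return (line_no, host, path) for every file event whose SHA-256 is an IOC."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[-1].lower() in IOC_SHA256:  # hashes in logs vary in case
            hits.append((n, fields[1], fields[2]))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("URL IOC ", *hit)
    for hit in scan_file_log(FILE_LOG):
        print("HASH IOC", *hit)
```

Line 2 of the constructed proxy log is the case the exact-string query misses: a new filename on 89.23.98.98 is reported as a host-level hit. Host-level matching is safe for the two raw IPs and the lookalike domains here, but on shared hosting it would generate noise, so treat 'host' hits as leads to triage rather than confirmed detections. Hash matches are specific but short-lived, since a recompiled payload changes the hash; the network indicators tend to outlive any one sample.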

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering 


    Tags

    Malware, Social Engineering, Compromised Accounts

