German automakers targeted by year-long malware campaign


A years-long phishing campaign has targeted German auto companies, attempting to infect their systems with password-stealing malware.

The targets include both car manufacturers and car dealerships in Germany, and the threat actors have registered several similar domains to use in their operation by cloning the legitimate sites of various organizations in this industry.

These sites are used to send phishing emails written in German and host the downloaded malware payloads on the targeted systems.

Various similar domains used in this campaign (Check Point)

Check Point researchers discovered this campaign and published a technical report in which they presented the details of their findings. According to the report, the campaign started around July 2021 and is still ongoing.

Targeting the German automotive industry

The chain of infection begins with an email sent to specific targets containing an ISO disk image file that bypasses many internet security controls.

For example, the phishing email below claims to contain an automobile transfer receipt sent to what appears to be a targeted dealership.

One of the malicious emails seen by Check Point

The ISO image, in turn, contains an .HTA file that runs embedded JavaScript or VBScript code, delivered through HTML smuggling.

Generic infection chain (Check Point)

It’s a common technique used by hackers of all skill levels, from “script kiddies” who rely on automated kits to state-sponsored actors who deploy custom backdoors.

While the victim sees a decoy document opened by the HTA file, malicious code is executed in the background to fetch the malware payloads and launch them.

Decoy document (Check Point)

“We found multiple versions of these scripts, some triggering PowerShell code, some cloaked, and some plain text. All download and execute various MaaS (Malware as a Service) information stealers.” – Check Point.

The MaaS infostealers used in this campaign vary, including Raccoon Stealer, AZORult, and BitRAT. All three are available for purchase on cybercrime marketplaces and darknet forums.

In later versions of the HTA file, PowerShell code runs to modify registry values and enable Microsoft Office content. This removes the need for the threat actors to trick the recipient into enabling macros and improves their payload delivery rate.

Malicious modification of the Windows Registry (Check Point)
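An added detection example, written for this article and not taken from the Check Point report: it runs a few rules over constructed Sysmon-style process-creation and registry-set events that mirror the chain described above (mshta.exe opening an .hta, PowerShell spawned by mshta.exe, and a non-Office process setting Office macro security values). The field layout, SIDs, paths and values in the sample events are assumptions; the registry value names are the real Office trust-center settings.

```python
import re

# Constructed Sysmon-style events (assumed field layout, not from the report):
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\userinit.exe CommandLine=explorer.exe",
    "EventID=1 Image=C:\\Windows\\System32\\mshta.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=mshta.exe E:\\Rechnung.hta",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\System32\\mshta.exe CommandLine=powershell.exe -w hidden -enc AAAA",
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings Details=DWORD (0x00000001)",
    "EventID=13 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\Foo Details=DWORD (0x00000000)",
]

# Office trust-center values an attacker changes to make macros/VBA run silently.
OFFICE_SEC = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\\w+\\Security\\(VBAWarnings|AccessVBOM)$", re.I)
OFFICE_APPS = ("winword", "excel", "powerpnt", "outlook")


def parse(line):
    """Split 'Key=value' pairs; values may contain spaces, so split only before a new key."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (rule, evidence) tuples for events matching the HTA -> PowerShell -> registry chain."""
    alerts = []
    for line in lines:
        ev = parse(line)
        eid, img = ev.get("EventID"), image_name(ev.get("Image", ""))
        parent, cmd = image_name(ev.get("ParentImage", "")), ev.get("CommandLine", "")
        if eid == "1" and parent == "mshta.exe" and img == "powershell.exe":
            alerts.append(("hta_spawns_powershell", cmd))
        elif eid == "1" and img == "mshta.exe" and ".hta" in cmd.lower():
            alerts.append(("mshta_executes_hta", cmd))
        elif eid == "13" and OFFICE_SEC.search(ev.get("TargetObject", "")):
            m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)
            value = int(m.group(1), 16) if m else None
            # VBAWarnings=1 means "enable all macros"; AccessVBOM=1 trusts VBA project access.
            # Office itself writing these is user configuration; another process doing it is suspect.
            if value == 1 and not img.startswith(OFFICE_APPS):
                alerts.append(("office_macro_security_weakened", ev["TargetObject"]))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```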

Targets and attribution

Check Point claims to be able to trace these attacks back to 14 targeted entities, all German organizations with a connection to the automotive industry. However, no specific company name is mentioned in the report.

The information-stealing payloads were hosted on a site (“bornagroup[.]ir”) registered under an Iranian persona, while the same email address was used for phishing subdomains such as “groupschumecher[.]com”.

Threat analysts were able to find links to another phishing operation targeting Santander bank customers, with sites supporting this campaign hosted on an Iranian ISP.

Threat actor infrastructure (Check Point)

In summary, there is a strong chance that Iranian threat actors are orchestrating the campaign, but Check Point does not have enough evidence to attribute it.

Finally, with regard to the objectives of the campaign, it is most likely industrial espionage or BEC (business email compromise), directed against these companies or their customers, suppliers and subcontractors.

The emails sent to targets leave a lot of room for correspondence, so building a rapport with the victim and gaining their trust is a likely scenario, which lends credence to the BEC hypothesis.

