A years-long phishing campaign has targeted German auto companies, attempting to infect their systems with password-stealing malware.
The targets include both car manufacturers and car dealerships in Germany, and the threat actors have registered several similar domains to use in their operation by cloning the legitimate sites of various organizations in this industry.
These sites are used to send phishing emails written in German and to host the malware payloads that are downloaded onto the targeted systems.
Check Point researchers discovered this campaign and published a technical report in which they presented the details of their findings. According to the report, the campaign started around July 2021 and is still ongoing.
Targeting the German automotive industry
The chain of infection begins with an email sent to specific targets containing an ISO disk image file that bypasses many internet security controls.
For example, the phishing email below claims to contain an automobile transfer receipt sent to what appears to be a targeted dealership.
Delivering an HTA (HTML Application) file this way is a common technique used by hackers of all skill levels, from “script kiddies” who rely on automated kits to state-sponsored actors who deploy custom backdoors.
While the victim sees a decoy document opened by the HTA file, malicious code is executed in the background to fetch the malware payloads and launch them.
The MaaS infostealers used in this campaign vary, including Raccoon Stealer, AZORult, and BitRAT. All three are available for purchase on cybercrime marketplaces and darknet forums.
In later versions of the HTA file, PowerShell code runs to modify registry values and enable Microsoft Office active content. This makes it unnecessary for threat actors to trick the recipient into enabling macros and reduces their payload loss rate.
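The report does not name the registry values the HTA modifies. The following audit script is an added example, not code from Check Point or the campaign, and assumes the commonly abused per-user Office macro settings (VBAWarnings, AccessVBOM, BlockContentExecutionFromInternet); it reports any that have been weakened so a defender can spot this kind of tampering.

```powershell
# Added example (not from the report): audit per-user Office macro security
# settings in HKCU and report any that have been weakened. Assumed values:
#   VBAWarnings = 1                       -> all macros run without notification
#   AccessVBOM = 1                        -> trusted access to the VBA object model
#   BlockContentExecutionFromInternet = 0 -> Mark-of-the-Web macro block disabled
function Get-WeakOfficeMacroSettings {
    $apps     = 'Word', 'Excel', 'PowerPoint'
    $versions = '14.0', '15.0', '16.0'   # Office 2010, 2013, 2016/2019/M365

    foreach ($ver in $versions) {
        foreach ($app in $apps) {
            $path = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path $path)) { continue }   # app/version not installed
            $sec = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

            if ($sec.VBAWarnings -eq 1) {
                [pscustomobject]@{ Path = $path; Value = 'VBAWarnings'; Data = 1
                                   Risk = 'All macros enabled without notification' }
            }
            if ($sec.AccessVBOM -eq 1) {
                [pscustomobject]@{ Path = $path; Value = 'AccessVBOM'; Data = 1
                                   Risk = 'Scripts may write to the VBA project' }
            }
            if ($sec.PSObject.Properties['BlockContentExecutionFromInternet'] -and
                $sec.BlockContentExecutionFromInternet -eq 0) {
                [pscustomobject]@{ Path = $path; Value = 'BlockContentExecutionFromInternet'; Data = 0
                                   Risk = 'Macros in files from the internet not blocked' }
            }
        }
    }
}

$findings = @(Get-WeakOfficeMacroSettings)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No weakened Office macro settings found in HKCU.'
}
```

Because the dropper writes to the user hive, run the check in the context of the user who opened the attachment; the same values can also be pinned centrally under the Policies hive so that per-user changes no longer take effect.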
Targets and attribution
Check Point claims to be able to trace these attacks back to 14 targeted entities, all German organizations with a connection to the automotive industry. However, no specific company name is mentioned in the report.
The information-stealing payloads were hosted on a site (“bornagroup[.]ir”) registered by an Iranian persona, and the same email address was used to register phishing subdomains such as “groupschumecher[.]com”.
Threat analysts were able to find links to another phishing operation targeting Santander bank customers, with sites supporting this campaign hosted on an Iranian ISP.
In summary, there is a strong chance that Iranian threat actors are orchestrating the campaign, but Check Point does not have enough evidence to attribute it.
Finally, with regard to the objectives of the campaign, it is most likely industrial espionage or BEC (business email compromise), directed against these companies or their customers, suppliers and subcontractors.
The emails sent to targets leave a lot of room for further correspondence, so establishing a rapport with the victim and gaining their trust is a likely scenario, which lends credence to the BEC hypothesis.