Malware Campaign Targets At Least 14 German Automakers

A year-long campaign

• The targets of the campaign include car manufacturers and dealers in Germany.
• The attackers registered various lookalike domains (called domain squatting) to use in their operation by cloning genuine sites of multiple organizations.
• The fake sites are used to spread phishing emails written in German and host malicious payloads. The goals of the campaign seem to be industrial espionage or BE) attacks.
• Several MaaS info-stealers have been used in this campaign, including AZORult, BitRAT, and Raccoon Stealer. All three malware are available for purchase in darknet forums and cybercrime markets.

More information

• These attacks are traced back to 14 targeted entities, all German organizations that had some connection to the auto-making industry. However, no specific name of any company is mentioned.
• The information-stealing payloads are hosted on a site ("bornagroup[.]ir"), registered by an Iranian individual.
• There is a high chance that Iranian threat actors are orchestrating the campaign, however, there is not enough evidence according to researchers.

Infection process

• As found in the samples, a phishing email pretended to contain an automobile transfer receipt sent to a targeted car dealer.
• This archive has an ‘.HTA’ file that includes JavaScript or VBScript code execution using HTML smuggling.
• While the victim sees a decoy document, malicious code is running in the background to get malware payloads and execute them.

Conclusion