German automakers targeted in year-long malware campaign

A years-long phishing campaign has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.

The targets include both car manufacturers and car dealerships in Germany, and the threat actors have registered multiple lookalike domains for use in their operation by cloning legitimate sites of various organizations in that sector.

These sites are used to send phishing emails written in German and host the malware payloads downloaded to targeted systems.

Various lookalike domains used in this campaign (Check Point)

Researchers at Check Point discovered this campaign and published a technical report where they presented the details of their findings. According to the report, the campaign started around July 2021 and is still ongoing.

Targeting the German auto industry

The infection chain begins with an email sent to specific targets containing an ISO disk image file that bypasses many internet security controls.

For example, the phishing email below pretends to contain an automobile transfer receipt sent to what appears to be a targeted dealership.

One of the malicious emails seen by Check Point

This archive, in turn, contains an .HTA file that uses HTML smuggling to execute JavaScript or VBScript code.

Generic infection chain (Check Point)

This is a common technique used by hackers of all skill tiers, from “script kiddies” who rely on automated kits to state-sponsored actors who deploy custom backdoors.

While the victim sees a decoy document that is opened by the HTA file, malicious code is executed in the background to fetch the malware payloads and launch them.

Decoy document (Check Point)
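
As an added illustration (not taken from Check Point's report or from this article), the following mail-gateway style check looks for the first two stages described above: an ISO attachment that carries an .HTA file. The function names, the byte-pattern heuristic and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SECTOR = 2048
# ISO 9660 volume descriptors start at sector 16; each has "CD001" at byte 1.
MAGIC_OFFSETS = [SECTOR * n + 1 for n in (16, 17, 18)]
# .hta names as stored in ISO 9660 (ASCII) and Joliet (UTF-16BE) directory records.
NAME_ASCII = re.compile(rb"[\w\-. ]{1,64}\.hta\b", re.I)
NAME_JOLIET = re.compile(rb"(?:\x00[\w\-. ]){1,64}\x00\.\x00h\x00t\x00a", re.I)

def is_iso(data):
    """True if the bytes carry an ISO 9660 volume descriptor signature."""
    return any(data[o:o + 5] == b"CD001" for o in MAGIC_OFFSETS)

def hta_names(data):
    """Heuristic: pull .hta file names out of raw image bytes without mounting."""
    names = {m.group().decode("ascii") for m in NAME_ASCII.finditer(data)}
    names |= {m.group().decode("utf-16-be") for m in NAME_JOLIET.finditer(data)}
    return sorted(names)

def scan_email(raw):
    """Return one finding per attachment that is an ISO by name or by content."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_iso(data) or name.lower().endswith(".iso"):
            findings.append({"attachment": name, "iso_magic": is_iso(data),
                             "hta": hta_names(data)})
    return findings

def build_sample():
    """Constructed message: an inert image holding only the bytes the scanner reads."""
    image = bytearray(SECTOR * 20)
    image[SECTOR * 16 + 1:SECTOR * 16 + 6] = b"CD001"
    image[SECTOR * 19:SECTOR * 19 + 14] = b"\x0dRECEIPT.HTA;1"  # length byte + name
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "dealer@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(bytes(image), maintype="application",
                       subtype="octet-stream", filename="receipt.iso")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_email(build_sample()):
        print(finding)
```

Checking the content signature as well as the file name means a renamed disk image is still flagged, and a finding with a non-empty `hta` list is the combination this campaign relies on.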

“We found several versions of these scripts, some triggering PowerShell code, some obfuscated, and others in plain text. All of them download and execute various MaaS (Malware as a Service) info-stealers.” – Check Point.

The MaaS info-stealers used in this campaign vary, including Raccoon Stealer, AZORult, and BitRAT. All three are available for purchase in cybercrime markets and darknet forums.

In later versions of the HTA file, PowerShell code runs to change registry values and enable content on the Microsoft Office…