A year-long phishing campaign has targeted Germany-based automotive companies, attempting to breach their systems and infect them with password-stealing malware.
Researchers who spotted the campaign published a detailed report on the attacks. According to their findings, the activity began around July last year and is still ongoing.
The attack exclusively targets car dealers and manufacturers in Germany. The threat actors registered several lookalike domains and used them to clone the genuine websites of numerous targeted organisations.
The same infrastructure was used to send German-language phishing emails carrying the malicious payloads. The campaign appears to be aimed at industrial espionage.
The threat actors have also relied on several Malware-as-a-Service info-stealers, including BitRAT, Raccoon Stealer and AZORult, all of which are sold by other actors on dark web forums and underground markets.
The phishing attacks have targeted about 14 different German automotive organisations, including car dealers and manufacturers. Researchers were unable to determine which companies were compromised or how the attacks affected them.
The info-stealing payloads are hosted on bornagroup[.]ir, a domain registered by an individual in Iran. This hints that an Iranian threat group may be behind the espionage attacks, but there is no substantive evidence to support that attribution; domain registration data alone is easily faked and is a weak basis for assigning blame.
The infection chain starts with an email to the target carrying an ISO disk image attachment, a container format that evades several security detections (at the time of the campaign, files mounted from an ISO did not inherit the Mark of the Web that triggers Windows and Office protections). In the samples analysed, the emails posed as a vehicle transfer receipt sent to a targeted car dealer.
The ISO contains an .HTA file holding JavaScript that uses HTML smuggling: the script retrieves and drops the malware payloads in the background while the target is busy viewing a decoy document.
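The infection chain described above (an HTA whose JavaScript decodes an embedded payload and hands it to the browser as a download) leaves a recognisable signature in the file itself. The following Python scanner is an added example, not code from the article or from the researchers who reported the campaign; the indicator set, the alert threshold and the two sample pages are constructed for illustration and do not reproduce the real samples.

```python
import base64
import binascii
import re

# Heuristic indicators of HTML smuggling in an HTA or HTML page: an encoded
# payload embedded in the script, decoded client-side, wrapped in a Blob and
# pushed to the user as a download. The indicator names and the alert
# threshold are assumptions made for this example, not taken from the
# reported samples.
INDICATORS = {
    "decode": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\bdownload\s*="),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "ms_save": re.compile(r"msSaveOrOpenBlob"),
}
# A long contiguous base64 run is usually the smuggled file itself.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Magic bytes of file types commonly dropped this way (PE executable, ZIP).
MAGIC = (b"MZ", b"PK\x03\x04")


def scan_html_for_smuggling(html: str, threshold: int = 4) -> dict:
    """Return per-indicator hits, a score and a verdict for one HTML/HTA body."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    blobs = BASE64_BLOB.findall(html)
    hits["embedded_base64"] = bool(blobs)
    hits["decoded_executable"] = False
    for blob in blobs:
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except binascii.Error:
            continue
        if raw.startswith(MAGIC):
            hits["decoded_executable"] = True
            break
    score = sum(hits.values())
    # Require the embedded payload plus enough browser-side plumbing to
    # deliver it; decoding alone is common in benign pages.
    suspicious = hits["embedded_base64"] and score >= threshold
    return {"hits": hits, "score": score, "suspicious": suspicious}


# Constructed sample, not a real phishing artefact: a decoy page with a base64
# "payload" that is just an MZ header followed by zero bytes.
FAKE_PAYLOAD = base64.b64encode(b"MZ" + b"\x00" * 200).decode()
SAMPLE_SMUGGLING_HTA = f"""
<html><body>
<p>Ihr Beleg zur Fahrzeugueberfuehrung wird geladen ...</p>
<script>
  var data = "{FAKE_PAYLOAD}";
  var bytes = atob(data);
  var arr = new Uint8Array(bytes.length);
  for (var i = 0; i < bytes.length; i++) arr[i] = bytes.charCodeAt(i);
  var blob = new Blob([arr], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "Beleg.iso";
  a.click();
</script>
</body></html>
"""

# Constructed benign page: decodes a short string but never builds a download.
BENIGN_PAGE = """
<html><body><p id="greeting"></p><script>
  document.getElementById("greeting").textContent = atob("SGFsbG8=");
</script></body></html>
"""

if __name__ == "__main__":
    for name, page in (("smuggling", SAMPLE_SMUGGLING_HTA), ("benign", BENIGN_PAGE)):
        result = scan_html_for_smuggling(page)
        print(f"{name}: score={result['score']} suspicious={result['suspicious']}")
```

In practice the scan would run on the .HTA after extracting it from the ISO attachment, either at the mail gateway or on the endpoint. Real campaigns usually obfuscate the decode routine and split the payload string, so these indicators are a starting point for a detection rule rather than a complete signature.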
The threat actors operate a large infrastructure spoofing several German automotive companies. Experts recommend that organisations in this sector remain wary of these threats, and in particular of unsolicited ISO or HTA attachments arriving by email.