Cybercriminals target transportation companies in North America with info-stealing malware


Researchers have observed a new campaign targeting shipping companies in North America, delivering a variety of malware strains.

Cybersecurity firm Proofpoint has been tracking the activity since late May and said it could not attribute the campaign to a specific threat actor, but determined the group is likely financially motivated. To gain initial access to their victims, the hackers use compromised legitimate email accounts belonging to transportation and shipping companies, sending malicious links and attachments within existing email conversations.

The malware delivered through these attacks includes Lumma Stealer, StealC, DanaBot and Arechclient2 — all designed to steal information from the victims’ devices.

Proofpoint identified at least 15 compromised email accounts used in the campaign, but it remains unclear how the hackers gained access to those accounts.

In some attacks, the hackers also impersonated legitimate software used exclusively in transport and fleet operations management, including Samsara, AMB Logistic and Astra TMS.

Researchers have not named the specific victims affected by the attacks but stated that they include a small number of customers in the transportation and logistics industries in North America.

“Threat actors are increasingly tailoring lures to be more realistic to entice recipients to click on a link or download attachments,” researchers said.

The specific targeting and compromise of organizations within transportation and logistics, as well as the use of lures impersonating industry-specific software, indicate that the actors likely conduct research into the targeted company’s operations before launching their campaigns, according to the report.

The language used in the lures and content also suggests familiarity with typical business workflows, researchers added.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
