German car manufacturers targeted by a years-long malware campaign


A year-long phishing campaign targets German automotive companies and attempts to infect their systems with password-stealing malware.

Targets include both car manufacturers and car dealerships in Germany, and the attackers have registered multiple lookalike domains for use in their operations by cloning legitimate websites from various organizations in the sector.

These sites are used to send German-language phishing emails and host the malware payloads that are downloaded onto targeted systems.

Various lookalike domains used in this campaign (Check Point)

Check Point researchers discovered this campaign and published a technical report presenting the details of their findings. According to the report, the campaign began around July 2021 and is still ongoing.

The target is the German car industry

The infection chain begins with an email sent to selected targets carrying an ISO disk image attachment, a container format that bypasses many Internet security controls.

For example, the phishing email below pretends to contain a receipt for a car pickup that was sent to what appeared to be a targeted dealership.

One of the malicious emails detected by Check Point

This disk image, in turn, contains an .HTA file that executes JavaScript or VBScript code via HTML smuggling.

Generic chain of infection (Check Point)

This is a common technique used by hackers of all skill levels, from “script kiddies” who rely on automated kits to state-sponsored actors employing custom backdoors.

While the victim sees a decoy document opened by the HTA file, malicious code executes in the background to retrieve and launch the malware payloads.

Decoy document (Check Point)

“We found multiple versions of these scripts, some triggering PowerShell code, some obfuscated, and others in plaintext. All download and run various MaaS (Malware as a Service) info thieves.” – Check Point.

The MaaS infostealers used in this campaign vary, including Raccoon Stealer, AZORult, and BitRAT. All three are available on cybercrime markets and dark web forums.

Later versions of the HTA file run PowerShell code to change registry values and enable content in the Microsoft Office suite. This makes it unnecessary for the threat actors to trick the recipient into enabling macros and improves their payload drop rate.

Malicious modification of the Windows registry (Check Point)
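The registry tampering described above is something a defender can audit for directly. The following PowerShell script is an added example, not code from the article or from the Check Point report; it assumes the standard Office trust-center value names (VBAWarnings, AccessVBOM and the Protected View DWORDs) under the current user's hive, and the Office version keys listed in $Versions.

```powershell
# Added audit script (not from the article or the Check Point report).
# Checks the current user's Office trust-center settings for values that a
# dropper would set so that macros run without prompting the user.
# Assumption: Office 2010/2013/2016+ store these under the version keys below.
$Versions = @('16.0', '15.0', '14.0')
$Apps     = @('Word', 'Excel', 'PowerPoint')
$Findings = @()

foreach ($v in $Versions) {
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
        if (-not (Test-Path $sec)) { continue }

        # VBAWarnings = 1 means "Enable all macros" (the Office UI warns against it).
        $vba = (Get-ItemProperty -Path $sec -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($vba -eq 1) {
            $Findings += [pscustomobject]@{ Path = $sec; Name = 'VBAWarnings'; Value = $vba; Issue = 'All macros enabled' }
        }

        # AccessVBOM = 1 grants programmatic access to the VBA object model.
        $vbom = (Get-ItemProperty -Path $sec -Name AccessVBOM -ErrorAction SilentlyContinue).AccessVBOM
        if ($vbom -eq 1) {
            $Findings += [pscustomobject]@{ Path = $sec; Name = 'AccessVBOM'; Value = $vbom; Issue = 'VBA object model access enabled' }
        }

        # Protected View opt-outs: each DWORD set to 1 disables one Protected View trigger
        # (files from the Internet, Outlook attachments, unsafe locations).
        $pv = Join-Path $sec 'ProtectedView'
        if (Test-Path $pv) {
            foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV') {
                $val = (Get-ItemProperty -Path $pv -Name $name -ErrorAction SilentlyContinue).$name
                if ($val -eq 1) {
                    $Findings += [pscustomobject]@{ Path = $pv; Name = $name; Value = $val; Issue = 'Protected View disabled' }
                }
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    'No weakened Office macro or Protected View settings found for the current user.'
}
```

Run it under the account that received the phishing email, since the HTA writes to that user's HKCU hive; any hit on a machine where the organisation's policy is "disable with notification" (VBAWarnings = 2) is worth an incident ticket.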

Goals and attribution

Check Point says they traced these attacks to 14 targeted entities, all German organizations that had some connection to the auto industry. However, no specific company names are mentioned in the report.

The information-stealing payloads were distributed from a website (“bornagroup[.]ir”) registered by an Iranian persona, and the same email address was used to register phishing subdomains such as “groupschumecher[.]com”.

Threat analysts were able to find links to another phishing operation targeting Santander Bank customers, with websites supporting this campaign hosted on an Iranian ISP.

Threat actor infrastructure (Check Point)

In conclusion, there’s a good chance Iranian threat actors are orchestrating the campaign, but Check Point doesn’t have enough evidence for a firm attribution.

Finally, as far as the goals of the campaign are concerned, it is most likely industrial espionage or BEC (Business Email Compromise) directed against these companies or their customers, suppliers and contractors.

The emails sent to the victims leave plenty of room for correspondence, so building a relationship with the victim and gaining their trust is a likely scenario that lends credence to the BEC hypothesis.

