Check Point finds that info-stealing malware targets German car dealerships, auto manufacturers


Researchers from Check Point Software have detected a dedicated info-stealing malware campaign, which is said to have attacked 14 German car companies, ranging from car dealerships to manufacturers in a months-long campaign. The hackers behind the operation also registered multiple lookalike domains, imitating existing German auto businesses that they later used to send phishing emails and hosted the malware infrastructure.

The hackers sent emails carrying German-language receipts and contracts, designed to instill confidence and lure the recipients, to carefully selected targets, Check Point said in its blog post. “The main malware hosting site is an Iranian hosted non-governmental website with a double connection to the campaign,” they added.

The social engineering tactics adopted by the hackers drew the attention of the Check Point researchers, in particular how the threat actors selected the businesses to impersonate, as well as the phrasing of the emails and the attached documents. “This type of attack is all about convincing the recipient of the authenticity of the lure. Gaining access to several victims at the same time gives a significant advantage to the attacker,” they added.

Check Point has evidence that this is an ongoing campaign that has been conducted since at least July 2021, or possibly even earlier, since March. Additionally, the researchers said that it may be related to industrial espionage or business fraud, but more information is required to establish the attackers’ exact motivation. The targets are carefully selected, and the way the phishing emails were sent would allow correspondence between the victims and the attackers.

“One possibility is that the attackers were trying to compromise car dealerships and use their infrastructure and data to gain access to secondary targets like larger suppliers and manufacturers,” Check Point said. That would be useful for BEC (Business Email Compromise) fraud or industrial espionage, it added.

Check Point said that the identity of who is behind this operation is not clear. “We found certain connections to Iranian non-state entities but it is unclear whether they were legitimate sites that were compromised or have a more substantial connection to this operation. Bornagroup[.]ir is the main site used in this campaign to host various info-stealers. It was registered using the email address amir_h_22@yahoo[.]com by an ‘Amir Heidari Forooshani.’ This persona is connected to the campaign from two distinct sources,” the researchers added.

On one side, bornagroup[.]ir is used to host various info-stealers, and it is used in multiple emails sent from a net of dedicated lookalike domains, according to the researchers. On another side, the sub-domain santandbnkplc[.]turbocell[.]ir, registered by the same registrant (Heidari), was used in a phishing operation targeting customers of a subsidiary of a Spanish bank in South America (Santander Bank), they added.

Another part of this ‘Santander’ campaign is hosted on the same Iranian ISP, according to Check Point. “Its domain is registered under a name impersonating another German vehicle entity ‘Kfz – Sauter GmbH & Co. KG.’ This same entity ‘Kfz – Sauter GmbH & Co. KG’ was used to register a lookalike domain, groupschumecher[.]com, which is part of the main German-Auto campaign. This double connection may imply a more substantial Iranian link to the campaign,” the researchers added.

Check Point also encountered three methods of hosting the payloads. “In the first wave of emails, the malware-hosting sites used DuckDNS URLs. In one case we found a direct URL to one of the lookalike domains. The majority of cases used a single website hosted in Iran – bornagroup[.]ir,” they said.
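The infrastructure pattern described above (lookalike sender domains imitating real partners, a single malware-hosting site, and first-wave DuckDNS URLs) is something a dealership's mail filter can check for directly. The following is an added example, not code from Check Point or from the article: it refangs the published indicators, flags a sender or link host that is within a couple of edits of a trusted partner domain (which catches typo-squats such as groupschumecher vs. groupschumacher and TLD swaps), and flags link hosts on dynamic DNS. The trusted-domain list and the sample messages are constructed; the defanged indicators are the ones named in the article.

```python
"""Lookalike-domain and indicator triage for inbound mail metadata.

Added example, not code from Check Point or the original article. It assumes
the caller can supply (sender domain, list of URLs) pairs extracted from each
mail. TRUSTED_DOMAINS and SAMPLE_MESSAGES are constructed; DEFANGED_IOCS are
the indicators published in the article.
"""
from urllib.parse import urlparse

# Constructed: domains a dealership actually does business with.
TRUSTED_DOMAINS = {"groupschumacher.de", "kfz-sauter.de", "example-autohaus.de"}

# Indicators from the article, kept defanged exactly as published.
DEFANGED_IOCS = ["bornagroup[.]ir", "santandbnkplc[.]turbocell[.]ir", "groupschumecher[.]com"]

# Dynamic DNS provider the article reports for first-wave hosting.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into usable form."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .lower())


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'groupschumecher' for 'mail.groupschumecher.com'.
    Assumption: single-label public suffixes only (no .co.uk handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None.

    A domain is a lookalike when it is not itself trusted but its registrable
    label is within `max_distance` edits of a trusted label. Distance 0 means
    a pure TLD swap (kfz-sauter.com vs. kfz-sauter.de)."""
    domain = domain.lower()
    if domain in trusted:
        return None
    label = registrable_label(domain)
    best = None
    for t in trusted:
        d = levenshtein(label, registrable_label(t))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    return best[1] if best else None


def triage(sender_domain: str, urls):
    """Return the list of findings for one message; an empty list means nothing flagged."""
    findings = []
    sender_domain = sender_domain.lower()
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender {sender_domain} looks like trusted {target}")
    if sender_domain in IOC_HOSTS:
        findings.append(f"sender {sender_domain} is a known indicator")
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
            findings.append(f"url host {host} is a known indicator")
        if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
            findings.append(f"url host {host} uses dynamic DNS")
        elif lookalike_of(host):
            findings.append(f"url host {host} looks like trusted {lookalike_of(host)}")
    return findings


# Constructed sample messages: (sender domain, links found in the body).
SAMPLE_MESSAGES = [
    ("groupschumacher.de", ["https://groupschumacher.de/rechnung/4711"]),
    ("groupschumecher.com", ["http://bornagroup.ir/files/vertrag.exe"]),
    ("kfz-sauter.de", ["http://autohaus-update.duckdns.org/rechnung.exe"]),
]

if __name__ == "__main__":
    for sender, urls in SAMPLE_MESSAGES:
        print(sender, "->", triage(sender, urls) or "clean")
```

The edit-distance threshold is deliberately small: at two edits over a second-level label you catch single-character swaps and TLD changes without flagging every unrelated short domain. Anything that trips the known-indicator or dynamic-DNS checks is a stronger signal than a lookalike alone, so a real pipeline would weight those findings higher when deciding whether to quarantine.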

“We encountered several executables hosted on this site, which frequently changed its location and type,” according to the researchers. “The payloads were MaaS (Malware as a Service) info-stealers: AZORult, BitRAT, and Raccoon. All are available for purchase in various markets and groups,” they added.

In March, industrial cybersecurity firm Dragos identified consistent network communication between Emotet Command and Control (C2) servers and numerous automotive manufacturing companies. Emotet, whose servers are suspected to be controlled by the Conti ransomware group, is recognized both as a malware strain and as a cybercrime operation, and has precipitated ransomware events in the past.

Japanese automaker Toyota discontinued operations in March at its domestic plants for a day, following a ‘system failure’ at one of its domestic suppliers brought about by a suspected cyberattack. At present, there are no known reports of disruption to Toyota operations and production units. However, given the nature of supply chain attacks, it cannot be ruled out that Toyota is being targeted.

The U.S. cybersecurity agencies updated in April their earlier advisory to include additional Indicators of Compromise (IOCs) for WhisperGate and provided technical details for the HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware. Since January, these wipers have been deployed against organizations in Ukraine to destroy computer systems and render them inoperable.
