Introduction:
It started with a seemingly benign email, dealing with the purchase of a car, and resulted in a reveal of a months’ lengthy marketing campaign focusing on German organizations. Most of the targets are associated to the German auto-industry sector and the assaults have been designed to deploy varied types of info-stealing malware. The menace actors behind the operation registered multiple lookalike domains, all imitating current German auto companies that they later used to ship phishing emails and to host the malware infrastructure.

In the following publication, we evaluate the small print of this operation, from the initial infrastructure preparations, through the completely different infection-chain levels, to the main points of the final payloads.

Key findings:
* Dedicated marketing campaign focusing on German companies with a concentrate on German car dealerships and manufacturers.
* Extensive infrastructure designed to look like present German car dealerships and manufacturers.
* Emails with receipts and contracts in German, designed to instill confidence and lure recipients have been despatched to fastidiously selected targets.
* The primary malware internet hosting website is an Iranian hosted non-governmental web site with a double connection to the marketing campaign.

Detailed description:
Germans love their cars, goes the cliché, which might have been the inspiration for a malicious e mail received by a German enterprise.

The e mail was designed to look as if it had been sent from a automotive dealership, autohous[.]lips, with the subject line “re: order.” Written in German, the email includes an ISO file attachment labeled as “vehicle bill.” When the recipient double clicked the ISO attachment, a brief warning message appeared, after which the user was required to open an .HTA (HTML Applications) file.

The use of ISO disk picture archives is a known technique used to bypass NTFS Mark-of-the-Web trust management (MOTW). (See MITRE ref. here)
Files extracted from ISO archives are not tagged as MOTW, and due to this fact, even when they are downloaded from the web, no warning is displayed to the consumer.

Figure 3 – Alert pop-up for opening an e mail attachment

Archived in the ISO file is an .HTA file, which is opened by the Mshta.exe utility in Windows OS. It is usually utilized by threat-actors to execute HTML files with embedded JavaScript or VBScript. Even advanced threat teams corresponding to APT29 have been lately reported to use this combination of ISO and HTA information towards European diplomats.

Figure four – Infection chain

The HTA file consists of HTML code to display a purchase order contract in German

Figure 5 – Car purchase contract displayed to victim

While Mshta.exe displays a decoy automobile buy contract, in the background it executes a VBScript code. We found several variations of these scripts, some triggering PowerShell code, some obfuscated and others in plain textual content. All of them obtain and execute varied MaaS (Malware as a Service) info-stealers.

Figure 6 – .HTA file content material

With later variations of the HTA file, PowerShell code is used to vary registry values to enable Office macros and run Outlook attachments and information downloaded from the internet in non-protected mode.

Figure 7 – Deobfuscated PowerShell code for registry setup

Infrastructure
The first e mail we examined was despatched from autohous-lips[.]de. It is a lookalike domain which was registered and resolved shortly earlier than it was used to send the e-mail. Another email which carried a similar .ISO archive was despatched from fiat-amenn[.]de.
Both email handle impersonate present car-related companies in Germany.
Mapping the domains to their hosting server IP addresses, we encountered more than 30 other domains, all registered in recent months, all of whom imitate existing German auto-industry associated businesses with a single character variation.

Figure 9 – Mapping of domains to internet hosting servers’ IPs

Using these domains as our place to begin, we tracked more emails on VirusTotal that have been part of this marketing campaign. These further emails have been sent from 6 of the beforehand found

Figure 10 – Impersonated domains and websites and their lookalike domains

domains. In one case, auto-falkanhahn[.]de, the risk actors used this area as a malware-hosting website for his or her last payload. Although the first malicious e mail we tracked dated back to the end of July 2021, most of the emails we found were despatched in three waves:, on the finish of October 2021, the tip of November 2021 and mid-March 2022.

The attackers began registering domains earlier than the assaults and we seen this development continued as we tracked the operation.

Figure 11 – Gradual decision periods of lookalike domains

Dropped payloads
We encountered three methods of hosting the payloads. In the primary wave of emails, the malware-hosting websites used DuckDNS URLs. In one case we discovered a direct URL to one of the lookalike domains. The majority of cases used a single web site hosted in Iran – bornagroup[.]ir.

We encountered a quantity of executables hosted on this site, which frequently modified its location and sort. (See Appendix). The payloads have been MaaS (Malware as a Service) info-stealers: AZORult, BitRAT and Raccoon. All are available for buy in varied markets and groups.

Victimology and attribution
We traced 14 targeted entities. All of the targets are German or associated to German companies, and most of them linked to the auto-industry, starting from automobile dealerships to manufacturers. and the targets we situated complies with these traits.
The id of who’s behind this operation isn’t clear. We found certain connections to Iranian non-state entities but it is unclear whether or not they have been legitimate websites that have been compromised or have a extra substantial connection to this operation.
Bornagroup[.]ir is the primary website used in this marketing campaign to host varied info-stealers. It was registered utilizing the email handle [email protected][.]com by an “Amir Heidari Forooshani.” This persona is related to the marketing campaign from two distinct sources. On one side,

Figure 12 – Hosting web site double relation to German operation

bornagroup[.]ir is used to host numerous info-stealers, and it’s utilized in multiple emails sent from a net of dedicated lookalike domains.
From another aspect, the sub-domain santandbnkplc[.]turbocell[.]ir, registered by the same registrant (Heidari), was utilized in a phishing operation targeting customers of a subsidiary of a Spanish bank in South America (Santander Bank). Another part of this “Santander” marketing campaign is hosted on the identical Iranian ISP. Its domain is registered under a name impersonating another German car entity “Kfz – Sauter GmbH & Co. KG”. This similar entity “Kfz – Sauter GmbH & Co. KG” was used to register a lookalike area, groupschumecher[.]com, which is part of the principle German-Auto marketing campaign. This double connection could imply a more substantial Iranian hyperlink to the marketing campaign.

Top 5 Anti-Phishing Principles
* Inform Employees About Corporate Email Policies : Every group should have anemail security policy, together with anti-phishing principles defining acceptable use of email (and different communications solutions). This coverage should describe acceptable and unacceptable use and how to reply to potential assaults (i.e. reporting suspicious emails to IT and deleting any identified phishing content)
* Review Password Security Best Practices: User credentials are one of the major targets of cybercriminals. If an attacker has an employee’s password, it could be much more troublesome to detect ongoing assaults since they’ll masquerade as a legitimate user. Additionally, workers generally use the same password for a quantity of on-line accounts, which means that a single breached password can grant an attacker entry to a quantity of the employee’s on-line accounts. For this reason, credential theft is a standard target of phishing emails. It is essential to coach workers concerning the menace posed by phishing emails and about password security best practices.
* Deploy an Automated Anti-Phishing Solution:
Despite an organization’s best efforts, employee cybersecurity education will not provide excellent safety in opposition to phishing assaults. These assaults are growing increasingly subtle and may even trick cybersecurity experts in some instances. While phishing education might help to scale back the variety of successful phishing attacks in opposition to the organization, some emails are likely to sneak through. Minimizing the chance of phishing assaults to the organization requires AI-based anti-phishing software program able to identifying and blocking phishing content throughout the entire organization’s communication companies (email, productivity purposes, and so forth.) and platforms (employee workstations,mobile units, and so on.). This comprehensive protection is necessary since phishing content can come over any medium, and workers may be more susceptible to assaults when utilizing mobile devices.

* Educate Employees About Current Phishing Threats: Phishing attacks use human nature to trick folks into doing something that the attacker wants. Common strategies include creating a way of urgency and offering the recipient of the e-mail one thing that they want, which increases the likelihood that the target will take motion without correctly validating the email. By providing information, items, or alternatives related to a current occasion or creating a state of affairs where the recipient believes that one thing has gone wrong (like a pretend bundle supply notification), these emails improve their chance of getting clicks. Phishing strategies and the pretexts utilized by cybercriminals to make their attacks seem sensible change often. Employees ought to be trained on current phishing developments to increase the chance that they can identify and correctly respond to phishing attacks. The organization’s e-mail coverage must be frequently reviewed as part of the organization’s cybersecurity consciousness coaching.

Conclusion
We found a focused assault being aimed toward German companies, primarily automobile sellers. The threat actors are utilizing an unlimited infrastructure designed to imitate present German corporations. The attackers used phishing emails, with a mixture of ISO\HTA payloads that, if opened, would infect victims with varied data stealing malware.
We do not have conclusive proof of the attackers’ motivation, however we believe it was greater than simply harvesting credit card details or private info. We have proof that this is an ongoing campaign that has been carried out since at least July 2021 (or presumably even earlier, since March). It could additionally be related to industrial espionage or business fraud, but more information is required to establish the attackers’ precise motivation.
The targets are fastidiously chosen and the finest way the phishing emails were sent would allow correspondence between the victims and attackers. One possibility is that the attackers had been making an attempt to compromise car dealerships and use their infrastructure and information to gain access to secondary targets like bigger suppliers and producers. That could be helpful for BEC (Business, Email Compromise) frauds or industrial espionage.
The social engineering attracted our attention, like how the risk actors selected the businesses to impersonate, additionally the phrasing of the emails and the connected documents. This sort of assault is all about convincing the recipient of the authenticity of the lure. Gaining entry to a quantity of victims at the identical time offers a major advantage to the attacker.

Check Point customers are protected against this attack.

Appendix – IoC

Domains:

1.autohous-lips[.]de2.fiat-amenn[.]de3.autohuas-hesse[.]de4.fa-automobilie[.]de5.yereto[.]de6.bundauto[.]com7.car-place-rhienland[.]de8.autozantrum-cloppenburg[.]de9.cramer-schmits[.]de10.kfzrieter[.]de11.weissner-tuning[.]de12.autohaus-buschgbr[.]de13.auto-viotel[.]de14.lm-classiccars[.]de15.auto-centers[.]eu16.autohuas-e-c[.]de17.groupschumecher[.]com18.caravan-spezialistan[.]de19.ostgotahusbilsuthynring[.]de20.eh-loc[.]de21.autohaus-landharr[.]de22.atlasautomobiles[.]de23.skode-auto[.]de24.autohause-meissner[.]de25.auto-kerl-gmbh[.]de26.autohausnords[.]com27.sueverkreup[.]de28.asa-automobilie[.]com29.autohaus-schreoter[.]info30.autoland-ls[.]de31.carnextauction[.]com32.timachinary[.]nl33.rommacaravanservice[.]nl34.carnextauction[.]com35.stopke-essen[.]de36.globel-auto[.]de37.auto-falkanhahn[.]de38.bornagroup[.]ir39.Turbocell[.]irHashes

File nameHasha-p.exe328a984d512e3083df9d93b427b6967caz.exe10aa6a55a4f15064eb4a88278c41adbfa.exe f33c2dfe37ffdb2d91f8e1d.exef52e56a246eed27f5aadb3260af1c340s.exe9e342a138b0c75165b98fb21f2f8db3dd-clouded.exe27429d579a6cbe009e08c2c61ede96eft.exea3ae5849d97598b908935a7d02757b4ba.exe43d590ddfe558c1c103b2f2c6cc18d87