Small and medium companies in the European automobile sector have been targeted by cybercriminals using a relatively new piece of malware, according to a recent report.
Symantec, which revealed the existence of the campaign last week, noticed the attacks on August 3. In the following days, the attackers sent malicious emails purporting to come from a German company called Technik Automobile GMBH (which doesn’t really exist) to businesses in the automotive aftermarket, and various firms that provide rental services, car insurance, and commercial transport services.
The emails sent out by the attackers instruct recipients to send a list of “used and pre-owned vehicles urgently.” They also point to an attached file that allegedly contains a list of urgently required vehicles. The attached file (TechnikAutomobileGMBH.pdf.zip) is actually a variant of Carbon Grabber, which Symantec detects as Infostealer.Retgate.
Carbon Grabber, which emerged on hacker forums earlier this year, is designed to capture usernames and passwords from webpages in Chrome, Firefox and Internet Explorer. In July, someone claiming to be the original developer of the crimeware kit said that the individual who had sold Carbon Grabber up to that point was extradited. However, he announced that the project would not be discontinued.
In the campaign monitored by Symantec, the malicious file is designed to decrypt a different executable file from its body and inject code into the processes of Web browsers and Microsoft Outlook.
“The malware hooks the browser APIs, allowing it to steal information before it is encrypted and sent out to the network. Stolen information may include the user name and password for Outlook and information entered by the user when using a website to log into services such as online banking or internal Web applications for example. The stolen information is then sent to the command-and-control server,” Symantec’s Lionel Payet explained in a blog post.
The campaign mainly targets companies located in Germany (38%), the Netherlands (31%), Italy (24%) and the United Kingdom (7%). While 48% of the victims are part of the automobile industry, companies in sectors like public services, charity, financial, energy, research, housing, telecom and tourism have also been targeted.
The attackers are sending the malicious emails to the customer service departments of the targeted companies, most likely because these departments have a high level of access within the organization’s network in order to carry out administrative and financial tasks.
“It is yet to be confirmed if the criminals behind the Technik Automobile spam campaign are purely financially motivated. One thing we know for sure is that if the attack is successful, the cybercriminals will have a foothold in the victim’s business,” Payet said.
It’s not surprising that companies in the automotive industry are increasingly targeted, considering that it’s a rich sector. However, corporate networks are not the only element that needs to be protected against cyberattacks. Recently, numerous security researchers have warned that the computer systems powering modern cars can be hacked. Earlier this month, a group of researchers even sent a letter to the CEOs of car manufacturers, asking them to incorporate cybersecurity safeguards into their products.