Social Engineering Campaign Targets Auto Dealerships: What You Need to Know

An unknown threat actor suspected to be in Poland has been targeting auto dealerships in a social engineering campaign. Here’s what we know.

How does the campaign work?

The threat actor contacts the auto dealership’s sales team through email communication and provides a malicious link stating they are interested in buying a vehicle. If interacted with, the link downloads a malicious VBScript.

Nuspire was able to obtain a sample of the VBScript and analyze its behavior. If the script is executed, it modifies the victim PC’s browser phishing filter, installs Remcos malware, detects storage devices and attempts to interact with them, likely to execute ransomware

What indicators of compromise (IOCs) were detected?

Indicators of compromise (IOCs) are pieces of data that indicate a potential attack. Here are the specific IOCs for this social engineering campaign:

Domains
mt-auto24[.]com

Hashes
MD5
c302b18cd4508dc3dcfa841946d1234a
SHA1
bbc06884c02a0abb961eb6d6a0419f2c9cbde529
SHA256
46a7411fa913d0e60234afcef86169d54c4cdecf3353485edaea14c6052a5fb0

IP Addresses
185[.]166[.]188[.]144
217[.]160[.]0[.]246

Where is this happening?

The victims of known attacks reside in Germany, Slovakia, Hungary and the Czech Republic. While as of writing, there is no known U.S.-focused campaign, these tactics could easily be applied, so it’s important auto dealerships stay vigilant.

What is Nuspire doing?

Nuspire is actively threat hunting client environments for indications of compromise, and will continue to report on any new developments to help you stay ahead of these types of attacks.

What should I do?

Nuspire recommends auto dealerships do the following to protect themselves from these types of social engineering campaigns:

• Provide your organization with end user awareness training, and make sure to focus on phishing, as that is the main tactic used in this campaign.
• Look into leveraging an EDR solution with behavior analysis and heuristics to detect malicious behavior and block it.