An unknown threat actor suspected to be in Poland has been targeting auto dealerships in a social engineering campaign. Here’s what we know.
The threat actor contacts the auto dealership’s sales team by email, stating they are interested in buying a vehicle, and provides a malicious link. If a recipient interacts with the link, it downloads a malicious VBScript.
Nuspire was able to obtain a sample of the VBScript and analyze its behavior. If the script is executed, it modifies the victim PC’s browser phishing filter, installs Remcos malware, and detects storage devices and attempts to interact with them, likely to execute ransomware.
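One way to hunt for the behavior described above in endpoint telemetry, as an added example that is not Nuspire's code: it flags a script host running a .vbs file from a download or temp path, and the same process writing to a phishing-filter registry key. The Sysmon-style field names, the `Host` field, the path heuristics and the `PhishingFilter` key name are assumptions; the advisory does not name the registry key or file paths involved.

```python
import re

# Script hosts that run VBScript on Windows.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed heuristic: a .vbs path under a user-writable download or temp location.
VBS_USER_PATH = re.compile(r'\\(downloads|temp|inetcache)\\[^"]*\.vbs\b', re.I)
# Assumption: the phishing-filter setting lives under a key named PhishingFilter.
PHISHING_FILTER_KEY = re.compile(r"\\PhishingFilter(\\|$)", re.I)


def is_script_host(image):
    return image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS


def triage(events):
    """Return {(host, pid): sorted reasons} for suspicious script-host activity."""
    findings = {}
    for ev in events:
        if not is_script_host(ev.get("Image", "")):
            continue
        key = (ev["Host"], ev["ProcessId"])
        if ev["EventID"] == 1 and VBS_USER_PATH.search(ev.get("CommandLine", "")):
            findings.setdefault(key, set()).add("vbs_from_user_path")
        elif ev["EventID"] == 13 and PHISHING_FILTER_KEY.search(ev.get("TargetObject", "")):
            findings.setdefault(key, set()).add("phishing_filter_modified")
    return {k: sorted(v) for k, v in findings.items()}


def severity(reasons):
    # Both behaviors from one process match the chain described in the advisory.
    return "high" if len(reasons) == 2 else "medium"


# Constructed sample events (not taken from the analyzed sample).
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "SALES-PC1", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\sales\Downloads\offer.vbs"'},
    {"EventID": 13, "Host": "SALES-PC1", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-0\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9"},
    {"EventID": 1, "Host": "IT-PC2", "ProcessId": 880,
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe "C:\Program Files\Admin\inventory.vbs"'},
]

if __name__ == "__main__":
    for (host, pid), reasons in triage(SAMPLE_EVENTS).items():
        print(host, pid, severity(reasons), reasons)
```

The administrative script on IT-PC2 is not flagged because it runs from a non-user-writable path and touches no phishing-filter key.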
Indicators of compromise (IOCs) are pieces of data that indicate a potential attack. Here are the specific IOCs for this social engineering campaign:
The victims of known attacks reside in Germany, Slovakia, Hungary and the Czech Republic. While there is no known U.S.-focused campaign as of writing, these tactics could easily be applied, so it’s important that auto dealerships stay vigilant.
Nuspire is actively threat hunting client environments for indications of compromise, and will continue to report on any new developments to help you stay ahead of these types of attacks.
Nuspire recommends auto dealerships do the following to protect themselves from these types of social engineering campaigns: