EXECUTIVE SUMMARY
A highly organised threat actor has been observed using a combination of remote access tools and a previously unknown signing-as-a-service capability to maintain persistent access to compromised systems. This actor has targeted transportation organisations, specifically load board platforms and freight brokerage systems, in an attempt to facilitate cargo theft and freight fraud. The attacker's reconnaissance activities focused on identifying financial access, including banking, accounting, and payment platforms, as well as transportation-related entities such as fuel card services and fleet payment platforms.
The malware infects systems through email attachments or malicious payloads, which are then used to install remote management tools such as ScreenConnect and Pulseway. Once inside, the attacker uses these tools to establish persistence, perform reconnaissance, and harvest credentials. The attacker's use of a signing-as-a-service capability allows them to evade detection and suppress security warnings, making it difficult for organisations to detect the threat.
The malware also uses PowerShell automation to scan for browser-extension and desktop cryptocurrency wallets, and exfiltrates positive findings to attacker-controlled Telegram bots. Organisations in the transportation and logistics sectors are particularly vulnerable to this threat and must take immediate action to protect themselves. This includes monitoring for suspicious PowerShell activity, abnormal browser telemetry, and unauthorised remote management tools. Organisations should also ensure that their systems are up to date with the latest security patches and that they have robust backups in place. Finally, organisations should consider implementing additional security measures, such as endpoint protection and security information and event management (SIEM) tools, to help detect and prevent this type of threat.
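The three behaviours the summary says to monitor for (PowerShell wallet and browser-extension enumeration, script interpreters talking to Telegram bot infrastructure, and remote management tools that IT did not sanction) can be expressed as simple detection rules. The following is an added example written for this advisory, not code from the report or from any of the referenced vendors: it runs a small rule set over constructed sample events. The event schema, host names, file paths, the wallet product names in the regex and the "approved RMM hosts" list are all assumptions; api.telegram.org is the public Telegram Bot API host.

```python
"""Added illustrative detection rules for the behaviours described in the summary.
Event schema, sample values and the approved-host list are constructed assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Paths a wallet-hunting script would touch. Product names are assumed examples,
# not indicators taken from the report.
WALLET_RE = re.compile(
    r"local extension settings|\\exodus\b|\\electrum\b|\\atomic wallet\b|\\metamask\b|wallet\.dat",
    re.IGNORECASE,
)
SCRIPT_INTERPRETERS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
TELEGRAM_API_HOSTS = ("api.telegram.org",)
RMM_NAME_RE = re.compile(r"screenconnect|pulseway", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.IGNORECASE)
APPROVED_RMM_HOSTS = {"wks-02"}  # assumed: hosts where IT sanctions the RMM agent

# Constructed sample telemetry: 'script' ~ PowerShell script block text,
# 'proc' ~ process creation, 'net' ~ outbound network connection.
SAMPLE_EVENTS = [
    {"kind": "script", "host": "wks-01",
     "text": "Get-ChildItem \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\" -Recurse"},
    {"kind": "script", "host": "wks-01",
     "text": "Test-Path \"$env:APPDATA\\Exodus\"; Test-Path \"$env:APPDATA\\Electrum\\wallets\""},
    {"kind": "net", "host": "wks-01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"kind": "proc", "host": "wks-01", "user": "jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"kind": "proc", "host": "wks-02", "user": "SYSTEM",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client (abc)\\ScreenConnect.WindowsClient.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"kind": "script", "host": "wks-02", "text": "Get-Process | Where-Object CPU -gt 100"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Apply the three rules to a list of events and return the findings in order."""
    findings = []
    for ev in events:
        kind, host = ev["kind"], ev["host"]
        if kind == "script" and WALLET_RE.search(ev["text"]):
            findings.append(Finding(host, "ps_wallet_enum", ev["text"][:60]))
        elif (kind == "net" and basename(ev["image"]) in SCRIPT_INTERPRETERS
              and ev["dest_host"].lower() in TELEGRAM_API_HOSTS):
            findings.append(Finding(host, "script_to_telegram",
                                    f"{basename(ev['image'])} -> {ev['dest_host']}:{ev['dest_port']}"))
        elif kind == "proc" and RMM_NAME_RE.search(basename(ev["image"])):
            # An RMM binary is only a finding when something about it is off:
            # unexpected host, user-writable location, or a scripting parent.
            reasons = []
            if host not in APPROVED_RMM_HOSTS:
                reasons.append("host not approved for RMM")
            if USER_WRITABLE_RE.search(ev["image"]):
                reasons.append("binary in user-writable path")
            if basename(ev.get("parent", "")) in SCRIPT_INTERPRETERS:
                reasons.append("spawned by scripting interpreter")
            if reasons:
                findings.append(Finding(host, "unsanctioned_rmm", "; ".join(reasons)))
    return findings


def correlate(findings, min_rules=2):
    """Hosts that trip at least `min_rules` distinct rules, for escalation."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.host:8} {h.rule:20} {h.detail}")
    print("escalate:", correlate(hits))
```

The sanctioned ScreenConnect client on wks-02 (installed under Program Files, started by the service control manager) produces no finding; the same product dropped into a Temp directory by PowerShell on an unapproved host does. Correlating distinct rule hits per host is what separates one noisy script block from the full chain the summary describes.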
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1083 | File and Directory Discovery | — |
| Reconnaissance | T1018 | Remote System Discovery | — |
| Initial Access | T1566 | Phishing | — |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1219 | Remote Access Software | — |
| Persistence | T1133 | External Remote Services | — |
| Defense Evasion | T1553.002 | Subvert Trust Controls | Code Signing |
| Defense Evasion | T1218 | System Binary Proxy Execution | — |
| Defense Evasion | T1036 | Masquerading | — |
| Defense Evasion | T1112 | Modify Registry | — |
| Credential Access | T1555 | Credentials from Password Stores | — |
| Credential Access | T1003 | OS Credential Dumping | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1518 | Software Discovery | — |
| Collection | T1005 | Data from Local System | — |
| Collection | T1213 | Data from Information Repositories | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Lateral Movement | T1021 | Remote Services | — |
REFERENCES:
The following reports contain further technical details:
https://www.proofpoint.com/us/blog/threat-insight/beyond-breach-inside-cargo-theft-actors-post-compromise-playbook
https://www.govinfosecurity.com/freight-hacker-wields-code-signing-service-to-evade-defenses-a-31433