Security specialists from Check Point Software Technologies have come across a cyber attack campaign, running for about a year, that targeted German car dealerships and manufacturers while using their identities as a cover. The goal of the attacks was to use various types of malware to steal information. The actors behind the campaign initially registered several similar-looking domains, all of which imitated existing German car dealerships. The domains were later used to send phishing emails and host the malware infrastructure. Check Point traced the malware and came across an Iranian website that was being used as a hosting site and was not run by a government.
The attackers first set up mail servers under their own domains and used them to send emails. These were meant to attract attention by pointing to various car offers. To the emails, they attached documents such as contracts and receipts related to the alleged deals. These "documents" were in fact HTA files, archived inside ISO/IMG disk images. Once a victim opened one, the HTA downloaded malware and executed it on the target's computer to steal information.
The identity of the masterminds behind the attack in this case is not clear. Check Point Research found some links to Iranian non-state organizations. But it is unclear if these were legitimate websites that were compromised or if there is a deeper connection to this operation.
Example of a malicious email:
An email sent from kontakt@autohous-lips[.]de poses as an existing company with the actual domain name autohaus-lips[.]de. For a non-German speaker, it is no easy task to formulate a convincing email, contract or receipt that appears authentic to a native speaker. Many attacks can already be detected at this stage and fail at the "social engineering" hurdle.
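As an added example (not Check Point's code or tooling), the following Python triage checks a message for the two signals described above: a sender domain that sits within a small edit distance of a trusted partner domain, and an attachment that is an ISO/IMG disk image of the kind used to carry the HTA. The trusted-domain list and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


DISK_IMAGE_EXT = (".iso", ".img")  # containers the campaign used for its HTA files


def lookalike_domain(sender: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain the sender domain imitates, or None."""
    domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= 2:
            return t
    return None


def triage(raw: bytes, trusted: List[str]) -> Dict[str, object]:
    """Parse a raw RFC 822 message and flag lookalike sender / disk-image attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    imitated = lookalike_domain(str(msg["From"]), trusted)
    disk_images = [p.get_filename() for p in msg.iter_attachments()
                   if (p.get_filename() or "").lower().endswith(DISK_IMAGE_EXT)]
    return {"imitates": imitated, "disk_images": disk_images,
            "suspicious": imitated is not None or bool(disk_images)}


# Constructed sample message modelled on the lure described in the article (assumption).
SAMPLE = b"""From: Autohaus Lips <kontakt@autohous-lips.de>
To: einkauf@example.de
Subject: Kaufvertrag
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Anbei der Vertrag.
--b1
Content-Type: application/octet-stream; name="Kaufvertrag.iso"
Content-Disposition: attachment; filename="Kaufvertrag.iso"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
TRUSTED = ["autohaus-lips.de"]  # assumed list of known partner domains
```

Run `triage(SAMPLE, TRUSTED)` to see both signals fire on the constructed message; inspecting the contents of the ISO itself would need an additional disk-image library.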
Fake car dealer page
"We have discovered a targeted attack on German companies, mainly car dealers. The attackers are using an extensive infrastructure designed to impersonate existing German businesses," notes Yoav Pinkas, security researcher at Check Point Software. "The attackers use phishing emails with a combination of ISO\HTA credentials that infect victims with various malware programs and steal information when opened. We do not have conclusive evidence of the attackers' motivation, but we believe it was about more than just grabbing credit card data or personal information. The targets were carefully selected, and the way the phishing emails were sent allowed for correspondence between the victims and the attackers. One possibility is that the attackers were trying to compromise car dealerships and use their infrastructure and data to gain access to secondary targets such as larger suppliers and manufacturers. This would be useful for BEC (Business Email Compromise) fraud or industrial espionage."
One of the ways the experts were able to identify this was by analyzing the design and choice of words in the mail traffic: "Social engineering caught our attention, such as how the threat actors selected the companies they were impersonating, as well as the wording of the emails and attached documents. This type of attack is all about convincing the recipient that the bait is genuine. Simultaneous access to multiple victims gives the attacker a significant advantage. For example, if two of your subcontractors independently report on a topic they already know about or a conversation the targets have had with them, it lends much greater credibility to their request." Check Point has published full details on the Info Stealer campaign in this blog post.