Malware Continues to Attack German Car Industry for Nearly a Year

A long-running malware campaign targeting German auto manufacturing companies has been revealed in a report by Check Point researchers.

The targets included several German automakers and car dealers, and the attackers registered multiple similar domains for use in the attack by cloning the legitimate sites of companies in the field.

These sites are used to send phishing emails written in German and host malware payloads that are downloaded to target systems.

According to the report, the attack campaign started around July 2021 (and possibly March) and is still ongoing.

Target the German Automotive Industry

A malware infection chain begins with an email sent to a specific target containing an ISO disk image file that bypasses many internet security controls.

The archive in turn contains an HTA file that contains JavaScript or VBScript code that is executed via HTML smuggling.

Malware Infection Chain

This is a technique that is used regularly by hackers of all skill levels, from “script kiddies” who rely on automated toolkits to state hackers who deploy custom backdoors.

When the victim sees the decoy document opened via the HTA file, malicious code runs in the background, fetching and launching the malware payload.

The security researchers noted: “We found multiple versions of these scripts, some triggering PowerShell code, some obfuscated, and others in plain text. They all download and execute various MaaS (Malware as a Service) information stealers. ”

The MaaS info stealers used in this campaign varied, including Raccoon Stealer, AZORult, and BitRAT. All three are available for purchase on cybercrime markets and darknet forums.

In later versions of the HTA file, run PowerShell code to change registry values ​​and enable content on the Microsoft Office suite. This eliminates the need for an attacker to trick receivers into enabling macros, reducing the payload drop rate.

Goals and Attribution

Check Point said the 14 targeted entities it has tracked for these attacks are all German organizations with some ties to the auto-manufacturing industry. However, no specific company names were mentioned in the report.

The info-stealing payload was hosted on an Iranian-registered site (“bornagroup[.]ir”), while the same email was used for phishing subdomains such as “groupschumecher[.]com”.

Threat analysts were able to find links to different phishing campaigns targeting Santander customers, verifying that the campaign’s website was hosted on an Iranian ISP.

Attacker’s Infrastructure

All in all, it’s very likely that Iranian threat actors orchestrated the campaign, but Check Point doesn’t have enough evidence to prove its attribution.

Finally, regarding the targeting of the campaign, it is likely industrial espionage or BEC (commercial email compromise) against these companies or their customers, suppliers and contractors.


Today, businesses of all sizes across all industries face the growing threat of ransomware attacks. Storage systems may seem to have little to do with an organization’s cybersecurity posture and policies, but it just might be the best defense. Some features and components of virtual machine backup, such as easy-to-manage, cost-effective, and storage-friendly, make it essential to protect sensitive data from ransomware attacks, helping to create unbreakable cloud storage for enterprise data centers and effectively prevent ransomware attack. Most common used VM backup solution includes VMware Backup, Xenserver Backup, oVirt Backup and so on.

Explore more

Books on Cryptocurrencies and Blockchain Technology Worth Reading

Books on Cryptocurrencies and Blockchain Technology Worth Reading

You're diving into cryptocurrencies and blockchain technology, and these books are essential. 'Mastering Bitcoin' by Andreas M. Antonopoulos offers deep technical insights on Bitcoin's...
Office Desk

How to Personalize Your Office Desk for Comfort and Efficiency

Personalizing your office desk is essential for creating a workspace that enhances both comfort and efficiency. An organized and well-designed desk can boost productivity,...

Prune Trees, Shrubs, And Flowers For Healthy Growth

Pruning is essential. It helps flowers, shrubs, and trees stay healthy and shaped. All plants need pruning at the right time. The ideal seasons...

One Click Away: Why You Should Buy Travel Insurance Online

We live in a world where convenience is given the most importance, whether it is a product or service. As the world moves towards...
Summer Survival

Summer Survival Guide: How to Stay Cool and Comfortable

With summer just around the corner, it’s safe to say that the days will become warmer as temperatures start to rise. It may seem...

How to Hire a General Contractor: Checklist and Tips

By Hovik Akopyan, General Contractor at Akopi Builders Introduction When embarking on a construction project, whether it’s a new build or a major renovation, the decision...

Cryptocurrency Security: Shielding Your Digital Fortune

Embark on a journey to fortify your digital wealth in the realm of cryptocurrencies. From the rise of digital currencies to the evolving landscape...
5 Reasons Why You Should Hire A Roofing Company 

5 Reasons Why You Should Hire A Roofing Company 

When it comes to maintaining the integrity and longevity of your home, the importance of a sturdy, well-maintained roof cannot be overstated. However, problems...