Malware Continues to Attack German Car Industry for Nearly a Year

A long-running malware campaign targeting German auto manufacturing companies has been revealed in a report by Check Point researchers.

The targets included several German automakers and car dealers, and the attackers registered multiple similar domains for use in the attack by cloning the legitimate sites of companies in the field.

These sites are used to send phishing emails written in German and host malware payloads that are downloaded to target systems.

According to the report, the attack campaign started around July 2021 (and possibly March) and is still ongoing.

Target the German Automotive Industry

A malware infection chain begins with an email sent to a specific target containing an ISO disk image file that bypasses many internet security controls.

The archive in turn contains an HTA file that contains JavaScript or VBScript code that is executed via HTML smuggling.

Malware Infection Chain

This is a technique that is used regularly by hackers of all skill levels, from “script kiddies” who rely on automated toolkits to state hackers who deploy custom backdoors.

When the victim sees the decoy document opened via the HTA file, malicious code runs in the background, fetching and launching the malware payload.

The security researchers noted: “We found multiple versions of these scripts, some triggering PowerShell code, some obfuscated, and others in plain text. They all download and execute various MaaS (Malware as a Service) information stealers. “

The MaaS infostealers used in this campaign varied, including Raccoon Stealer, AZORult, and BitRAT. All three are available for purchase on cybercrime markets and darknet forums.

In later versions of the HTA file, run PowerShell code to change registry values ​​and enable content on the Microsoft Office suite. This eliminates the need for an attacker to trick receivers into enabling macros, reducing the payload drop rate.

Goals and Attribution

Check Point said the 14 targeted entities it has tracked for these attacks are all German organizations with some ties to the auto-manufacturing industry. However, no specific company names were mentioned in the report.

The info-stealing payload was hosted on an Iranian-registered site (“bornagroup[.]ir”), while the same email was used for phishing subdomains such as “groupschumecher[.]com”.

Threat analysts were able to find links to different phishing campaigns targeting Santander customers, verifying that the campaign’s website was hosted on an Iranian ISP.

Attacker’s Infrastructure

All in all, it’s very likely that Iranian threat actors orchestrated the campaign, but Check Point doesn’t have enough evidence to prove its attribution.

Finally, regarding the targeting of the campaign, it is likely industrial espionage or BEC (commercial email compromise) against these companies or their customers, suppliers and contractors.


Today, businesses of all sizes across all industries face the growing threat of ransomware attacks. Storage systems may seem to have little to do with an organization’s cybersecurity posture and policies, but it just might be the best defense. Some features and components of virtual machine backup, such as easy-to-manage, cost-effective, and storage-friendly, make it essential to protect sensitive data from ransomware attacks, helping to create unbreakable cloud storage for enterprise data centers and effectively prevent ransomware attack. Most common used VM backup solution includes VMware Backup, Xenserver Backup, oVirt Backup and so on.