SOC Prime Bias: Medium

04 Nov 2025 09:03

Remote Access, Real cargo: Cybercriminals Targeting Trucking and Logistics

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Digital Transformation of Cargo Theft

Cybercriminal groups are compromising trucking and logistics companies by delivering remote monitoring and management (RMM) tools to gain control of systems, then using the access to post fake freight loads, bid on shipments and steal physical cargo for financial gain.

Investigation

The threat cluster has been active since at least June 2025 and uses RMM products such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N‑able and LogMeIn Resolve. After initial access via compromised load‑board accounts or phishing emails, the actors perform network reconnaissance and deploy credential harvesters such as WebBrowserPassView. They then exploit industry workflows to post fraudulent loads and coordinate the theft. The campaign uses signed, legitimate RMM installers to evade detection and has been linked to prior activity delivering NetSupport and other stealers.

Mitigation

Organizations should restrict installation of unapproved RMM software, implement network detection rules for known RMM domains and signatures, block executable and MSI files delivered by email from external senders, enforce multi‑factor authentication for load‑board and email accounts, and provide user training to recognize phishing attempts.
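The email and network checks above can be expressed as a small correlation rule. The following Python is an added example, not SOC Prime's rule or code: it mirrors the filters described in the Simulation Execution section (subject containing "load", body referencing both ".exe" and ".msi") over constructed email-gateway and proxy records, and escalates when the recipient's host also fetched an executable or MSI URL. The field names and sample values are assumptions.

```python
import re

# Constructed sample events (not from the original page), shaped like
# normalized email-gateway and proxy records a SIEM might hold.
EMAIL_EVENTS = [
    {"id": "m1", "from": "carla@logistics.com", "to": "dave@logistics.com",
     "subject": "Load Confirmation - Action Required",
     "body": "Please review the load details and download tool.exe or tool.msi"},
    {"id": "m2", "from": "billing@logistics.com", "to": "dave@logistics.com",
     "subject": "Invoice 4411", "body": "Invoice attached as PDF."},
    {"id": "m3", "from": "ops@logistics.com", "to": "erin@logistics.com",
     "subject": "New load posted", "body": "See the load board for details."},
]
NET_EVENTS = [
    {"user": "dave@logistics.com", "url": "http://downloads.example.test/setup.msi"},
    {"user": "erin@logistics.com", "url": "https://loadboard.example.test/loads"},
]

# Matches a URL whose path ends in an executable or MSI installer.
EXEC_URL_RE = re.compile(r"\.(exe|msi)(\?|$)", re.IGNORECASE)


def suspicious_email(event):
    """Email filter from the page: subject mentions 'load' and the body
    references both '.exe' and '.msi'."""
    subject = event["subject"].lower()
    body = event["body"].lower()
    return "load" in subject and ".exe" in body and ".msi" in body


def exec_download_users(net_events):
    """Set of users whose proxy records show a fetch of an .exe/.msi URL."""
    return {e["user"] for e in net_events if EXEC_URL_RE.search(e["url"])}


def detect(email_events, net_events):
    """Return one alert per suspicious email. Severity is raised to 'high'
    when the recipient also downloaded an installer, which is the telemetry
    the simulated click is meant to produce."""
    downloaders = exec_download_users(net_events)
    alerts = []
    for ev in email_events:
        if not suspicious_email(ev):
            continue
        severity = "high" if ev["to"] in downloaders else "medium"
        alerts.append({"email_id": ev["id"], "sender": ev["from"],
                       "recipient": ev["to"], "severity": severity})
    return alerts
```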

Response

If a compromise is detected, isolate the affected endpoints, revoke compromised credentials, remove unauthorized RMM agents, conduct forensic analysis to identify C2 infrastructure, and notify law enforcement and insurance providers. Review and harden load‑board account security and monitor for fraudulent load postings.

Attack Flow

Simulation Instructions

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:
    An adversary has compromised the email account of a senior logistics manager (“carla@logistics.com”). To maximize delivery success, the attacker replies to an existing thread about a recent shipment (“load confirmation”) and inserts a malicious link that points to an executable installer for a Remote Monitoring and Management (RMM) tool. The subject line deliberately contains the word “load” to satisfy the rule’s subject filter. When the recipient clicks the link, the network connection logs show an outbound HTTP request to a malicious domain serving .exe and .msi payloads.

    1. Compose malicious email (subject includes “load”, body contains both “.exe” and “.msi” strings).
    2. Send via the compromised account.
    3. Optionally, simulate the click by invoking Invoke-WebRequest from the victim machine to generate the network connection telemetry.
  • Regression Test Script:

    <# 
    Simulation script for T1219 / T1566.001.
    Steps:
      1. Send malicious email with required strings.
      2. (Optional) Simulate a click to generate network traffic.
    #>
    
    # ==== 1. Send malicious email ====
    $smtpServer = "smtp.mycompany.com"
    $from       = "carla@logistics.com"
    $to         = "dave@logistics.com"
    $subject    = "Load Confirmation – Action Required"
    $body       = @"
    Hi Dave,
    
    Please review the updated load details and download the latest processing tool: