The attack campaign started in early August and targeted rental, insurance, transport and secondary market businesses for commercial and agricultural vehicles.
The attackers distributed their malware program through spear-phishing emails claiming to originate from a company called Technik Automobile that was seeking to acquire used and pre-owned vehicles. The emails contained an attachment that was supposedly a list of vehicles, but in fact contained an installer for a Trojan program called Carbon Grabber.
Carbon Grabber is capable of stealing log-in credentials for various Web services, including online banking websites and internal Web applications. It can also steal Microsoft Outlook credentials and use them to send emails on behalf of the victims.