German Manufacturing Under Phishing Attacks - Tracking a Stealthy AsyncRAT Campaign
Manufacturing companies have quietly become one of the most hunted species in the modern threat landscape. Manufacturing is among the top industries targeted by ransomware groups and advanced campaigns, often with region-specific lures. Attackers continue to favor invoice-themed and supplier-related emails, carefully localized to increase trust and click-through rates in manufacturing environments.
A specific case revealed a sophisticated and targeted approach. This attack leveraged the brand of a popular software provider in Germany, indicating specific targeting of German companies. What made this case particularly noteworthy was the combination of three elements: exploitation of a recently disclosed vulnerability, simultaneous deployment of two Remote Access Trojans (RATs), AsyncRAT and XWorm, and highly convincing social engineering. The attack targeted a German construction and engineering services company through a carefully crafted phishing email. The sender display name spoofed a legitimate company, “COMPANY_NAME eG”, while the actual sending address used a German domain (g.bader-gmbh@gmx[.]de) for additional authenticity. The email content was designed as an invoice notification from COMPANY_NAME, complete with a document number, a date and a professional design to appear legitimate. A malicious link embedded in the message redirected victims to Dropbox, where a file named “COMPANY_NAME -Rechnung Nr. 21412122025.pdf.zip” awaited download.
Obfuscation techniques included a double file extension (.pdf.zip) to disguise the true file type, and the archive contained “COMPANY_NAME-Rechnung Nr. 21412122025.pdf.url”, a Windows Internet Shortcut file masquerading as a PDF. At the time of analysis, this file was flagged as malicious by only one vendor on VirusTotal, suggesting a fresh sample designed to bypass traditional security controls. The attack leveraged CVE-2024-43451, a vulnerability that enables an automatic WebDAV connection without the .url file actually being opened: during archive processing or interaction with the attachment, the system connects to a remote resource on its own. Launching this file triggered the subsequent attack stages, resulting in XWorm and AsyncRAT deployment. Notably, similar WebDAV-based techniques exploiting this vulnerability have been observed in APT activity, confirming this as a well-established attack pattern.
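The two file-level tells described above, a decoy double extension and a shortcut file that points at a remote WebDAV-style path, can be checked at the mail gateway or sandbox before anything is launched. The following triage helper is an added example written for this summary, not code from ANY.RUN or from the article: it unpacks a ZIP in memory, flags members whose name ends in a document extension followed by a non-document one, parses any .url member and reports fields that reference an off-host resource. The sample archive it builds is constructed for the demonstration (the target host is a TEST-NET placeholder address, not an indicator from the campaign), and the remote-path heuristics (UNC prefix, DavWWWRoot, @port/@SSL) are general WebDAV conventions rather than anything specific to this case.

```python
"""Triage helper: flag archive members that mimic documents but are Windows
Internet Shortcut (.url) files pointing at remote / WebDAV-style resources.
Added example; sample data below is constructed, not from the campaign."""
import io
import re
import zipfile

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
SHORTCUT_EXTS = {".url", ".lnk"}
# .url fields that can make the Windows shell touch a remote location.
REMOTE_KEYS = ("URL", "IconFile", "WorkingDirectory")
# Remote targets: UNC share, protocol-relative, http(s)/ftp, or a file://
# URL that is NOT a local drive path such as file:///C:/...
REMOTE_PATTERN = re.compile(
    r"^(?:\\\\|//|https?://|ftp://|file://(?!/?[a-z]:))", re.IGNORECASE)
# Generic WebDAV conventions used by the Windows shell (heuristic only).
WEBDAV_HINT = re.compile(r"DavWWWRoot|@SSL|@\d+", re.IGNORECASE)
# An extension is 1-5 alphanumerics after a dot at the end of the name.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})$")


def split_extensions(name):
    """Peel trailing extension-like suffixes: 'a.pdf.url' -> ['.pdf', '.url'].
    Dots followed by spaces ('Nr. 2141...') are not treated as extensions."""
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    suffixes = []
    while True:
        m = EXT_RE.search(base)
        if not m:
            return suffixes
        suffixes.insert(0, "." + m.group(1).lower())
        base = base[:m.start()]


def has_decoy_double_extension(name):
    """True when a document suffix is followed by a non-document one."""
    s = split_extensions(name)
    return len(s) >= 2 and s[-2] in DOCUMENT_EXTS and s[-1] not in DOCUMENT_EXTS


def parse_url_shortcut(text):
    """Parse the [InternetShortcut] section of a .url file into a dict."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def remote_references(fields):
    """Return (key, value, webdav_like) for fields that point off-host."""
    hits = []
    for key in REMOTE_KEYS:
        value = fields.get(key, "")
        if REMOTE_PATTERN.match(value):
            hits.append((key, value, bool(WEBDAV_HINT.search(value))))
    return hits


def scan_archive(data):
    """Triage every member of a ZIP (bytes); returns a list of findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            suffixes = split_extensions(name)
            f = {"member": name,
                 "double_extension": has_decoy_double_extension(name),
                 "shortcut": bool(suffixes) and suffixes[-1] in SHORTCUT_EXTS,
                 "remote_refs": []}
            if suffixes and suffixes[-1] == ".url":
                text = zf.read(info).decode("utf-8", errors="replace")
                f["remote_refs"] = remote_references(parse_url_shortcut(text))
            f["suspicious"] = (f["double_extension"] or f["shortcut"]
                               or bool(f["remote_refs"]))
            findings.append(f)
    return findings


def build_sample_archive():
    """Constructed sample mirroring the lure's layout. The host 192.0.2.10 is
    a TEST-NET placeholder, not an indicator from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("COMPANY_NAME-Rechnung Nr. 21412122025.pdf.url",
                    "[InternetShortcut]\r\n"
                    "URL=\\\\192.0.2.10@80\\DavWWWRoot\\placeholder\r\n"
                    "IconIndex=0\r\n")
        zf.writestr("Anschreiben.pdf", "%PDF-1.4 constructed benign placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

The extension splitter deliberately refuses to treat “Nr. 21412122025” as a suffix, which is why the lure name above still resolves to [".pdf", ".url"]; a naive split on every dot would mis-rank it. Any member with a remote reference in a .url field is worth quarantining regardless of the extension trick, since the page's point is that the connection can be triggered without the user opening the shortcut.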
Identifying one attack is only the beginning. Researchers found 35 analyses matching the specified search parameters, almost all uploaded starting November 4, confirming recent activity. Multiple instances showed Dropbox connections for ZIP archive delivery. In the industry and geography breakdown, Manufacturing remained one of the top targeted industries, with nearly two-thirds of executions occurring in Germany. The same core techniques appeared repeatedly: CVE-2024-43451, WebDAV abuse, AsyncRAT, and XWorm. A lookup for CVE-2024-43451 showed that most samples originate from the EU, with Germany accounting for roughly half of them. This case clearly showed that attacks using COMPANY_NAME-themed lures, WebDAV abuse and CVE-2024-43451 remain highly relevant for manufacturing companies, especially in Germany.
Instead of reacting to alerts after compromise, malware analysts can identify active campaigns targeting their industry and region, understand attacker techniques before they reach production, prioritize threats based on real-world repetition and relevance, and feed high-confidence indicators into detection and prevention systems.
To read the complete article see: https://any.run/cybersecurity-blog/german-manufacture-attack/