Cyber Incident Victim: LES Automotive
Date: Apr 2024
Location: United States of America
Summary
A supply chain attack compromised a third-party video service used by over 100 auto dealerships, injecting malicious JavaScript into their websites. Visitors were redirected to a fraudulent ClickFix webpage mimicking reCAPTCHA verification, which tricked users into executing PowerShell commands that downloaded and executed SectopRAT malware. The attack employed dynamic payload injection to evade detection, with obfuscated scripts containing Russian-language comments and leveraging compromised domains for redirection. The malware deployment involved fetching ZIP archives from attacker-controlled servers, ultimately enabling remote access through the trojan. LES Automotive, the compromised service provider, reportedly remediated the issue after detection.
Description
The supply chain attack impacting over 100 auto dealerships originated from the compromise of LES Automotive, a third-party video service provider whose JavaScript integration (les_video_srp.js) was embedded across dealership websites. Attackers modified this script to dynamically inject malicious code that redirected visitors to a fraudulent CAPTCHA verification page hosted on compromised infrastructure (deliveryoka.com/webservice_ionic/captchav2.html). This page, active since at least April 2024 based on file timestamps, employed a ClickFix social engineering tactic by instructing users to prove they were not robots. Victims clicking the checkbox triggered a script that copied a malicious PowerShell command to their clipboard, disguised as part of the verification process. The script contained a Russian-language comment (“Очистите предыдущий таймаут” / “Clear the previous timeout”), suggesting potential actor origins. The attack selectively served malicious payloads, with most URLscan.io inspections showing benign scripts, indicating dynamic targeting or evasion measures.

The PowerShell command executed a base64-encoded script that downloaded additional payloads from attacker-controlled domains (bitly.cx, main-login.sbs), ultimately retrieving a ZIP archive (Lancaster.zip) containing the SectopRAT remote access trojan. This malware established communication with a command-and-control server (92.255.85.36:9000) post-execution. Security researchers identified the attack through URLscan.io transactions revealing the malicious script injections and sandbox analysis (Triage) confirming SectopRAT’s presence with a maximum threat score. LES Automotive remediated the compromise, halting further infections. The incident exemplified the ClickFix technique’s escalation, previously documented by HHS in October 2024 as a tool of Russian-speaking threat actors and observed in parallel campaigns against the hospitality sector. Over 100 dealerships were confirmed affected, with visitors subjected to malware installation attempts during the compromise window.
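The chain described above leaves a recognisable trace on the victim host: a PowerShell process spawned by explorer.exe (the Run dialog the victim pastes into), carrying a hidden-window switch and a base64 UTF-16LE encoded command that references the staging domains. The following Python is an added detection illustration, not tooling from the incident record or from any of the parties named in it. The indicator list is taken from the description above; the event records are constructed stand-ins for flattened Sysmon Event ID 1 / Security 4688 process-creation fields, and the encoded payload text is an inert placeholder that merely contains one of the quoted domains.

```python
"""Triage process-creation events for ClickFix-style PowerShell execution.

Added example for this incident record (not the source's own code). Event
shape and sample records are constructed; indicators come from the record.
"""
import base64
import re

# Indicators quoted from the incident description (lower-cased for matching).
KNOWN_INDICATORS = (
    "deliveryoka.com",
    "bitly.cx",
    "main-login.sbs",
    "92.255.85.36",
    "lancaster.zip",
)

# powershell.exe accepts abbreviated switches, so -e, -ec, -enc and
# -encodedcommand all introduce a base64 payload; -ep / -exec do not match.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_SWITCH = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand text (UTF-16LE base64), or None."""
    match = ENCODED_SWITCH.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event):
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd) or ""

    is_powershell = image.endswith(("powershell.exe", "pwsh.exe"))
    if is_powershell and parent.endswith("explorer.exe"):
        # A Win+R paste makes explorer.exe the parent; scripts and shells usually do not.
        reasons.append("powershell spawned by explorer.exe (Run-dialog paste pattern)")
    if is_powershell and ENCODED_SWITCH.search(cmd):
        reasons.append("encoded command")
    if is_powershell and HIDDEN_SWITCH.search(cmd):
        reasons.append("hidden window")
    # Check both the raw command line and the decoded payload for indicators.
    haystack = (cmd + " " + decoded).lower()
    for ioc in KNOWN_INDICATORS:
        if ioc in haystack:
            reasons.append(f"known indicator: {ioc}")
    return reasons


def triage(events):
    """Map the id of every suspicious event to its list of reasons."""
    findings = {}
    for event in events:
        reasons = triage_event(event)
        if reasons:
            findings[event["id"]] = reasons
    return findings


# Constructed, inert payload text: only a string assignment naming one of the
# domains from the record, so the sample never performs a download.
_PAYLOAD_TEXT = '$u = "http://main-login.sbs/PLACEHOLDER"'
_PAYLOAD_B64 = base64.b64encode(_PAYLOAD_TEXT.encode("utf-16le")).decode("ascii")

# Constructed sample events (hypothetical hosts; not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell -w hidden -enc {_PAYLOAD_B64}"},
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -File C:\scripts\backup.ps1"},
    {"id": 3, "parent_image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```

Only event 1 is flagged, on all four grounds; the scheduled backup script in event 2 runs PowerShell but matches none of the patterns. In production the same logic would be fed from an EDR or SIEM export, and the explorer.exe-parent check is the one worth tuning first, since it is the signal that survives when the indicators and domains change.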
