Weekly 2018 Motor Vessel (MV) & Motor Tanker (MT) Impersonation

Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver them.  Users should never click on or download any attachments or links in suspicious emails.

Significant Vessel Keys Words:


merchant tanker


merchant vessel


motor yacht


very large crude carrier


ultra large crude carrier


research vessel


floating production storage & offloading


Figure 1.  Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.

Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection.

Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from February 12, 2019 to February 19, 2019.


First Seen


Subject Line Used


Malware Detections


Sending Email



February 13th 2019

[SYMSCO] D02011009M - ( M/V Not Specified )

Avast - Win32:Trojan-gen

Avira - TR/Dropper.MSIL.tffrh

Panda - Trj/GdSda.A

BitDefender -Trojan.GenericKD.31684006

Sophos - Troj/MSIL-MBE

DrWeb - Trojan.Fbng.8

F-Secure -Trojan.TR/Dropper.MSIL.tffrh

GData - Trojan.GenericKD.31684006

Max Yim <>

February 13th 2019

[SYMSCO] D02011009M - ( M/V Not Specified )


MAX - malware (ai score=82)

F-Prot -W32/MSIL_Agent.EA.gen!Eldorado

Sophos - Troj/MSIL-MBE

Panda - Trj/GdSda.A

Microsoft -Trojan:Win32/Tiggre!plock

BitDefender -Trojan.GenericKD.31684006\

DrWeb - Trojan.Fbng.8

Antiy-AVL -VCS[Warning]/Email.Agent.1

Max Yim <>

** though the M/V is not specificed, spoofed senders and targets were identified.   Analysts believe SYMSCO is a typo-sqat of SYSCO, a food distributor.  SYSCO has a division called International Food Group that is an export specialty division; IFG delivers expertise in products: ... Freight Management & Freight Forwarding Services; Maritime Insurance Coverage

About Wapack Labs

Wapack Labs, located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.  For questions or comments regarding this report, please contact the lab directly by at 1-844-492-7225, or

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance