Back to the Future Malware and Ships

Cyber-Attacks and the Maritime Sector: Companies in the naval and maritime sector, and their associated infrastructure, continue to be vulnerable to cyber-attacks.  In recent years, security experts have observed a growing number of attacks carried out by different types of attackers, including cybercrime syndicates and nation-state actors.  On the morning of 20 September 2018, the Port of Barcelona was hit by a cyber-attack that forced the operators of the port’s infrastructure to fall back on their emergency manual procedures.  A few days later, computers at the Port of San Diego were infected with ransomware.  Both incidents disrupted port operations.

Attacks on the maritime sector are raising discussion about security for these types of critical infrastructure and undoubtedly reveal that ports and related maritime operations are vulnerable to cyber-attacks.  The increased use of computer systems for navigation, container inspection, and the design and manufacturing of vessels is exposing the maritime industry to cyber-threats.  Design centers, ships and safe navigation, satellite communication systems, tracking systems, marine radar systems and automatic identification systems are just a few examples of potential targets for attackers.

According to industry experts, the rapid and increasing convergence of IT and operational technology (OT) systems, along with the spread of connected devices, is exposing both navies and shipping companies to cyber-threats.  Bad actors launch cyber-attacks for the purpose of either espionage or sabotage.  To mitigate these threats, it is necessary to adopt a new model of cybersecurity based on threat intelligence and information sharing on cyber-threats.  The maritime sector is particularly exposed to disruption because of the role technology plays in global trade.

Many cyber-attacks have been carried out on commercial ships.  In one such incident, a commercial ship contracted to the US military was the victim of a cyber-attack attributed to suspected Chinese military APT-level hackers.  In 2012, China-linked hackers compromised “multiple systems” on a commercial ship that was on contract to US Transcom.  Throughout 2018, the China-linked APT group Leviathan, aka TEMP.Periscope, increased its attacks on engineering and maritime entities.  In November 2018, the top Australian defense firm Austal, which also works with the US Navy, suffered a serious security breach.  Unfortunately, many cyber-events in the maritime industry have remained undetected and thus unshared.  Businesses have been reluctant to reveal these incidents within their industry or to the public for fear of lost revenue.  Another worrisome aspect is that many organizations in the maritime industry are not conducting regular security assessments to evaluate their vulnerability to a cyber-attack.[1]

Case Study:
MartyMcFly Cyber-Espionage Campaign Targets the Italian Naval Industry

In 2018, malware researchers at the Yoroi security firm uncovered a targeted attack using the MartyMcFly malware[2] against one of the most important companies in the Italian naval industry.  The victim is one of the most important firms in Italy’s military-grade defensive naval ecosystem.  The investigation started after an email was sent to a certain office at this unnamed naval company.  The message asked for naval engine “spare part prices”.  The request appeared very legitimate, as it was written in perfect Italian and listed spare parts matching real engine parts.  The analyzed email presented two attachments to the victim:

  • A company profile, presenting the company that was asking for spare parts
  • A Microsoft Excel (.XLSX) document in which the list of needed spare parts was apparently available

The attacker asked for a quotation on the entire spare part list reported in the attached spreadsheet.  In this scheme, the attackers attempted to trick victims into opening the attached Microsoft Excel file.  Opening the weaponized file resulted in infection with the MartyMcFly malware.

A deeper analysis of the weaponized file revealed that it contained encrypted content: OleObj.1 and OleObj.2.  Both objects are real encrypted OLE[3] objects, where the encrypted payload sits in the “EncryptedPackage” section.  Information on how to decrypt it is then available in the “EncryptionInfo” XML descriptor.  At the time of the analysis, the EncryptionInfo held the encryption algorithm and additional information regarding the payload, but no keys were provided.

The first analysis challenge was to discover how Microsoft Excel is able to decrypt such content when no password is requested from the end user.  If the victim opens the document without knowing any “secret key,” how can he or she get infected?  And why would an attacker use an encrypted payload if the victim cannot open it?  A true conundrum.

Figure 1.  Stage1: Encrypted Content

Using an encrypted payload is a common way to evade antivirus software, since the encrypted payload changes depending on the key used; but analysts were faced with the question, “What is the key?”  Microsoft Excel implements a common way to open documents called “Read Only.”  In “Read Only” mode, the file can be opened even if it is encrypted.  Microsoft Excel only asks the user for a decryption key if the user wants to save, print or modify the content.  For that case, Microsoft programmers used a special, static key to decrypt “Read Only” documents.  The key has the value “VelvetSweatshop.”

The experts used this “key” to decrypt the content and were able to extract more objects wrapped in the Excel file, which begins Stage 2.  Stage 2 exposes a newly included object.  That object was created on 9 October 2018 but was first seen on 12 October 2018.  At the time of the analysis, the extracted object was clear text, not encrypted content at all.
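As an added example (not code from the report or from Yoroi), the following Python parses the “EncryptionInfo” descriptor described above and produces the triage note an analyst would want: the descriptor names the algorithm but carries no key, so the first thing to try is Excel’s own default password. It assumes the EncryptionInfo stream has already been pulled out of the OLE container (in practice with a library such as olefile), follows the stream layout documented in MS-OFFCRYPTO (version 4.4 marks agile encryption, followed by an XML descriptor), and uses a constructed sample descriptor whose base64 values are placeholders.

```python
import struct
import xml.etree.ElementTree as ET

# Password Excel silently tries before prompting the user (named on the page).
EXCEL_DEFAULT_PASSWORD = "VelvetSweatshop"
# Magic bytes of an OLE compound file; an encrypted .xlsx is wrapped in one.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENC_NS = "{http://schemas.microsoft.com/office/2006/encryption}"
PW_NS = "{http://schemas.microsoft.com/office/2006/keyEncryptor/password}"


def is_compound_file(data: bytes) -> bool:
    """True if the bytes start with the OLE compound-file magic.  A plain
    (unencrypted) .xlsx is a ZIP and starts with 'PK' instead."""
    return data[:8] == CFB_MAGIC


def parse_encryption_info(stream: bytes) -> dict:
    """Parse the EncryptionInfo stream: vMajor and vMinor as 16-bit LE, a
    32-bit LE flags field, then (for agile encryption, version 4.4) an XML
    descriptor holding the cipher parameters but no key."""
    if len(stream) < 8:
        raise ValueError("EncryptionInfo stream too short")
    v_major, v_minor, flags = struct.unpack("<HHI", stream[:8])
    info = {"version": f"{v_major}.{v_minor}", "flags": flags, "scheme": "unknown"}
    if (v_major, v_minor) == (4, 4):
        info["scheme"] = "agile"
        root = ET.fromstring(stream[8:].decode("utf-8"))
        key_data = root.find(f"{ENC_NS}keyData")
        info["cipher"] = key_data.get("cipherAlgorithm")
        info["chaining"] = key_data.get("cipherChaining")
        info["key_bits"] = int(key_data.get("keyBits"))
        info["hash"] = key_data.get("hashAlgorithm")
        enc_key = root.find(f".//{PW_NS}encryptedKey")
        info["spin_count"] = int(enc_key.get("spinCount"))
    elif v_minor == 2 and v_major in (2, 3, 4):
        info["scheme"] = "standard"
    elif v_minor == 3 and v_major in (3, 4):
        info["scheme"] = "extensible"
    return info


def triage_note(info: dict) -> str:
    """The analyst's next step: no key is stored, so try Excel's default first."""
    if info["scheme"] == "unknown":
        return "unrecognised EncryptionInfo version; inspect manually"
    return (f"{info['scheme']} encryption, no key in descriptor: "
            f"attempt decryption with password {EXCEL_DEFAULT_PASSWORD!r} first")


# Constructed sample descriptor; every base64 value is a placeholder.
SAMPLE_XML = (
    '<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption" '
    'xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password">'
    '<keyData saltSize="16" blockSize="16" keyBits="256" hashSize="64" '
    'cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512" '
    'saltValue="AAAAAAAAAAAAAAAAAAAAAA=="/>'
    '<keyEncryptors><keyEncryptor '
    'uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">'
    '<p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256" '
    'hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" '
    'hashAlgorithm="SHA512" saltValue="AAAAAAAAAAAAAAAAAAAAAA==" '
    'encryptedVerifierHashInput="AAAAAAAAAAAAAAAAAAAAAA==" '
    'encryptedVerifierHashValue="AAAAAAAAAAAAAAAAAAAAAA==" '
    'encryptedKeyValue="AAAAAAAAAAAAAAAAAAAAAA=="/>'
    '</keyEncryptor></keyEncryptors></encryption>'
)
SAMPLE_ENCRYPTION_INFO = struct.pack("<HHI", 4, 4, 0x40) + SAMPLE_XML.encode("utf-8")

if __name__ == "__main__":
    parsed = parse_encryption_info(SAMPLE_ENCRYPTION_INFO)
    print(parsed)
    print(triage_note(parsed))
```

The actual decryption with the default password is best left to a maintained tool such as msoffcrypto-tool; the point of this block is that a file which is an OLE container, has an EncryptionInfo stream and has not asked the user for anything is exactly the “Read Only” case the report describes, and should be decrypted and detonated rather than dismissed as unreadable.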

The following image shows the extracted object from Stage 2.

Figure 2.  Stage 2: Extracted payload

The payload exploits the CVE-2017-11882 flaw by spawning the Equation Editor, which drops and executes an external PE file.  Analysts defined this Equation Editor drop-and-execute step as Stage 3.
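An added example (not part of the report) of a first-pass check on the decrypted Stage 2 object: the Equation Editor component abused by CVE-2017-11882 leaves recognisable artefacts, and a decrypted OLE object that references it deserves sandbox detonation. The CLSID and stream name below are those of Equation Editor 3.0 (“Equation.3”); the sample blob is constructed so the offsets are known.

```python
import uuid

# CLSID of the Equation Editor 3.0 OLE server ("Equation.3").  OLE stores
# GUIDs with the first three fields little-endian, which bytes_le reproduces.
EQUATION_EDITOR_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")

# Byte patterns worth flagging in an extracted, already decrypted object.
MARKERS = {
    "clsid_equation3_le": EQUATION_EDITOR_CLSID.bytes_le,
    # CFB directory entries hold stream names as UTF-16LE.
    "stream_equation_native": "Equation Native".encode("utf-16-le"),
    # The \x01CompObj stream keeps the ProgID as an ASCII string.
    "progid_equation3": b"Equation.3",
}


def find_equation_editor_markers(blob: bytes) -> dict:
    """Return {marker_name: offset} for every marker found in blob."""
    hits = {}
    for name, pattern in MARKERS.items():
        offset = blob.find(pattern)
        if offset != -1:
            hits[name] = offset
    return hits


def assess(blob: bytes) -> str:
    """Turn marker hits into a triage verdict.  Presence of the object is a
    signal, not proof of exploitation; the verdict is to detonate, not convict."""
    hits = find_equation_editor_markers(blob)
    if not hits:
        return "no Equation Editor artefacts"
    if "clsid_equation3_le" in hits or "stream_equation_native" in hits:
        return ("Equation Editor object present: treat as possible "
                "CVE-2017-11882 carrier and detonate in a sandbox")
    return "ProgID reference only: review manually"


def build_sample() -> bytes:
    """Constructed sample: deterministic filler with two markers at known offsets."""
    filler = bytes(range(256)) * 4            # 1024 bytes, never contains a marker
    return (filler[:200] + MARKERS["clsid_equation3_le"]
            + filler[200:600] + MARKERS["stream_equation_native"]
            + filler[600:])


if __name__ == "__main__":
    sample = build_sample()
    print(find_equation_editor_markers(sample))
    print(assess(sample))
```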

Stage 4 is represented by the GEqy87.exe executable, a common Windows PE.  It was placed inside an unconventional folder (js/jquery/file/… ) on a compromised, thematically related website.  This placement usually has a double goal: (a) bypassing old-school or unconfigured intrusion detection systems (IDS), and (b) hiding malicious software inside a well-known and trusted folder structure in order to persist despite website upgrades.  The Stage 4 malware is written in Borland Delphi 7.  According to VirusTotal, the software was “seen in the Wild” in 2010 but was submitted only on 12 October 2018.
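Because the placement above relies on a PE file surviving inside a trusted script folder, a website owner can catch it with a content check rather than a name check. The following added example (not from the report) walks a web root and reports every file whose bytes begin with the PE “MZ” magic, whatever its extension; the demo web root it builds is constructed, with the file name from the page and a second, disguised PE added for illustration.

```python
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"


def find_pe_files(web_root: str) -> list:
    """Return relative paths (POSIX style) of files under web_root whose content
    starts with the PE/DOS magic, regardless of extension.  A static web tree
    normally contains no Windows executables at all, so any hit is worth a look."""
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            if fh.read(2) == PE_MAGIC:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_demo_web_root() -> str:
    """Constructed throwaway web root mimicking the placement described above:
    a PE under js/jquery/file/, a genuine script, a page, and a PE hidden
    behind an image extension."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    files = {
        "js/jquery/jquery.min.js": b"/*! jQuery placeholder */ window.$ = {};\n",
        "js/jquery/file/GEqy87.exe": PE_MAGIC + bytes(62),   # file name from the page
        "images/logo.png": PE_MAGIC + bytes(62),             # constructed: PE with image extension
        "index.html": b"<html><body>site</body></html>\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(root)


if __name__ == "__main__":
    for hit in find_pe_files(build_demo_web_root()):
        print("PE content found:", hit)
```

Run periodically against the document root (or wired into a deployment check), this turns the attacker’s persistence trick into a detection opportunity: a legitimate site upgrade never writes PE content under js/.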

Figure 3.  Stage 4: According to VirusTotal

The analysis of the GEqy87 binary revealed that it was hiding an additional Windows PE.

Stage 5 deploys many evasion tricks, such as GetLastInputIn, SleepX and GetLocalTime, to fool debuggers and sandboxes.  It makes an explicit date check against 0x7E1 (2017).  If the current year is less than or equal to 0x7E1, it skips the real behavior.  If the current year is, for example, 2018, it runs its behavior by calling “0xEAX” (a typical control-flow redirection through crafted memory).

Analyst note: Assuming there were no hash collisions over the years and that VirusTotal’s “First Seen in The Wild” listing is correct (and not bugged), one might think that everyone is facing a new threat targeting the naval industry, planned in 2010 and executed in 2018.  The name MartyMcFly (a Back to the Future reference) comes from this interesting date-back on VirusTotal.

MartyMcFly Is a Broad Campaign

Analysts who further researched the Yoroi report speculate that a cybercriminal group carrying out spearphishing attacks against various companies in several countries, including Germany, Spain, Bulgaria, Kazakhstan, India and Romania, is behind this attack.  The group conducts massive campaigns that send phishing emails to various companies, some of which are critical infrastructure facilities.  The objective of such groups is to steal financial data and money.

Figure 4.  MartyMcFly attacks

Researchers behind the Yoroi report conducted further analysis of the campaign in a joint investigation with Fincantieri, one of the biggest players in the naval industry across Europe.  Fincantieri identified and blocked additional threats targeting the naval company’s company-wide infrastructure, intercepted during the week of 20 August 2018, a few months before the MartyMcFly campaign.  The team worked to find a link between the attacks targeting Italian naval industries and attempted to attribute the attackers.  The security team observed a message that appeared suspicious due to inconsistent sender domain data inside the SMTP headers:

From: alice.wu@anchors-chain.com
Subject: Quotation on Marine Engine & TC Complete
User-Agent: Horde Application Framework 5
X-PPP-Vhost: jakconstruct.com

The evidence collected during the joint collection and analysis suggests that some still-unspecified threat actor(s) is likely trying to establish a foothold in the Italian naval industry.  It is not possible to confirm that the two waves of attacks were planned and executed by the same threat actor behind the “MartyMcFly” campaign; many differences, such as the distinct type of payload, have to be considered relevant.  At the same time, the common elements mean that a relationship cannot be ruled out.  The following indicators are “likely,” suggesting a correlation between the two campaigns:

  • Relationship of the service provider and satellite companies within the naval industry sector
  • Usage of domain names carefully selected to appear similar to the legitimate names of known companies
  • Usage of professional-sounding emails containing references and documents carefully designed to impersonate other addresses
  • Possible usage of “Microsoft Word 2013”
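Two of the indicators above, the inconsistent sender data in the SMTP headers and the look-alike domain names, can be checked at the mail gateway. The following Python is an added example (not code from the report, Yoroi or Fincantieri): it parses the headers quoted above, flags a sender domain that does not match the virtual host the message was actually sent through, flags a Reply-To steering replies elsewhere, and scores the sender domain against a list of trusted domains. The trusted-domain list is a constructed placeholder, and the message body is constructed; the headers are the ones printed above.

```python
import difflib
import email
from email.utils import parseaddr

# Placeholder list of supplier/customer domains a gateway would trust.
# Constructed for this example; they are not real companies.
LEGITIMATE_DOMAINS = ["anchor-chain.com", "example-marine-engines.com"]


def sender_domain(header_value) -> str:
    """Lower-cased domain part of a From/Reply-To header ('' if absent)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def lookalike_score(candidate: str, legit: str) -> float:
    """Similarity in [0, 1]; 1.0 means the strings are identical."""
    return difflib.SequenceMatcher(None, candidate, legit).ratio()


def analyze_headers(raw_message: str, legit_domains=LEGITIMATE_DOMAINS,
                    threshold: float = 0.85) -> dict:
    msg = email.message_from_string(raw_message)
    sender = sender_domain(msg.get("From"))
    reply_to = sender_domain(msg.get("Reply-To"))
    vhost = (msg.get("X-PPP-Vhost") or "").strip().lower()
    findings = []

    # 1. The vhost that sent the mail differs from the claimed sender domain
    #    (the inconsistency the security team noticed in the headers above).
    if vhost and sender and vhost != sender and not sender.endswith("." + vhost):
        findings.append(f"from-domain {sender} does not match sending vhost {vhost}")

    # 2. Replies are steered to a domain other than the visible sender's.
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain {reply_to} differs from from-domain {sender}")

    # 3. The sender domain is a near miss of a domain we trust.
    for legit in legit_domains:
        score = lookalike_score(sender, legit)
        if sender != legit and score >= threshold:
            findings.append(f"from-domain {sender} resembles trusted {legit} ({score:.2f})")

    return {"sender_domain": sender, "vhost": vhost, "findings": findings}


# Sample message: the headers quoted on the page plus a constructed body.
SAMPLE_MESSAGE = """From: alice.wu@anchors-chain.com
Subject: Quotation on Marine Engine & TC Complete
User-Agent: Horde Application Framework 5
X-PPP-Vhost: jakconstruct.com

Please quote the attached spare part list.
"""

# Constructed clean message for comparison: sender and vhost agree.
CLEAN_MESSAGE = """From: bob@anchor-chain.com
Subject: Re: Quotation
X-PPP-Vhost: anchor-chain.com

Thanks, received.
"""

if __name__ == "__main__":
    for finding in analyze_headers(SAMPLE_MESSAGE)["findings"]:
        print("FLAG:", finding)
```

The similarity threshold is a tuning knob: too low and every short domain collides with another, too high and a single inserted character slips through. The vhost check needs no tuning at all, which is why it is the one to run first.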

The MartyMcFly malware attack is a stark reminder of the sophisticated bad actors targeting the naval and maritime industry, including even shipbuilders.  Wapack Labs provides weekly Maritime Watchlists that identify malicious emails and indicators, and reports on Vessel Impersonations.

For questions, comments or assistance regarding this report, please contact Wapack Labs at 844-492-7225, or feedback@wapacklabs.com

[1] https://resources.infosecinstitute.com/hackers-target-organizations-in-the-naval-and-maritime-sectors/

[2] https://securityaffairs.co/wordpress/77195/malware/martymcfly-malware-cyber-espionage.html

[3] Object Linking & Embedding
