mv tianjin - Transportation - Red Sky Alliance
2024-03-29T06:50:47Z
https://redskyalliance.org/transportation/feed/tag/mv+tianjin
Vessel Impersonation 01 30 2019
https://redskyalliance.org/transportation/vessel-impersonation-01-30-2019
2019-01-31T20:56:33.000Z
2019-01-31T20:56:33.000Z
Bill Schenkelberg
https://redskyalliance.org/members/BillSchenkelberg
<div><p><strong>Weekly 2018 Motor Vessel (MV) & Motor Tanker (MT) Impersonation</strong></p>
<p>Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver them.  Users should never click on or download any attachments or links in suspicious emails.</p>
<p><strong>Significant Vessel Keys Words:</strong></p>
<table width="378">
<tbody>
<tr>
<td width="84">
<p>MT, M/T</p>
</td>
<td width="294">
<p>merchant tanker</p>
</td>
</tr>
<tr>
<td width="84">
<p>MV, M/V</p>
</td>
<td width="294">
<p>merchant vessel</p>
</td>
</tr>
<tr>
<td width="84">
<p>MY, M/Y</p>
</td>
<td width="294">
<p>motor yacht</p>
</td>
</tr>
<tr>
<td width="84">
<p>VLCC</p>
</td>
<td width="294">
<p>very large crude carrier</p>
</td>
</tr>
<tr>
<td width="84">
<p>ULCC</p>
</td>
<td width="294">
<p>ultra large crude carrier</p>
</td>
</tr>
<tr>
<td width="84">
<p>RV, R/V</p>
</td>
<td width="294">
<p>research vessel</p>
</td>
</tr>
<tr>
<td width="84">
<p>FPSO</p>
</td>
<td width="294">
<p>floating production storage & offloading</p>
</td>
</tr>
</tbody>
</table>
<p><strong> <a href="{{#staticFileLink}}934000693,original{{/staticFileLink}}" target="_blank" rel="noopener"><img class="align-full" src="{{#staticFileLink}}934000693,RESIZE_710x{{/staticFileLink}}" width="710" /></a></strong></p>
<p>Figure 1.  Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.</p>
<p><a href="{{#staticFileLink}}934002673,original{{/staticFileLink}}" target="_blank" rel="noopener"><img class="align-full" src="{{#staticFileLink}}934002673,RESIZE_710x{{/staticFileLink}}" width="710" /></a>Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection.</p>
<p><em>Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from January 15, 2019 to January 22, 2019.</em></p>
<table width="720">
<tbody>
<tr>
<td width="66">
<p><strong> </strong></p>
<p><strong>First Seen</strong></p>
</td>
<td width="90">
<p><strong> </strong></p>
<p><strong>Subject Line Used</strong></p>
</td>
<td width="228">
<p><strong> </strong></p>
<p><strong>Malware Detections</strong></p>
</td>
<td width="150">
<p><strong> </strong></p>
<p><strong>Sending Email</strong></p>
</td>
<td width="186">
<p><strong> </strong></p>
<p><strong>Targets</strong></p>
</td>
</tr>
<tr>
<td width="66">
<p>January 23rd 2019</p>
</td>
<td width="90">
<p>MV VICTORIA. disch abt 7500 mt of wheat in bulk (Agency nomination)</p>
</td>
<td width="228">
<p>Avast - Win32:Malware-gen</p>
<p> </p>
<p>GData - Trojan.Agent.DNJX</p>
<p> </p>
<p>MAX - malware (ai score=80)</p>
<p> </p>
<p>Arcabit - Trojan.Agent.DNJX</p>
<p> </p>
<p>Backdoor.Win32.Androm.qztg - Kaspersky,</p>
<p> </p>
<p>NANO-Antivirus -Trojan.Win32.Stealer.fmccvx</p>
<p> </p>
<p>MicroWorld-eScan -Trojan.Agent.DNJX</p>
<p> </p>
</td>
<td width="150">
<p>Capt.Eduard Chepurnoy <chepurnoy@profyshipmanagement.com></p>
<p> </p>
</td>
<td width="186">
<p>insynergyindia.com</p>
<p> </p>
<p>profyshipmanagement.com</p>
<p> </p>
<p>gmail.com</p>
<p> </p>
<p>crcvmail33.nm.naver.com</p>
</td>
</tr>
<tr>
<td width="66">
<p><br />
January 23rd 2019</p>
<p> </p>
</td>
<td width="90">
<p><br />
[Ceci est un spam?] MV YIANNIS TO DISCHARGE 50,000MT OF Hot</p>
<p> </p>
</td>
<td width="228">
<p>Kaspersky -Backdoor.Win32.Androm.ralq</p>
<p> </p>
<p>Antiy-AVL -VCS[Warning]/Email.Agent.1</p>
<p> </p>
<p>DrWeb - Trojan.PWS.Stealer.23680</p>
<p> </p>
<p>Avast - Win32:Trojan-gen</p>
<p> </p>
<p>Microsoft -Trojan:Win32/Sonbokli.A!cl</p>
<p> </p>
<p>ZoneAlarm -Backdoor.Win32.Androm.ralq</p>
</td>
<td width="150">
<p>Glory Marine Services <account07@qetour.com></p>
</td>
<td width="186">
<p>smte.diplomatie.gouv.fr</p>
<p> </p>
<p>smtp-inet.proxy.diplomatie.gouv.fr</p>
<p> </p>
<p>qetour.com</p>
<p> </p>
<p>slu01ex00001.slu01.diplomatie.gouv.fr</p>
<p> </p>
<p>slu01ex00001.diplomatie.gouv.fr</p>
<p> </p>
<p>az011mx01c13.diplomatie.gouv.fr</p>
<p> </p>
<p>diplomatie.gouv.fr</p>
<p> </p>
<p>gateway.goholidaytour.com</p>
<p> </p>
<p>az001av01934.diplomatie.gouv.fr</p>
</td>
</tr>
<tr>
<td width="66">
<p>January 23rd 2019</p>
</td>
<td width="90">
<p>Re: MV. TBN - PDA FOR LOADING ABOUT 55/57, 000 MT COAL IN BULK OUT OF SAMARINDA</p>
</td>
<td width="228">
<p> TSPY_HPLOKI.SMBD - TrendMicro</p>
<p> </p>
<p>Win32.Outbreak - Ikarus</p>
<p> </p>
<p>Sophos Mal/Fareit-Q</p>
<p> </p>
<p>AhnLab-V3 –</p>
<p>Win-Trojan/Delphiless.Exp</p>
<p> </p>
<p>ZoneAlarm -HEUR:Trojan.Win32.Generic</p>
<p> </p>
<p>Kaspersky -HEUR:Trojan.Win32.Generic</p>
</td>
<td width="150">
<p> </p>
<p>OPS - 1 <admin@webserviceupdate.cf></p>
</td>
<td width="186">
<p>hmsfareast.com</p>
</td>
</tr>
<tr>
<td width="66">
<p>January 23rd 2019</p>
</td>
<td width="90">
<p>MV Tianjin Highway - request for quotation for Docking Repair</p>
<p> </p>
</td>
<td width="228">
<p>Arcabit - Trojan.Zmutzy.804</p>
<p> </p>
<p>Ikarus - Win32.SuspectCrc</p>
<p> </p>
<p>Avast - Win32:Malware-gen</p>
<p> </p>
<p>Fortinet - W32/Injector.EDAC!tr</p>
<p> </p>
<p>BitDefender -Trojan.GenericKD.31564343</p>
<p> </p>
<p>Antiy-AVL - VCS[Warning]/Email.Agent.1</p>
<p> </p>
<p>Rising - Trojan.Injector!1.B459 (CLASSIC)</p>
</td>
<td width="150">
<p>KRBS Yanagida Hiroshi <yanagda.hiroshi@krbs.jp></p>
</td>
<td width="186">
<p><br />
mail.zelda.com</p>
<p> </p>
<p>kraeber.de</p>
<p> </p>
<p>zelda.com</p>
<p> </p>
<p>vanessa.inwise.de</p>
<p> </p>
<p>krbs.jp</p>
<p> </p>
</td>
</tr>
<tr>
<td width="66">
<p>January 24th 2019</p>
</td>
<td width="90">
<p>MV ASIAN TRIUMPH IMO 9474668</p>
</td>
<td width="228">
<p>Kaspersky - HEUR:Exploit.MSOffice.Generic</p>
<p> </p>
<p>TrendMicro - HouseCall - Mal_HPGen-37b</p>
<p> </p>
<p>Qihoo-360 - virus.exp.21711882.b</p>
<p> </p>
<p>Antiy-AVL - Trojan[Exploit]/RTF.CVE-2017-11882</p>
</td>
<td width="150">
<p>Vanbloom Shipping Limited <elainezuo@vanbloomship.com></p>
</td>
<td width="186">
<p>cdex01.cidoshipping.com</p>
<p> </p>
<p>vanbloomship.com</p>
<p> </p>
<p>jennifer.com</p>
<p> </p>
<p>torai9.com</p>
<p> </p>
<p>cdex02.cidoshipping.com</p>
<p> </p>
<p>spam.cidoship.com</p>
</td>
</tr>
<tr>
<td width="66">
<p>January 24th 2019</p>
</td>
<td width="90">
<p>Re: MV. TBN - PDA FOR LOADING ABOUT 55/57, 000 MT COAL IN BULK OUT</p>
</td>
<td width="228">
<p>AVG - Win32:Malware-gen</p>
<p> </p>
<p>BitDefender - Trojan.GenericKD.40977705</p>
<p> </p>
<p>Kaspersky - HEUR:Trojan.Win32.Kryptik.gen</p>
<p> </p>
<p>F-Secure - Trojan.GenericKD.40977705</p>
<p> </p>
<p>Avast - Win32:Malware-gen</p>
<p> </p>
<p>MicroWorld-eScan - Trojan.GenericKD.40977705</p>
</td>
<td width="150">
<p>OPS - 1 <admin@webserviceupdate.cf></p>
<p> </p>
</td>
<td width="186">
<p>we0.webserviceupdate.cf</p>
<p> </p>
<p>hmsfeex101.hmsfe.net</p>
<p> </p>
<p>hmsfareast.com</p>
<p> </p>
<p>yahoo.co.id</p>
<p> </p>
<p>gmail.com</p>
</td>
</tr>
<tr>
<td width="66">
<p>January 24th 2019</p>
</td>
<td width="90">
<p>MV ICE RIVER - VOY 201901 / OUR PFDA /</p>
</td>
<td width="228">
<p>Rising - Exploit.CVE-2017-11882/SLT!1.AEE3 (CLASSIC)</p>
<p> </p>
<p>TrendMicro - Trojan.W97M.CVE201711882.SMAL02</p>
<p> </p>
<p>NANO-Antivirus - Exploit.OleNative.CVE-2017-11882.evenbv</p>
<p> </p>
<p>Ad-Aware - Exploit.CVE-2017-11882.Gen</p>
<p> </p>
<p>Ikarus - PWS.HTML.Phish</p>
<p> </p>
<p>Cyren - CVE-2017-11882!Camelot</p>
</td>
<td width="150">
<p>Maestro Reefers <reefer@maestroshipping.com></p>
<p> </p>
</td>
<td width="186">
<p><br />
comaco-italy.com</p>
<p> </p>
<p>hmsfeex101.hmsfe.net</p>
<p> </p>
<p>hmsfareast.com</p>
<p> </p>
<p>medmaritimebrokers.com</p>
<p> </p>
<p>maestroshipping.com</p>
<p> </p>
</td>
</tr>
<tr>
<td width="66">
<p>January 24th 2019</p>
</td>
<td width="90">
<p>MV WAF PASSION / Port Agency Appointment</p>
<p> </p>
</td>
<td width="228">
<p>AVG - Win32:Malware-gen</p>
<p> </p>
<p>Antiy-AVL - Trojan[Exploit]/RTF.CVE-2017-11882</p>
<p> </p>
<p>ZoneAlarm - HEUR:Exploit.MSOffice.CVE-2018-0802.gen</p>
<p> </p>
<p>Ikarus - Win32.Outbreak</p>
<p> </p>
<p>Avast - Win32:Malware-gen</p>
<p> </p>
<p>Qihoo-360 - virus.exp.21711882.b</p>
</td>
<td width="150">
<p>Jisung Shipping Co., Ltd (Shanghai Office)</p>
<p><mabongshangha@mabong.co.kr></p>
</td>
<td width="186">
<p>ngay21.com</p>
<p> </p>
<p>ykk.co.kr</p>
<p> </p>
<p>mx1.ykk.co.kr</p>
<p> </p>
<p>mabong.co.kr</p>
<p> </p>
<p>fussel.com.cn</p>
<p> </p>
<p>joseph.com</p>
<p> </p>
<p>bnkorg01.ykk.co.kr</p>
</td>
</tr>
<tr>
<td width="66">
<p>January 24th 2019</p>
</td>
<td width="90">
<p>MV \"Alentejo\" TO DISCHARGE 50,000MT OF Hot Briquettted Iron (HBI)</p>
</td>
<td width="228">
<p>ZoneAlarm - Backdoor.Win32.Androm.rahj</p>
<p> </p>
<p>AVG - Win32:Malware-gen,Fortinet - W32/Fareit.L!tr.pws</p>
<p> </p>
<p>GData - Trojan.GenericKD.31549065</p>
<p> </p>
<p>NANO-Antivirus - Trojan.Win32.Stealer.fminkg</p>
<p> </p>
<p>Emsisoft - Trojan.GenericKD.31549065 (B)</p>
</td>
<td width="150">
<p>GLOBAL ALLIANCE SHIPPING <TANKER@GASHlP.COM></p>
<p> </p>
</td>
<td width="186">
<p>gashlp.com</p>
<p> </p>
<p>leopardscourier.com</p>
<p> </p>
<p>rcm.it</p>
<p> </p>
<p>macroclean.it</p>
<p> </p>
<p>gaship.com</p>
<p> </p>
<p>zimbra.rcm.it</p>
</td>
</tr>
</tbody>
</table>
<p><strong>About Wapack Labs</strong></p>
<p>Wapack Labs, located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.  For questions or comments regarding this report, please contact the lab directly by at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
</div>