vessel impersonation 02 26 2019 - Transportation - Red Sky Alliance2024-03-28T14:17:55Zhttps://redskyalliance.org/transportation/feed/tag/vessel+impersonation+02+26+2019Vessel Impersonation 02 26 2019https://redskyalliance.org/transportation/vessel-impersonation-02-26-20192019-02-27T18:26:10.000Z2019-02-27T18:26:10.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p>Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver them.  Users should never click on or download any attachments or links in suspicious emails.</p>
<p><strong>Significant Vessel Keys Words:</strong></p>
<table width="378">
<tbody>
<tr>
<td width="84">
<p>MT, M/T</p>
</td>
<td width="294">
<p>merchant tanker</p>
</td>
</tr>
<tr>
<td width="84">
<p>MV, M/V</p>
</td>
<td width="294">
<p>merchant vessel</p>
</td>
</tr>
<tr>
<td width="84">
<p>MY, M/Y</p>
</td>
<td width="294">
<p>motor yacht</p>
</td>
</tr>
<tr>
<td width="84">
<p>VLCC</p>
</td>
<td width="294">
<p>very large crude carrier</p>
</td>
</tr>
<tr>
<td width="84">
<p>ULCC</p>
</td>
<td width="294">
<p>ultra large crude carrier</p>
</td>
</tr>
<tr>
<td width="84">
<p>RV, R/V</p>
</td>
<td width="294">
<p>research vessel</p>
</td>
</tr>
<tr>
<td width="84">
<p>FPSO</p>
</td>
<td width="294">
<p>floating production storage & offloading</p>
</td>
</tr>
</tbody>
</table>
<p><strong><a href="{{#staticFileLink}}1216317429,RESIZE_1200x{{/staticFileLink}}" target="_blank" rel="noopener"><img class="align-full" src="{{#staticFileLink}}1216317429,RESIZE_710x{{/staticFileLink}}" width="455" height="186" /></a></strong>Figure 1.  Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.</p>
<p><a href="{{#staticFileLink}}1216319947,RESIZE_930x{{/staticFileLink}}" target="_blank" rel="noopener"><img class="align-full" src="{{#staticFileLink}}1216319947,RESIZE_710x{{/staticFileLink}}" width="354" height="253" /></a>Figure 2. MV MEDI OKINAWA, flag Panama, bulk carrier</p>
<p><a href="{{#staticFileLink}}1216326423,RESIZE_710x{{/staticFileLink}}" target="_blank" rel="noopener"><img class="align-full" src="{{#staticFileLink}}1216326423,RESIZE_710x{{/staticFileLink}}" width="459" height="223" /></a><em>Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from February 19, 2019 to February 26, 2019.</em></p>
<table style="width: 665px;" width="720">
<tbody>
<tr>
<td style="width: 70px;" width="72">
<p><strong> </strong></p>
<p><strong>First Seen</strong></p>
</td>
<td style="width: 485px;" width="84">
<p><strong> </strong></p>
<p><strong>Subject Line Used</strong></p>
</td>
<td style="width: 10px;" width="228">
<p><strong> </strong></p>
<p><strong>Malware Detections</strong></p>
</td>
<td style="width: 166px;" width="150">
<p><strong> </strong></p>
<p><strong>Sending Email</strong></p>
</td>
<td style="width: 158px;" width="186">
<p><strong> </strong></p>
<p><strong>Targets</strong></p>
</td>
</tr>
<tr>
<td style="width: 70px;" width="72">
<p>February 20th 2019</p>
</td>
<td style="width: 485px;" width="84">
<p>Subject consignment expected to arrive your port on MV. CMA CGM Verdi V-250E dated 18/02/2019</p>
</td>
<td style="width: 10px;" width="228">
<p>Ikarus - Trojan-Downloader.O97M.Donoff</p>
</td>
<td style="width: 166px;" width="150">
<p><br />
Ms.Julie Tsukahara-LOGISTICS MATES CORP. <info@esanat.com></p>
</td>
<td style="width: 158px;" width="186">
<p>friterm.com</p>
<p> </p>
<p>esanat.com</p>
<p> </p>
<p>maillocal.friterm.com</p>
</td>
</tr>
<tr>
<td style="width: 70px;" width="72">
<p>February 21st 2019</p>
</td>
<td style="width: 485px;" width="84">
<p>Final Request KOREA MARINECRAFT- for vessel MV MEDI OKINAWA</p>
</td>
<td style="width: 10px;" width="228">
<p>Fortinet - W32/Agent.AJFK!tr<br />
McAfee - Exploit-CVE2017-11882.aj</p>
<p>Sophos - Troj/RtfExp-EV</p>
<p>McAfee-GW-Edition - Exploit-CVE2017-11882.aj</p>
<p>ZoneAlarm - HEUR:Exploit.MSOffice.CVE-2018-0802.gen</p>
<p>Ikarus - Win32.Outbreak</p>
<p>ESET-NOD32 - a variant of DOC/Abnormal.E</p>
</td>
<td style="width: 166px;" width="150">
<p>\"S.S. Hwang\" <kmc@ksmcom.co.kr></p>
</td>
<td style="width: 158px;" width="186">
<p> </p>
</td>
</tr>
</tbody>
</table>
<p>Figure 3. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection. </p>
<p><a href="{{#staticFileLink}}1216411475,RESIZE_930x{{/staticFileLink}}" target="_blank" rel="noopener"><img class="align-full" src="{{#staticFileLink}}1216411475,RESIZE_710x{{/staticFileLink}}" width="347" height="231" /></a>Figure 4.  MV CMA CGM Verdi, Flag: Liberia, container ship</p>
<p><strong>About Wapack Labs</strong></p>
<p>Wapack Labs, located in New Boston, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations.  For questions or comments regarding this report, please contact the lab directly by at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
</div>