On 7-9 May 2019, Wapack Labs detected an increase in malicious emails with the spoofed sender field  Hackers deliver malicious attachments under the pretense of an incoming SWIFT transfer (Figure 1).

Figure 1. Email text spoofing HHH Marine Services on 8 May 2019.

The attackers use the popular malware Lokibot. Wapack Labs detected communications from these samples to known and new Lokibot C2s:

  • kbfvzoboss[.]bid/alien/fre.php
  • carlos-tevez[.]gq/raphael/fre.php
  • uenajrkja[.]ml/chibyke/fre.php[1]
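
One way to hunt for these indicators in web proxy logs, as an added example that is not part of the original report: it matches the three listed C2 URLs exactly and separately flags the `/<directory>/fre.php` path layout they share when it appears on a host the report does not list. The log format, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in this report (defanged form).
REPORT_C2S = [
    "kbfvzoboss[.]bid/alien/fre.php",
    "carlos-tevez[.]gq/raphael/fre.php",
    "uenajrkja[.]ml/chibyke/fre.php",
]
# Assumption drawn from the three URLs above: one directory, then fre.php.
PATH_SHAPE = re.compile(r"^/[^/]+/fre\.php$", re.IGNORECASE)

def refang(indicator):
    """Turn 'host[.]tld/path' into a comparable (host, path) pair."""
    host, _, path = indicator.replace("[.]", ".").partition("/")
    return host.lower(), "/" + path

KNOWN = {refang(i) for i in REPORT_C2S}

def classify(url):
    """Return 'known-c2', 'path-shape' or None for one requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in KNOWN:
        return "known-c2"
    if PATH_SHAPE.match(parts.path):
        return "path-shape"  # same layout, host not in the report: triage
    return None

def scan(log_lines):
    """Return (client, url, verdict) hits for 'client method url' lines."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) == 3:  # skip malformed lines
            verdict = classify(fields[2])
            if verdict:
                hits.append((fields[0], fields[2], verdict))
    return hits

# Constructed sample proxy log (hypothetical clients and log format).
SAMPLE_LOG = [
    "10.0.0.21 POST http://kbfvzoboss.bid/alien/fre.php",
    "10.0.0.34 GET https://www.example.com/index.html",
    "10.0.0.57 POST http://unlisted.example/panel/fre.php",
]
```

A `path-shape` hit is a lead for triage rather than a confirmed C2, since the layout is inferred only from the three URLs in this report.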

HHH Marine & Logistics provides marine transportation and logistics services for shipping, offshore, and oil and gas companies. HHH handles transport services with in-port and outbound supply boats, high-speed agent boats, harbor launch, marine logistics, warehousing, and air and sea freight services within Singapore, Indonesian and Malaysian waters.

While we are seeing a significant spike in May 2019, the first use of the spoofed email address goes back as far as 30 Nov 2017.


Prepared by:  Yury Polozov
Serial: TR-19-134-002
Report Date: 05142019
Country: SG, UK, RO
Industries: Maritime, Financial


