Merchant Vessel (M/V) VICTORIA is being impersonated using a spoofed email address belonging to the ship management company ProFYShip Management, Odessa, Ukraine.
The email is being used to spread a Trojan malware:
- Avast - Win32:Malware-gen;
- GData - Trojan.Agent.DNJX;
- MAX - malware (ai score=80);
- Arcabit - Trojan.Agent.DNJX;
- Kaspersky - Backdoor.Win32.Androm.qztg;
- NANO-Antivirus - Trojan.Win32.Stealer.fmccvx;
- MicroWorld-eScan - Trojan.Agent.DNJX
This impersonation was detected in Wapack Labs malicious email collections and was used to pass a malicious email targeting both ProFYShip Management and an India-based freight forwarder, In Synergy India (which also has offices in Hong Kong and Shenzhen, China). The sender address was likely taken from an open-source shipping site listing ProFYShip Management, so the spoof uses a legitimate employee's email. This demonstrates how a maritime-sector vessel or company can serve both as a target and as a conduit for malicious activity.
Subject Line Used
January 23rd 2019
Capt. Eduard Chepurnoy <firstname.lastname@example.org>
On 23 January 2019, Wapack Labs identified suspicious email activity from proprietary collection sources. The collection is focused on known maritime keywords used in phishing-type attacks to spread various types of malware.
Merchant Vessel VICTORIA
Vessel Type: BULK CARRIER
Gross Tonnage: 27792
Home port: MONROVIA
The following was observed in the sender’s field of this malicious email: “MV VICTORIA. disch abt 7500 mt of wheat in bulk (Agency nomination).” The M/V VICTORIA is a legitimate bulk carrier known to transport wheat. The sender email was Captain Eduard Chepurnoy, email@example.com, who actually works for the ProFYShip Management company, located in Odessa, Ukraine. ProFYShip provides full- or part-time ship management and associated maritime services. They own six (6) vessels, none of which are involved in this spoof. On 23 January 2019 both MarineTraffic and Vessel Tracking had the M/V VICTORIA underway from Nemrut Bay, Turkey.
Office: +380 48 232-51-59
Fax: +380 48 232-55-40
Domain Name: PROFYSHIPMANAGEMENT.COM
Registry Domain ID: 1783551259_DOMAIN_COM-VRSN
Reg. WHOIS Server: whois[.]imena[.]ua
Registrar URL: http://www[.]imena[.]ua
Updated Date: 2019-01-28T13:04:53Z
Creation Date: 2013-03-01T16:24:08Z
Registry Exp Date: 2020-03-01T16:24:08Z
Registrar: INTERNET INVEST, LTD. DBA IMENA.UA
Registrar IANA ID: 1112
Analyst’s Note: Of interest, the spoofed sender address of Captain Eduard Chepurnoy, an actual employee of ProFYShip Management, is being used to target the company itself.
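A defender-side triage check for the pattern described above (a watched company's own domain in the From header that fails authentication, a maritime lure subject, and an attachment), added here as an example that is not part of the Wapack Labs report. The sample message, its sender mailbox, the Authentication-Results values and the attachment are constructed; only the subject line is taken from the report.

```python
import email
import re
from email import policy

# Domains whose mail is expected to authenticate (the spoofed sender domain from the report)
WATCHED_DOMAINS = {"profyshipmanagement.com", "insynergyindia.com"}

# Maritime chartering shorthand; the terms come from the subject line quoted in the report
MARITIME_KEYWORDS = re.compile(r"\b(m/?v|disch|mt of|in bulk|agency nomination)\b", re.I)

# Constructed sample message: mailbox, Authentication-Results and attachment are assumed
SAMPLE_EML = """From: "Capt. Eduard Chepurnoy" <capt.placeholder@profyshipmanagement.com>
To: operations@profyshipmanagement.com
Subject: MV VICTORIA. disch abt 7500 mt of wheat in bulk (Agency nomination)
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=profyshipmanagement.com; dkim=none; dmarc=fail header.from=profyshipmanagement.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="nomination.exe"
Content-Disposition: attachment; filename="nomination.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""


def _auth_result(header: str, mechanism: str) -> str:
    # Pull the spf=/dkim=/dmarc= verdict out of a lower-cased Authentication-Results header
    m = re.search(rf"\b{mechanism}=(\w+)", header)
    return m.group(1) if m else "none"


def assess_message(raw: str) -> dict:
    """Flag mail claiming a watched domain that fails authentication, plus maritime lure signs."""
    msg = email.message_from_string(raw, policy=policy.default)
    m = re.search(r"@([\w.-]+)", msg.get("From") or "")
    from_domain = m.group(1).lower() if m else ""
    auth = (msg.get("Authentication-Results") or "").lower()
    spf, dkim, dmarc = (_auth_result(auth, k) for k in ("spf", "dkim", "dmarc"))
    # DMARC pass, or SPF and DKIM both passing, is the bar for a sender claiming our own domain
    auth_failed = not (dmarc == "pass" or (spf == "pass" and dkim == "pass"))
    spoofed = from_domain in WATCHED_DOMAINS and auth_failed
    lures = sorted({hit.lower() for hit in MARITIME_KEYWORDS.findall(msg.get("Subject") or "")})
    attachment = any(p.get_content_disposition() == "attachment" for p in msg.walk())
    score = 2 * spoofed + bool(lures) + attachment
    verdict = "quarantine" if score >= 3 else "review" if score else "pass"
    return {"from_domain": from_domain, "spf": spf, "dkim": dkim, "dmarc": dmarc,
            "spoofed_watched_domain": spoofed, "lure_keywords": lures,
            "attachment": attachment, "verdict": verdict}
```

The same message with passing authentication results still scores "review" on the lure subject and attachment alone, which is the point: authentication tells you the sender was spoofed, the keyword match tells you why the recipient would open it.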
The second target company is In Synergy, an India-based freight forwarder and logistics company specializing in marine, air and trucking shipping.
Noida (New Delhi area), 201-301, India
Offices located in Hong Kong and Shenzhen, China
Domain Name: INSYNERGYINDIA[.]COM
Registry Domain ID: 1587645252_DOMAIN_COM-VRSN
Reg. WHOIS Server: whois[.]PublicDomainRegistry[.]com
Registrar URL: http://www[.]publicdomainregistry[.]com
Updated Date: 2018-04-04T10:40:00Z
Creation Date: 2010-03-05T08:00:24Z
Reg. Expiry Date: 2019-03-05T08:00:24Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry[.]com
Registrar IANA ID: 303
This information is derived from the official ProFYShip and In Synergy India web addresses (open-source information) and was likely used for reconnaissance. This collection and analysis confirm an escalated interest in targeting the maritime/transportation sector by malicious actors.
- Targets: profyshipmanagement.com: Ukrainian ship management company; insynergyindia.com: India-based freight forwarder and logistics company (offices in Hong Kong and Shenzhen, China).
- Target recipients: ProFYShip: email_68cda7959214df8fcf00b2a08bf8509160ce7e703a0b48a158710eff44b5c9e2; In Synergy India: email_68cda7959214df8fcf00b2a08bf8509160ce7e703a0b48a158710eff44b5c9e2 (may not be compromised)
- VT Detections: Avast - Win32:Malware-gen; GData - Trojan.Agent.DNJX; MAX - malware (ai score=80); Arcabit - Trojan.Agent.DNJX; Kaspersky - Backdoor.Win32.Androm.qztg; NANO-Antivirus - Trojan.Win32.Stealer.fmccvx; MicroWorld-eScan - Trojan.Agent.DNJX
For questions or comments regarding this report, please contact the Lab directly at 844-4-WAPACK (1-844-492-7225), or firstname.lastname@example.org