Transportation

Summary

Merchant Vessel (M/V) VICTORIA is being impersonated utilizing a spoofed email address from the ship management company, ProFYShip Management, Odessa Ukraine.

The email is being used to spread a Trojan malware:

  • Avast - Win32:Malware-gen;
  • GData - Trojan.Agent.DNJX;
  • MAX - malware (ai score=80);
  • Arcabit - Trojan.Agent.DNJX;
  • Kaspersky - Backdoor.Win32.Androm.qztg;
  • NANO-Antivirus -Trojan.Win32.Stealer.fmccvx;
  • MicroWorld-eScan - Trojan.Agent.DNJX

This impersonation was detected in Wapack Labs malicious email collections, and was used to pass a malicious email targeting both ProFYShip Management and an Indian based freight forwarder, In Synergy India (also located in Hong Kong and Shenzen, China).  The email address is likely taken from a ProFY Ship Management open source shipping site, utilizing a legitimate email.   This demonstrates the use of a maritime sector vessel/company to target or are being used as a conduit for malicious intent. 

 

First Seen

 

Subject Line Used

 

Malware Detections

 

Sending Email

 

Targets

January 23rd 2019

MV VICTORIA

Avast - Win32:Malware-gen

GData - Trojan.Agent.DNJX

MAX - malware (ai score=80)

Arcabit - Trojan.Agent.DNJX

Kaspersky - Backdoor.Win32.Androm.qztg

NANO-Antivirus -Trojan.Win32.Stealer.fmccvx

MicroWorld-eScan -Trojan.Agent.DNJX

Capt.Eduard Chepurnoy <chepurnoy@profyshipmanagement.com>

 

insynergyindia.com

 

profyshipmanagement.com

 

gmail.com

 

crcvmail33.nm.naver.com

Threat

On 23 January 2019, Wapack Labs identified suspicious email activity from proprietary collection sources.  The collection is focused on known maritime keys words used in phishing type attacks to spread various types of malicious malware.

Merchant Vessel VICTORIA[1]

IMO:                      9129029
MMSI:                    636016923
Vessel Type:          BULK CARRIER
Gross Ton.:            27792
Build:                     1997
Flag:                      LIBERIA
Home port:            MONROVIA

In the sender’s field of this malicious email was observed:  “MV VICTORIA. disch abt 7500 mt of wheat in bulk (Agency nomination).”  The M/V VICTORIA is a legitimate bulk carrier, known to transport wheat.  The sender email was: Captain Eduard Chepurnoy, chepurnoy@profyshipmanagement.com, who actually works for the ProFYShip Management company, located in Odessa Ukraine.  ProFYShip is a company which provides the full or part-time ship management and also associated maritime services.  The own six (6) vessels, none of which are involved in this spoof.  On 23 January 2019 both Martine Traffic[2] and Vessel Tracking[3] had the M/V VICTORIA underway from Nemrut Bay, Turkey. 

PROFYSHIP MANAGEMENT
503, Ivan Franko street, 55
65049, Odessa, Ukraine

Office: +380 48 232-51-59
Fax: +380 48 232-55-40
info@profyshipmanagement[.]com
chartering@profyshipmanagement[.]com
crewing@profyshipmanagement[.]com

Domain Name:         PROFYSHIPMANAGEMENT.COM
Registry Domain ID: 1783551259_DOMAIN_COM-VRSN
Reg. WHOIS Server: whois[.]imena[.]ua
Registrar URL:         http://www[.]imena[.]ua
Updated Date:         2019-01-28T13:04:53Z
Creation Date:         2013-03-01T16:24:08Z
Registry Exp Date:    2020-03-01T16:24:08Z
Registrar:                INTERNET INVEST, LTD. DBA IMENA.UA
Registrar IANA ID:    1112

Analyst’s Note: Of interest, the sender email of Captain Eduard Chepurnoy, an actual employee of ProFYShip Management, is targeting the company itself. 

The second target company is In Synergy, an Indian based freight forwarder and logistics company, specializing in marine, air and trucking shipping.

In Synergy

A-41, Sector-64
Noida (New Delhi area), 201-301, India
Telephone: +91-0120-4868990
Email: nodia@insynergyindia[.]com
Offices located in Hong Kong and Shenzen China

Domain Name:         INSYNERGYINDIA[.]COM
Registry Domain ID: 1587645252_DOMAIN_COM-VRSN
Reg. WHOIS Server: whois[.]PublicDomainRegistry[.]com
Registrar URL:         http://www[.]publicdomainregistry[.]com
Updated Date:         2018-04-04T10:40:00Z
Creation Date:         2010-03-05T08:00:24Z
Reg. Expiry Date:     2019-03-05T08:00:24Z
Registrar:                PDR Ltd. d/b/a PublicDomainRegistry[.]com
Registrar                 IANA ID: 303

This information is derived from an official ProFYShip and In Synergy India open source web addresses and likely used for reconnaissance.  This collection and analysis confirm an escalated interest in targeting the maritime/transportation sector by malicious actors.

  • Targets: profyshipmanagement.com: Ukrainian ship management; insynergyindia.com: Indian freight forwarder (offices in Hong Kong and Shenzen CN; insynergyindia.com: a freight forwarder and logistics company located in India and Hong Kong and Shanzen China.
  • Target recipients: ProFYShip: email_68cda7959214df8fcf00b2a08bf8509160ce7e703a0b48a158710eff44b5c9e2; In Synergy India: email_68cda7959214df8fcf00b2a08bf8509160ce7e703a0b48a158710eff44b5c9e2 (may not be compromised)
  • VT Detections: Avast - Win32:Malware-gen; GData - Trojan.Agent.DNJX; MAX - malware (ai score=80); Arcabit - Trojan.Agent.DNJX; Kaspersky - Backdoor.Win32.Androm.qztg; NANO-Antivirus -Trojan.Win32.Stealer.fmccvx; MicroWorld-eScan - Trojan.Agent.DNJX

For questions or comments regarding this report, please contact the Lab directly by at 844-4-WAPACK (1-844-492-7225), or feedback@wapacklabs.com

[1] https://www[.]marinetraffic.com/en/ais/details/ships/shipid:687226/mmsi:636016923/imo:9129029/vessel:VICTORIA

[2] https://www[.]marinetraffic.com/en/ais/home/shipid:687226/zoom:10

[3] https://www[.]vesseltracker.com/en/Ships/Victoria-9129029.html

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance