M/V YI CHUN Impersonation


The M/V YI CHUN is being impersonated in emails that lure ships and maritime industry companies into installing various Trojan malware families.  Collection and analysis of malicious email subject lines exposed someone impersonating the M/V YI CHUN.  The identified emails, geo-located in Russia, are attempting to deliver Trojan malware to transportation and maritime companies in the UK and Singapore.  Caution should be used if this email is received.   Full report: TR-19-017_MV YI CHUN_Impersonation_01_17_19FINAL.pdf

Details: Wapack Labs analyzes a weekly collection of malicious emails that use various maritime keywords.  The vessel MV (merchant's vessel) YI CHUN was used in the subject line of an email to trick recipients.  The YI CHUN is a bulk carrier registered under the flag of Hong Kong, CN.

Subject line: the sender was asking for an RFQ (request for quotation) for the YI CHUN, which is a common lure for maritime recipients.

Sender: SEODONG MARITIME CO., LTD., 12, Sinhosandan 4-ro 64beon-gil, Gangseo-gu, Busan, South Korea.  Tel +82 51 971 9754-5; Fax +82 51 971 9756; E-mail sdm@sdmkorea.com.  This company is a ship brokering business.  The emails used the address sdm@sdmkorea.com together with the name of the company's CEO, John Hong.  John Hong is the real CEO of Seodong and the email address is legitimate.  He graduated from the Korea Maritime University, majoring in ship operating systems.  Mr. Hong was a deck officer with the Korea Line Corporation and has been a shipbroker since 2004.

The geo-location of the sender IP appears to be in the area of Vladivostok, Russia.  This location is approximate, not exact.

Figure 1. John Hong, CEO of Seodong Maritime

Targets: Analysis determined four (4) targeted companies, two (2) of which were maritime-related.  HMS Group Shipping Company of Hamburg, Germany, and its subsidiary in Singapore were targeted (the targeting appeared to be directed at the Singapore location).  ShipServ is a marine and supply procurement company based in London, United Kingdom.  Both these companies, if compromised, could reveal sensitive maritime financial and proprietary information.

Malware detected: Trojan.Java.GenericGB, Trojan:Win32/Azden.A!cl, W32/GenKryptik.CWAA!tr, Win32:Trojan-gen, Backdoor.Win32.Androm.qzms, VCS[Warning]/Email.Agent.1, Fareit-FMY!E61B61A95CA6, W32/Fuerbo

Table 1: Subject lines, motor vessel, type of malware sent, and sender data seen in Wapack Labs' malicious email collection from January 8, 2019, to January 15, 2019.

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
| --- | --- | --- | --- | --- |
| January 9th 2019 | REQUEST INFO :: New RFQ for MV YI CHUN 15 (OUR REF.17CF02627) | Invincea - heuristic; ESET-NOD32 - a variant of Win32/Injector.ECSD; TrendMicro - TrojanSpy.Win32.LOKI.THOAOIAI; Fortinet - W32/GenKryptik.CWAA!tr; Microsoft - Trojan:Win32/Azden.A!cl; AVG - Win32:Trojan-gen; ZoneAlarm - HEUR:Trojan.Win32.Generic | John Hong <sdm@sdmkorea.com> | No target data reported |
| January 10th 2019 | REQUEST INFO :: New RFQ for MV YI CHUN 15 (OUR REF.17CF02627) | Ikarus - Trojan.Java.GenericGB; Microsoft - Trojan:Win32/Azden.A!cl; Fortinet - W32/GenKryptik.CWAA!tr; AVG - Win32:Trojan-gen; ZoneAlarm - Backdoor.Win32.Androm.qzms; Antiy-AVL - VCS[Warning]/Email.Agent.1; McAfee - Fareit-FMY!E61B61A95CA6 | John Hong <sdm@sdmkorea.com> | hmsfeex101.hmsfe.net; hmsfareast.com; nht.ru; shipserv.com |

Figure 2.  Approximate geo-location of the receiving IPs of the malicious emails, gathered from Wapack Labs' malicious email collection.  The location is not exact.

Figure 3.  Approximate geo-location of the sender IPs of the malicious emails, gathered from Wapack Labs' malicious email collection.  The location is not exact.

The identified emails attempted to deliver malware or phishing links to compromise the two maritime companies.  Users should be wary of emails with MV YI CHUN in the subject line or from the spoofed sender identified above.  Users should never click on or download attachments or links in suspicious emails.
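One way to screen incoming mail for the indicators described in this report (the RFQ subject lure, the spoofed but legitimate sender address, and an originating mail host unrelated to that address), as an added Python example that is not part of the Wapack Labs report. The sample message, the relay host, the recipient address and the attachment name are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the report: the lure subject and the legitimate address that was spoofed.
LURE_SUBJECT = re.compile(r"RFQ\s+for\s+MV\s+YI\s+CHUN", re.IGNORECASE)
SPOOFED_SENDER = "sdm@sdmkorea.com"
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

# Constructed sample message; the hosts, recipient and attachment name are placeholders, not report data.
SAMPLE_EMAIL = """\
Received: from relay.example.net (relay.example.net [203.0.113.5])
    by mx.victim.example (Postfix); Thu, 10 Jan 2019 08:15:02 +0000
From: John Hong <sdm@sdmkorea.com>
To: procurement@victim.example
Subject: REQUEST INFO :: New RFQ for MV YI CHUN 15 (OUR REF.17CF02627)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="rfq_document.zip"

AAAA
--b1--
"""

def originating_host(msg):
    """Host named in the earliest Received header (the last one in header order), or None."""
    received = msg.get_all("Received") or []
    match = RECEIVED_FROM.match(received[-1].strip()) if received else None
    return match.group(1).lower() if match else None

def triage(raw_email):
    """Return the reasons a message matches the YI CHUN impersonation pattern (empty if none)."""
    msg = message_from_string(raw_email)
    reasons = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("subject matches the MV YI CHUN RFQ lure")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender == SPOOFED_SENDER:
        reasons.append("From address is the impersonated sender")
        host, domain = originating_host(msg), sender.split("@")[1]
        # The report's emails carried the real address but originated from an unrelated host.
        if host and host != domain and not host.endswith("." + domain):
            reasons.append(f"originating host {host} is outside {domain}")
    if any(part.get_filename() for part in msg.walk()):
        reasons.append("message carries an attachment")
    return reasons
```

Calling `triage(SAMPLE_EMAIL)` returns all four reasons; a message from the real domain's own mail host triggers only the sender match and should be reviewed rather than blocked outright.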


About Wapack Labs

Wapack Labs is located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations by offering expert-level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs' engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serves as the foundation of Wapack Labs' information reporting to the cyber-security teams of its customers and industry partners located around the world.  For questions or comments regarding this report, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.
