Transportation

Weekly 2018 Motor Vessel (MV) & Motor Tanker (MT) Impersonation

Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver them.  Users should never click on or download any attachments or links in suspicious emails.

Significant Vessel Keys Words:

MT, M/T

merchant tanker

MV, M/V

merchant vessel

MY, M/Y

motor yacht

VLCC

very large crude carrier

ULCC

ultra large crude carrier

RV, R/V

research vessel

FPSO

floating production storage & offloading

 

Figure 1.  Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.

Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection.

Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from January 15, 2019 to January 22, 2019.

 

First Seen

 

Subject Line Used

 

Malware Detections

 

Sending Email

 

Targets

January 23rd 2019

MV VICTORIA. disch abt 7500 mt of wheat in bulk (Agency nomination)

Avast - Win32:Malware-gen

 

GData - Trojan.Agent.DNJX

 

MAX - malware (ai score=80)

 

Arcabit - Trojan.Agent.DNJX

 

Backdoor.Win32.Androm.qztg - Kaspersky,

 

NANO-Antivirus -Trojan.Win32.Stealer.fmccvx

 

MicroWorld-eScan -Trojan.Agent.DNJX

 

Capt.Eduard Chepurnoy <chepurnoy@profyshipmanagement.com>

 

insynergyindia.com

 

profyshipmanagement.com

 

gmail.com

 

crcvmail33.nm.naver.com


January 23rd 2019

 


[Ceci est un spam?] MV YIANNIS TO DISCHARGE 50,000MT OF Hot

 

Kaspersky -Backdoor.Win32.Androm.ralq

 

Antiy-AVL -VCS[Warning]/Email.Agent.1

 

DrWeb - Trojan.PWS.Stealer.23680

 

Avast - Win32:Trojan-gen

 

Microsoft -Trojan:Win32/Sonbokli.A!cl

 

ZoneAlarm -Backdoor.Win32.Androm.ralq

Glory Marine Services <account07@qetour.com>

smte.diplomatie.gouv.fr

 

smtp-inet.proxy.diplomatie.gouv.fr

 

qetour.com

 

slu01ex00001.slu01.diplomatie.gouv.fr

 

slu01ex00001.diplomatie.gouv.fr

 

az011mx01c13.diplomatie.gouv.fr

 

diplomatie.gouv.fr

 

gateway.goholidaytour.com

 

az001av01934.diplomatie.gouv.fr

January 23rd 2019

Re: MV. TBN - PDA FOR LOADING ABOUT 55/57, 000 MT COAL IN BULK OUT OF SAMARINDA

 TSPY_HPLOKI.SMBD - TrendMicro

 

Win32.Outbreak - Ikarus

 

Sophos Mal/Fareit-Q

 

AhnLab-V3 –

Win-Trojan/Delphiless.Exp

 

ZoneAlarm -HEUR:Trojan.Win32.Generic

 

Kaspersky -HEUR:Trojan.Win32.Generic

 

OPS - 1 <admin@webserviceupdate.cf>

hmsfareast.com

January 23rd 2019

MV Tianjin Highway - request for quotation for Docking Repair

 

Arcabit - Trojan.Zmutzy.804

 

Ikarus - Win32.SuspectCrc

 

Avast - Win32:Malware-gen

 

Fortinet - W32/Injector.EDAC!tr

 

BitDefender -Trojan.GenericKD.31564343

 

Antiy-AVL - VCS[Warning]/Email.Agent.1

 

Rising - Trojan.Injector!1.B459 (CLASSIC)

KRBS Yanagida Hiroshi <yanagda.hiroshi@krbs.jp>


mail.zelda.com

 

kraeber.de

 

zelda.com

 

vanessa.inwise.de

 

krbs.jp

 

January 24th 2019

MV ASIAN TRIUMPH IMO 9474668

Kaspersky - HEUR:Exploit.MSOffice.Generic

 

TrendMicro - HouseCall - Mal_HPGen-37b

 

Qihoo-360 - virus.exp.21711882.b

 

Antiy-AVL - Trojan[Exploit]/RTF.CVE-2017-11882

Vanbloom Shipping Limited <elainezuo@vanbloomship.com>

cdex01.cidoshipping.com

 

vanbloomship.com

 

jennifer.com

 

torai9.com

 

cdex02.cidoshipping.com

 

spam.cidoship.com

January 24th 2019

Re: MV. TBN - PDA FOR LOADING ABOUT 55/57, 000 MT COAL IN BULK OUT

AVG - Win32:Malware-gen

 

BitDefender - Trojan.GenericKD.40977705

 

Kaspersky - HEUR:Trojan.Win32.Kryptik.gen

 

F-Secure - Trojan.GenericKD.40977705

 

Avast - Win32:Malware-gen

 

MicroWorld-eScan - Trojan.GenericKD.40977705

OPS - 1 <admin@webserviceupdate.cf>

 

we0.webserviceupdate.cf

 

hmsfeex101.hmsfe.net

 

hmsfareast.com

 

yahoo.co.id

 

gmail.com

January 24th 2019

MV ICE RIVER - VOY 201901 / OUR PFDA /

Rising - Exploit.CVE-2017-11882/SLT!1.AEE3 (CLASSIC)

 

TrendMicro - Trojan.W97M.CVE201711882.SMAL02

 

NANO-Antivirus - Exploit.OleNative.CVE-2017-11882.evenbv

 

Ad-Aware - Exploit.CVE-2017-11882.Gen

 

Ikarus - PWS.HTML.Phish

 

Cyren - CVE-2017-11882!Camelot

Maestro Reefers <reefer@maestroshipping.com>

 


comaco-italy.com

 

hmsfeex101.hmsfe.net

 

hmsfareast.com

 

medmaritimebrokers.com

 

maestroshipping.com

 

January 24th 2019

MV WAF PASSION / Port Agency Appointment

 

AVG - Win32:Malware-gen

 

Antiy-AVL - Trojan[Exploit]/RTF.CVE-2017-11882

 

ZoneAlarm - HEUR:Exploit.MSOffice.CVE-2018-0802.gen

 

Ikarus - Win32.Outbreak

 

Avast - Win32:Malware-gen

 

Qihoo-360 - virus.exp.21711882.b

Jisung Shipping Co., Ltd (Shanghai Office)

<mabongshangha@mabong.co.kr>

ngay21.com

 

ykk.co.kr

 

mx1.ykk.co.kr

 

mabong.co.kr

 

fussel.com.cn

 

joseph.com

 

bnkorg01.ykk.co.kr

January 24th 2019

MV \"Alentejo\" TO DISCHARGE 50,000MT OF Hot Briquettted Iron (HBI)

ZoneAlarm - Backdoor.Win32.Androm.rahj

 

AVG - Win32:Malware-gen,Fortinet - W32/Fareit.L!tr.pws

 

GData - Trojan.GenericKD.31549065

 

NANO-Antivirus - Trojan.Win32.Stealer.fminkg

 

Emsisoft - Trojan.GenericKD.31549065 (B)

GLOBAL ALLIANCE SHIPPING <TANKER@GASHlP.COM>

 

gashlp.com

 

leopardscourier.com

 

rcm.it

 

macroclean.it

 

gaship.com

 

zimbra.rcm.it

About Wapack Labs

Wapack Labs, located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.  For questions or comments regarding this report, please contact the lab directly by at 1-844-492-7225, or feedback@wapacklabs.com.