Vessel Impersonation 03 12 2019

Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver them.  Users should never click on or download any attachments or links in suspicious emails.

Significant Vessel Keys Words:

MT, M/T

merchant tanker

MV, M/V

merchant vessel

MY, M/Y

motor yacht

VLCC

very large crude carrier

ULCC

ultra large crude carrier

RV, R/V

research vessel

FPSO

floating production storage & offloading

Figure 1.  Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.

Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection.

Table 1 below: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from March 5, 2019 to March 12, 2019.

 

First Seen

 

Subject Line Used

 

Malware Detections

 

Sending Email

 

Targets

March 6th 2019

VSL: MV Glory Sea

Ad-Aware - Trojan.GenericKD.41071394

 Avast - Win32:Malware-gen

 Arcabit - Trojan.Generic.D272B322

 AVG - Win32:Malware-gen

 Qihoo-360 - susp.rtf.objupdate.gen

 Kaspersky - HEUR:Exploit.MSOffice.Generic

 Avira - W97M/Abnormal.vvvng

 

PT INTER ORIENT LOGISTICS <bali.sales2@eml-net.com>

hk2apc01ft003.eop-apc01.prod.protection.outlook.com

 sg2pr06ca0165.apcprd06.prod.outlook.com

 hk2apc01ft003.mail.protection.outlook.com

 apc01-hk2-obe.outbound.protection.outlook.com

 sg2apc01ft041.eop-apc01.prod.protection.outlook.com

 sg2apc01ft024.mail.pro

March 6th 2019

Request for Quotation-MV DAE WON

 

Ikarus - Trojan-Downloader.VBA.Agent

 ESET-NOD32 - VBA/TrojanDownloader.Agent.MYV

 Fortinet - VBA/Agent.DPFP!tr.dldr

 GData - VB:Trojan.Agent.DQUZ

 Avira - TR/Dldr.Script.jdntx

 Emsisoft - VB:Trojan.Agent.DQUZ (B)

 Ad-Aware - VB:Trojan.Agent.DQUZ

Prima Marine Public Company Limited <shipping@primamarine.co.th>

primamarine.co.th

 spin.electroputere.ro

 electroputere.ro

 zenith.infortelecomhosting.com

March 6th 2019

MV OCEAN WAVE 9 - BUNKER INVOICE

 

Kaspersky - HEUR:Exploit.MSOffice.Generic

 Avira - W97M/Abnormal.olerf

 Rising - Trojan.Kryptik!8.8/N3#88% (RDM+:cmRtazqprUoNkVIfCVpmhel3e3ZQ)

 MicroWorld-eScan - Exploit.CVE-2018-0802.Gen

 TrendMicro-HouseCall - TROJ_FRS.0NC106C619

 

G-WORLDLINE <kwl@G-worldline.com>

 

g-worldline.com

 barsyl.in

 airlive.com

 

March 7th 2019

Fwd: MV HTK NEPTUNE

 

McAfee - Exploit-CVE2017-11882.aj

 F-Secure -Malware.W97M/Abnormal.dkaaw

 Kaspersky -HEUR:Exploit.MSOffice.Generic

 Sophos - Troj/RtfExp-EV

 GData - Exploit.CVE-2018-0802.Gen

 DrWeb - Trojan.PWS.Stealer.25784

 Avira - W97M/Abnormal.dkaaw

Missiouriov Maxim <MMissiouriov@toyotatt.ru>

bc-exch-cas1.int.businesscar.ru

 toyotatt.ru

 cosco-ogs.com

 business-car.ru

 

March 7th 2019

Fwd: MV HTK NEPTUNE

malware (ai score=88) - MAX,

 HEUR:Exploit.MSOffice.Generic - Kaspersky,

 Exploit.CVE-2018-0802.Gen - MicroWorld-eScan,

 Mal_HPGen-37b - TrendMicro-HouseCall,

 a variant of DOC/Abnormal.H - ESET-NOD32,

 Exploit.CVE-2018-0802.Gen - GData,

 RTF/Agent - AhnLab-V3,

Postverteiler <pm@hoffmanneitle.com>

hoffmanneitle.com

 

March 7th 2019

MT OCEAN STAR ISO 8217 2005

 

BitDefender -Gen:Variant.Razy.474858

 Fortinet - W32/GenKryptik.DBTA!tr

MAX - malware (ai score=84)

 Invincea - heuristic

 DrWeb - Trojan.PWS.Stealer.23680

 VBA32 - BScope.Trojan.VBKryjetor

 AegisLab -Trojan.Win32.Generic.4!c

George, America ship.,co <george.ogn@amshipco.com>

 

About Wapack Labs

Wapack Labs, located in New Boston, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations.  For questions or comments regarding this report, please contact the lab directly by at 1-844-492-7225, or feedback@wapacklabs.com

You need to be a member of Red Sky Alliance to add comments!