Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation
Wapack Labs performs weekly queries of our backend databases to identify all new data containing "Motor Vessel (MV)" or "Motor Tanker (MT)" in the subject line of malicious emails. The MV and MT keywords in a subject line are a common lure to entice users in the maritime industry to open emails carrying malicious attachments. This weekly list covers the motor vessels that Wapack Labs directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver them, and should never click on or download attachments or links in suspicious emails.
Significant Vessel Key Words:

| Keyword | Meaning |
| --- | --- |
| MT, M/T | merchant tanker |
| MV, M/V | merchant vessel |
| MY, M/Y | motor yacht |
| VLCC | very large crude carrier |
| ULCC | ultra large crude carrier |
| RV, R/V | research vessel |
| FPSO | floating production storage & offloading |
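As an added illustration (not part of the Wapack Labs report or its tooling), the following Python routine applies the keyword list above to email subject lines the way a mail-filter or SIEM enrichment rule might: it matches the abbreviations as whole words, accepts the "/" and "." separators that appear in the Table 1 subjects (M/V, M.V), and returns the vessel type for each hit. The sample subject lines are taken from Table 1 of this report; the two benign subjects are constructed. Matching is deliberately case-sensitive, because "my" in lower case is an ordinary English word; a hit marks a message for closer inspection, it is not a malware verdict.

```python
import re

# Vessel-type abbreviations and meanings from the report's keyword list,
# keyed by the abbreviation with any "/" or "." separator removed.
VESSEL_KEYWORDS = {
    "MT": "merchant tanker",
    "MV": "merchant vessel",
    "MY": "motor yacht",
    "VLCC": "very large crude carrier",
    "ULCC": "ultra large crude carrier",
    "RV": "research vessel",
    "FPSO": "floating production storage & offloading",
}

# Whole-word match of the two-letter prefixes with an optional "/" or "."
# separator (MV, M/V, M.V, ...) and of the four-letter acronyms. Kept
# case-sensitive on purpose: lower-case "my" is an English word, not a hull prefix.
_VESSEL_RE = re.compile(r"\b(M[./]?[TVY]|R[./]?V|VLCC|ULCC|FPSO)\b")


def vessel_keywords(subject):
    """Return a list of (matched_text, abbreviation, meaning) for each vessel
    keyword found in an email subject line; an empty list when there is none."""
    hits = []
    for match in _VESSEL_RE.finditer(subject):
        token = match.group(1)
        abbrev = token.replace("/", "").replace(".", "")
        hits.append((token, abbrev, VESSEL_KEYWORDS[abbrev]))
    return hits


def flag_subjects(subjects):
    """Return [(subject, hits)] for the subjects that carry a vessel keyword,
    the shape a triage queue or SIEM enrichment step would consume."""
    flagged = []
    for subject in subjects:
        hits = vessel_keywords(subject)
        if hits:
            flagged.append((subject, hits))
    return flagged


# Subject lines quoted from Table 1 of this report (May 2019).
REPORT_SUBJECTS = [
    "MV. GERTRUDIS / SEA NET - AGENT NOMINATION",
    "MV Albatross // DA Request",
    "URGENT PDA REQUEST FOR M.V KWANGYANG",
    "MV EDELWEISS",
    "M/V BCC CONGO - Port Agency Appointment",
    "MT Richmond - Agency appoinment loading operations and PDA Request.",
    "MT PAVINO / Load Port PD/A Crude Benzene + Bunker Request",
    "MV SEIYO HONOR // APPOINTMENT",
    "PROFORMA REQUEST FOR MV MORYAK",
]

# Constructed benign subjects (not from the report) to show ordinary mail does not match.
BENIGN_SUBJECTS = [
    "Invoice 4471 attached",
    "Please send my timesheet by Friday",
]

if __name__ == "__main__":
    for subject, hits in flag_subjects(REPORT_SUBJECTS + BENIGN_SUBJECTS):
        types = ", ".join(f"{token} ({meaning})" for token, _, meaning in hits)
        print(f"FLAG  {subject!r}: {types}")
```

Run stand-alone, the script flags all nine Table 1 subjects and neither benign line. In a mail pipeline the hit would be combined with the other columns of Table 1 (sender address, attachment detections) before anything is blocked; the keyword alone only narrows the set of messages worth a closer look.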
Figure 1. Geo-location of receiving IPs of the malicious emails. Locations are approximate, derived from the receiving IP recorded in Wapack Labs' malicious email collection.
Figure 2. Geo-location of sender IPs of the malicious emails. Locations are approximate, derived from the sender IP recorded in Wapack Labs' malicious email collection.
Table 1: Subject lines, impersonated motor vessels, malware detections and sender data seen in Wapack Labs' malicious email collection from May 4, 2019 to May 28, 2019.
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
| --- | --- | --- | --- | --- |
| May 14th, 2019 | MV. GERTRUDIS / SEA NET - AGENT NOMINATION | Kaspersky - HEUR:Trojan-Downloader.Script.Generic; ESET-NOD32 - VBS/TrojanDownloader.Agent.RHB; Tencent - Exp.MSOffice.CVE-2017-8570.a; ZoneAlarm - HEUR:Trojan-Downloader.Script.Generic; BitDefender - VB:Trojan.VBA.Agent.APW; GData - VB:Trojan.VBA.Agent.APW,M | SEANET <seanet@seanetshipping.co.kr> | schaar-niemeyer.com.sg |
| May 14th, 2019 | MV Albatross // DA Request | Kaspersky - HEUR:Trojan-Downloader.Script.Generic; BitDefender - VB:Trojan.VBA.Agent; FireEye - VB:Trojan.VBA.Agent.APW; GData - VB:Trojan.VBA.Agent.APW; ZoneAlarm - HEUR:Exploit | EMO Trans China <8a7d7@1c1741d900e4.cn> | b706c7c7d38.com |
| May 14th, 2019 | URGENT PDA REQUEST FOR M.V KWANGYANG | TrendMicro-HouseCall - TrojanSpy.Win32.LOKI.SMD1.hp; Sophos - Mal/Fareit-Q; Panda - Trj/Genetic.gen; Emsisoft - Gen:Variant.Ulise.36630 (B); Avira - TR/Agent.agqe; TrendMicro - TrojanSpy.Win32.LOKI.SMD1.hp; ZoneAlarm - HEUR:Backdoor.Win32.Remcos.gen | UNIMARIN-OSMAN ASLAN <unimarin@unimarin.com> | smpcindia.com, kraeber.de, vanessa.inwise.de, unimarin.com |
| May 15th, 2019 | MV EDELWEISS | Rising - Exploit.CVE-2017-11882!1.B31E (CLASSIC); AhnLab-V3 - OLE/Cve-2017-11882.Gen; DrWeb - W97M.DownLoader.2938; Antiy-AVL - Trojan[Exploit]/OLE.CVE-2017-11882; AVG - Win32:ShellCode [Expl]; F-Secure - Exploit.EXP/CVE-2017-11882.Gen | Atiq Ahmed Siddiqui <atiq@scangulf.com> | mi6-p00-ob.smtp.rzone.de, mailin.rzone.de, schreibweb.info, fannis.com, rodnig.com, smtp.rzone.de, smtpin.rzone.de, isp2host.hostnow.ro |
| May 16th, 2019 | M/V BCC CONGO - Port Agency Appointment | TrendMicro-HouseCall - Possible_SMCVE201711882YY1; NANO-Antivirus - Exploit.Rtf.Heuristic-rtf.dinbqn; TrendMicro - HEUR_RTFMALFORM; BitDefender - Trojan.Agent.DWSX | Gultekin OZTURK <ba19a09a68@ef648ba6a.it> | No reported sender |
| May 17th, 2019 | MT Richmond - Agency appoinment loading operations and PDA Request. | Sophos - Troj/DocDl-TRF; Fortinet - VBA/Agent.DQG!tr.dldr; Kaspersky - HEUR:Trojan-Downloader.MSOffice.SLoad.gen; Avast - SNH:Script [Dropper]; AVG - SNH:Scri | Empire Chemical Tanker Holdings Inc <27d1b8e@a4ec798069f.tr> | 30718da8.eg |
| May 21st, 2019 | MT PAVINO / Load Port PD/A Crude Benzene + Bunker Request | Kaspersky - HEUR:Backdoor.Java.QRat.gen; Cyren - Trojan.AIPG-2; Emsisoft - Trojan.GenericKD.41305332 (B); AVG - Java:Malware-gen [Trj]; MAX - malware (ai score=89); Avast - Java:Malware-gen [Trj]; ZoneAlarm - HEUR:Backdoor.Java.QRat.gen | DaLian Sky Ocean Int'l Shipping agency Co.,Ltd <deloach@bkennedy.gq> | bell.com, igroupny.com, smtp1.quincannon.com, host227-212-36-89.static.arubacloud.fr, bkennedy.gq |
| May 22nd, 2019 | MV SEIYO HONOR // APPOINTMENT | McAfee - Exploit-CVE2017-8570.d; Kaspersky - HEUR:Trojan-Downloader.Script.Generic; CAT-QuickHeal - Exp.RTF.CVE-2017-8570.A; Rising - Exploit.CVE-2017-8570!1.AFC6 (CLASSIC); Microsoft - Trojan:Win32/Sonbokli.A!cl; Ikarus | ops2 <ops2@hengxinshipping.com> | schaar-niemeyer.com.sg |
| May 23rd, 2019 | PROFORMA REQUEST FOR MV MORYAK | TrendMicro - HEUR_RTFMALFORM; Kaspersky - HEUR:Trojan-Downloader.Script.Generic; Microsoft - Trojan:Win32/Sonbokli.A!cl; CAT-QuickHeal - Exp.RTF.CVE-2017-8570.A; NANO-Antivirus - Exploit.Rtf.Heuristic | Alina Kim <b33ae@867ab900b.com> | yamatoamerica.com, ytgwprag02.gw.yamato-grp.com, ldc2632.aus.us.siteprotect.com, e01b233cc3d1cc0e5795fe8fcb.com |
About Wapack Labs
Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations by offering expert-level targeted intelligence analysis that answers some of the hardest questions in cyber. Wapack Labs' engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serves as the foundation of Wapack Labs' reporting to the cyber-security teams of its customers and industry partners around the world. For questions or comments regarding this report, please contact the lab directly by phone at 1-844-492-7225 or by email at feedback@wapacklabs.com.