Vessel Impersonation 05 28 2019

Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation

Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver them.  Users should never click on or download any attachments or links in suspicious emails.

Significant Vessel Keys Words:

MT, M/T

merchant tanker

MV, M/V

merchant vessel

MY, M/Y

motor yacht

VLCC

very large crude carrier

ULCC

ultra large crude carrier

RV, R/V

research vessel

FPSO

floating production storage & offloading

Figure 1.  Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.

Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection.

Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from May 4, 2019 to May 28, 2019.

 

First Seen

 

Subject Line Used

 

Malware Detections

 

Sending Email

 

Targets

May 14th, 2019

MV. GERTRUDIS / SEA NET - AGENT NOMINATION

Kaspersky - HEUR:Trojan-Downloader.Script.Generic

 

ESET-NOD32 - VBS/TrojanDownloader.Agent.RHB,Tencent - Exp.MSOffice.CVE-2017-8570.a

 

ZoneAlarm - HEUR:Trojan-Downloader.Script.Generic

 

BitDefender - VB:Trojan.VBA.Agent.APW

 

GData - VB:Trojan.VBA.Agent.APW,M

SEANET <seanet@seanetshipping.co.kr>

schaar-niemeyer.com.sg

 

May 14th, 2019

MV Albatross // DA Request

Kaspersky - HEUR:Trojan-Downloader.Script.Generic

 

BitDefender - VB:Trojan.VBA.Agent

 

FireEye - VB:Trojan.VBA.Agent.APW

 

GData - VB:Trojan.VBA.Agent.APW

 

ZoneAlarm - HEUR:Exploit

EMO Trans China

<8a7d7@1c1741d900e4.cn>

 

b706c7c7d38.com

May 14th, 2019

URGENT PDA REQUEST FOR M.V KWANGYANG

TrendMicro-HouseCall - TrojanSpy.Win32.LOKI.SMD1.hp,

 

Sophos - Mal/Fareit-Q,Panda - Trj/Genetic.gen,

 

Emsisoft - Gen:Variant.Ulise.36630 (B),

 

Avira - TR/Agent.agqe,

 

TrendMicro - TrojanSpy.Win32.LOKI.SMD1.hp,

 

ZoneAlarm - HEUR:Backdoor.Win32.Remcos.gen

UNIMARIN-OSMAN ASLAN <unimarin@unimarin.com>

smpcindia.com,kraeber.de

 

vanessa.inwise.de

 

unimarin.com

May 15th, 2019

MV EDELWEISS

Rising - Exploit.CVE-2017-11882!1.B31E (CLASSIC)

 

AhnLab-V3 - OLE/Cve-2017-11882.Gen

 

DrWeb - W97M.DownLoader.2938

 

Antiy-AVL - Trojan[Exploit]/OLE.CVE-2017-11882

 

AVG - Win32:ShellCode [Expl]

 

F-Secure - Exploit.EXP/CVE-2017-11882.Gen

Atiq Ahmed Siddiqui

<atiq@scangulf.com>

mi6-p00-ob.smtp.rzone.de

 

mailin.rzone.de

 

schreibweb.info,

 

fannis.com,rodnig.com,smtp.rzone.de

 

smtpin.rzone.de,isp2host.hostnow.ro

May 16th, 2019

M/V BCC CONGO - Port Agency Appointment

TrendMicro-HouseCall - Possible_SMCVE201711882YY1

 

NANO-Antivirus -

Exploit.Rtf.Heuristic-rtf.dinbqn

 

TrendMicro - HEUR_RTFMALFORM

 

BitDefender - Trojan.Agent.DWSX

Gultekin OZTURK <ba19a09a68@ef648ba6a.it>

No reported sender

May 17th, 2019

MT Richmond - Agency appoinment loading operations and PDA Request.

Sophos - Troj/DocDl-TRF

 

Fortinet - VBA/Agent.DQG!tr.dldr,

 

Kaspersky - HEUR:Trojan-Downloader.MSOffice.SLoad.gen,

 

Avast - SNH:Script [Dropper],AVG - SNH:Scri

Empire Chemical Tanker Holdings Inc

<27d1b8e@a4ec798069f.tr>

30718da8.eg

May 21st, 2019

MT PAVINO / Load Port PD/A Crude Benzene + Bunker Request

HEUR:Backdoor.Java.QRat.gen - Kaspersky

 

Trojan.AIPG-2 - Cyren

 

Trojan.GenericKD.41305332 (B) - Emsisoft

 

Java:Malware-gen [Trj] - AVG

 

malware (ai score=89) - MAX

 

Java:Malware-gen [Trj] - Avast

 

HEUR:Backdoor.Java.QRat.gen - ZoneAlarm

DaLian Sky Ocean Int\'l Shipping agency Co.,Ltd

<deloach@bkennedy.gq>

bell.com,igroupny.com

 

smtp1.quincannon.com

 

host227-212-36-89.static.arubacloud.fr

 

bkennedy.gq

May 22nd, 2019

MV SEIYO HONOR // APPOINTMENT

McAfee - Exploit-CVE2017-8570.d

 

Kaspersky - HEUR:Trojan-Downloader.Script.Generic

 

CAT-QuickHeal - Exp.RTF.CVE-2017-8570.A

 

Rising - Exploit.CVE-2017-8570!1.AFC6 (CLASSIC)

 

Microsoft - Trojan:Win32/Sonbokli.A!cl,Ikarus

ops2 <ops2@hengxinshipping.com>

schaar-niemeyer.com.sg

May 23rd, 2019

PROFORMA REQUEST FOR MV MORYAK

TrendMicro - HEUR_RTFMALFORM

 

Kaspersky - HEUR:Trojan-Downloader.Script.Generic

 

Microsoft - Trojan:Win32/Sonbokli.A!cl,

 

CAT-QuickHeal - Exp.RTF.CVE-2017-8570.A

 

NANO-Antivirus - Exploit.Rtf.Heuristic

Alina Kim <b33ae@867ab900b.com>

yamatoamerica.com,

 

ytgwprag02.gw.yamato-grp.com

 

ldc2632.aus.us.siteprotect.com

 e01b233cc3d1cc0e5795fe8fcb.com

About Wapack Labs

Wapack Labs, located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual corporations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.  For questions or comments regarding this report, please contact the lab directly by at 1-844-492-7225, or feedback@wapacklabs.com.

You need to be a member of Red Sky Alliance to add comments!