Transportation

Vessel Impersonation 07 03 2019

Posted by Austin Talbot on July 3, 2019 at 11:19am

3188190541?profile=RESIZE_710xWeekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation

Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver them.  Users should never click on or download any attachments or links in suspicious emails.

Significant Vessel Keys Words:

MT, M/T

merchant tanker

MV, M/V

merchant vessel

MY, M/Y

motor yacht

VLCC

very large crude carrier

ULCC

ultra large crude carrier

RV, R/V

research vessel

FPSO

floating production storage & offloading

3188196310?profile=RESIZE_710xFigure 1.Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.

3188236569?profile=RESIZE_710xFigure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection.

Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from June 26, 2019 to July 3, 2019.

 

First Seen

 

Subject Line Used

 

Malware Detections

 

Sending Email

 

Targets

June 27th, 2019

MV PANTANAL V.1215-010 - CARGO DOCUMENT

Rising - Trojan.Injector!1.AFE3 (CLOUD)

 

ESET-NOD32 - a variant of Win32/Injector.EGFO

 

Cyren  - W32/Injector.BXEM-1813

 

TrendMicro-HouseCall -TrojanSpy.Win32.LOKI.SMDD.hp  

 

VBA32 - TScope.Trojan.Delf  

 

DrWeb - Trojan.PWS.Stealer.19347

 

AVG - Win32:Trojan-gen

 

PT. GLOBAL BLUE OCEAN <operation@gbo-pct.com>

mos.com

 

findagrave.com

 

rediffmail.com

 

host232-232-177-94.static.arubacloud.fr

 

gmail.com

 

gbo-pct.com

June 27th, 2019

mv CREDO or SUB/ FATEXPRO / 3000 sup pellets

F-Prot - W32/Injector.HZT

 

TrendMicro - TrojanSpy.Win32.LOKI.SMDD.hp

 

Avast - Win32:Trojan-gen

 

Yandex - Trojan.Injector!flpz+c5fUxo

 

Ikarus - Trojan.Inject

 

Panda - Trj/GdSda.A

 

VBA32 - TScope.Trojan.Delf

 

ZoneAlarm - HEUR:Backdoor.Win32.Remcos.gen

CS Medan <cs.mdn@gianttransporter.com>

 

rediffmail.com

 

kadriluminaire.com

 

gianttransporter.com

 

ggs-dz.com

 

June 28th, 2019

M/T NEW STELLA V.1810 AT ONSAN [MOVEMENT IV]

Microsoft - Trojan:Win32/Wacatac.B!ml

 

ESET-NOD32 - a variant of Win32/GenKryptik.DLWB

 

McAfee - Fareit-FPJ!1A8CAAFF1BF3

 

MAX - malware (ai score=86)

 

FireEye - Exploit.SpamMalware-RAR.Gen

 

Fortinet - W32/Injector.EGHO!tr

 

SEWHA Shipping <3d3a7@b053a448523baee4.kr>

 

No reported targets

 

June 28th, 2019

MV AL HANI PDA LINER OUT CHARGES - AGENT APPOINTMENT LOADING

FireEye - Exploit.SpamMalware-RAR.Gen

 

Emsisoft - Exploit.SpamMalware-RAR.Gen (B)

 

GData - Exploit.SpamMalware-RAR.Gen

 

ESET-NOD32 - a variant of Win32/GenKryptik.DLWB

 

BitDefender - Exploit.SpamMalware-RAR.Gen

 

Arcabit - Exploit.SpamMalware-RAR.Gen

 

Antony Ahmed <3c40d@766e94605b8.com>

 

No reported targets

June 28th, 2019

MV SANTA MARGHERITA PORT AGENCY APPOINTMENT

McAfee - Fareit-FPJ!1A8CAAFF1BF3

 

Arcabit - Exploit.SpamMalware-RAR.Gen

 

ESET-NOD32 - a variant of Win32/Injector.EGHX

 

Fortinet - W32/Injector.EGHO!tr

 

Rising - Trojan.GenKryptik!8.AA55 (CLOUD)

 

FireEye - Exploit.SpamMalware-RAR.Gen

 

\"Opt\" <9ed08@146bb2c4904.jp>

 

No reported targets

June 28th, 2019

Port agency appointment for M/V OCEANIA

Fortinet - W32/Injector.EGHO!tr

 

ESET-NOD32 - a variant of Win32/Injector.EGHX

 

BitDefender - Exploit.SpamMalware-RAR.Gen

 

Rising - Trojan.Injector!1.B973 (CLASSIC)

 

FireEye - Exploit.SpamMalware-RAR.Gen

GData - Exploit.SpamMalware-RAR.Gen

Alvin Yew <caf9@50af87f6f74103d5c9.com>

No reported targets

June 28th, 2019

MV DA TAI V32 PDA FORMAT &  AGENCY APPOINTMENT ETA 10-11JULY

MAX - malware (ai score=87)

 

MicroWorld-eScan - VB:Trojan.Agent.DZDP

 

McAfee-GW-Edition - Exploit-CVE2017-8570.d

 

DrWeb - Exploit.Siggen.23997

 

CAT-QuickHeal - Exp.RTF.CVE-2017-8570.A

 

GData - VB:Trojan.Agent.DZDP (2x)

Cosco Shipping Co <cosco@wilhelmsen.com>

schaar-niemeyer.com.sg

 

hmsfareast.com

 

About Wapack Labs

Wapack Labs is located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

Tags: vessel impersonation, vessel impersonation 07 03 2019, mv pantanal, mv credo, mt new stella, mv al hani, mv santa margherita, mv oceania, mv da tai
E-mail me when people leave their comments –
Follow

You need to be a member of Red Sky Alliance to add comments!