Vessel Impersonation 07 26 2019

3386844720?profile=RESIZE_710xWeekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation

Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver them.  Users should never click on or download any attachments or links in suspicious emails.

Significant Vessel Keys Words:

MT, M/T

merchant tanker

MV, M/V

merchant vessel

MY, M/Y

motor yacht

VLCC

very large crude carrier

ULCC

ultra large crude carrier

RV, R/V

research vessel

FPSO

floating production storage & offloading

3386838036?profile=RESIZE_710xFigure 1.Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.

3386834242?profile=RESIZE_710xFigure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection.

Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from July 17, 2019 to July 26, 2019.

 

First Seen

 

Subject Line Used

 

Malware Detections

 

Sending Email

 

Targets

July 18th 2019

RE: MV BOW TRIDENT - BUNKER ORDER - BTRT19-157

Fortinet - MSIL/Kryptik.SFX!tr

 

ESET-NOD32 - a variant of MSIL/Kryptik.SFX

 

GData - Exploit.SpamMalware-ZIP.Gen

 

F-Prot - W32/Trojan.SW.gen!Eldorado

 

McAfee - Artemis!EE2A5EFFB3B5

 

Microsoft - Trojan:Win32/Wacatac.B!ml

 

MicroWorld-eScan - Trojan.Zmutzy.802

 

Odfjell Management AS <purch.bow.trident@odfjell.com>

hmsfeex101.hmsfe.net

 

hmsfareast.com

 

odfjell.com

 

altub-dz.com

July 19th 2019

M.V. MURPHYLEE CTM REQUEST ETA 24th JULY. 2018

GData - Gen:Trojan.Heur.VP2.hn2@aGq7Naki

 

Panda - Trj/GdSda.A

 

Emsisoft - Gen:Trojan.Heur.VP2.hn2@aGq7Naki (B)  

 

BitDefender - Gen:Trojan.Heur.VP2.hn2@aGq7Naki

 

Sophos - Mal/FareitVB-N

 

Rising - Trojan.Injector!1.B459 (CLASSIC)

Cyrus Chan

<51@bb81e55.hk>

No reported targets

July 19th 2019

MV TBN CALL PORT FOR LOADING COAL

Avast - Win32:CrypterX-gen [Trj]

 

Sophos - Mal/FareitVB-N

 

MicroWorld-eScan - Gen:Trojan.Heur.VP2.hn2@aGq7Naki

 

Rising - Trojan.Injector!1.B459 (CLASSIC)

 

Arcabit - Trojan.Heur.VP2.E82EB0

 

AVG - Win32:CrypterX-gen [Trj]

 

McAfee - Fareit-FPN!CEC7D9D9CD5C

 

4c12@8b1a8c484586.kr <4c12@8b1a8c484586.kr>

 

No reported targets

July 19th 2019

MT Richmond - Agency appoinment loading operations and PDA Request

MicroWorld-eScan - Gen:Trojan.Heur.VP2.hn2@aGq7Naki

 

Arcabit - Trojan.Heur.VP2.E82EB0

 

Emsisoft - Gen:Trojan.Heur.VP2.hn2@aGq7Naki (B)

 

BitDefender - Gen:Trojan.Heur.VP2.hn2@aGq7Naki

 

Sophos - Mal/FareitVB-N

 

Raddatz, Marc <37875f719e78@8072b78c79.com>

 

No reported targets

About Wapack Labs

Wapack Labs is located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

You need to be a member of Red Sky Alliance to add comments!