Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation
Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver them. Users should never click on or download any attachments or links in suspicious emails.
Significant Vessel Keys Words:
MT, M/T | merchant tanker |
MV, M/V | merchant vessel |
MY, M/Y | motor yacht |
VLCC | very large crude carrier |
ULCC | ultra large crude carrier |
RV, R/V | research vessel |
FPSO | floating production storage & offloading |
Figure 1.Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.
Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection.
Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from August 5, 2019 to August 18, 2019.
First Seen |
Subject Line Used |
Malware Detections |
Sending Email |
Targets |
August 5th 2019 | RE: M.V. GLORY WISDOM discharging about 1,000mt of H-BEAM in Batam, | Ikarus - Trojan-Ransom.GandCrab
VBA32 - BScope.TrojanRansom.Crusis
McAfee - Artemis!A3BD4117C10C
F-Secure - Trojan.TR/AD.Fareit.eaibe
Avira - TR/AD.Fareit.eaibe | Glory Navigation Co., Ltd. <sinclair@drylnewby.ga> | gloryship.com
huter.com
drylnewby.ga
|
August 6th 2019 | Spare parts Inquiry for MV American Bulker | Arcabit - Exploit.CVE-2017-11882.Gen,
Emsisoft - Exploit.CVE-2017-11882.Gen (B),
BitDefender - Exploit.CVE-2017-11882.Gen,
MAX - malware (ai score=84),
Kaspersky - HEUR:Exploit.MSOffice.Generic,
ZoneAlarm - HEUR:Exploit.MSOffice.Generic, | C/E Ranel G. Mendoza <9ed08@425426c224fe0c.ph> | 049b.com
425426c224fe0c.ph
|
August 8th 2019 | MV. TRITON SWAN - AGENCY APPOINTMENT LETTER | DrWeb - JS.DownLoader.1225
Sophos - Mal/DrodZp-A
NANO-Antivirus - Trojan.Script.Heuristic | Operation <7cd421d@b6d8485888f3.net> | 30718da8.eg |
August 8th 2019 | MV OCEAN PASSION / Port Agency Appointment | Ikarus,- Trojan.Crypter
Microsoft - Trojan:Script/Oneeva.A!ml
McAfee - Artemis!2DC85E54AABC
Sophos - Mal/RarMal-C
Rising - Trojan.Generic | Jisung Shipping Co., Ltd <bkc@fussel.com.cn> | danielle.gq
mabong.co.kr
poin.com |
August 11th 2019 | MV DA TONG YUN VOY 40 AGENT APPOINTMEN | Cyren - CVE-2017-11882.C.gen!Camelot
Emsisoft - Exploit.CVE-2017-11882.Gen (B)
TrendMicro-HouseCall - TROJ_CVE20171182.SM
Zoner - Probably W97NativeOnly,Avira - EXP/CVE-2017-11882.Gen
F-Secure - Exploit.EXP/CVE-2017-11882.Gen
Baidu - Win32.Exploit.CVE-20 | Liu Huisheng(COSCO SHIPPING CARRIER LTD) <ab735@5d4e13.com> | 30718da8.eg |
August 12th 2019 | MV. TRITON SWAN - AGENCY APPOINTMENT LETTER | DrWeb - JS.DownLoader.1225
Cyren - Trojan.BMJI-8
ESET-NOD32 - JS/TrojanDownloader.Agent.TTC
ZoneAlarm - HEUR:Trojan.Script.Alien.gen
Antivirus - Trojan.Script.Heuristic-js.iacgm - NANO
McAfee - Artemis!30078163224E | Operation <7cd421d@b6d8485888f3.net> | b6d8485888f3.net
963212c1fc.com |
About Wapack Labs
Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Comments