Vessel Impersonation 09 07 2019

Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation

Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Using Motor Vessel (MV) or Motor Tanker (MT) keywords in the email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments. This weekly list covers the vessels Wapack Labs directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver them, and should never click on or download any attachments or links in suspicious emails.

Significant Vessel Key Words:

MT, M/T - merchant tanker
MV, M/V - merchant vessel
MY, M/Y - motor yacht
VLCC - very large crude carrier
ULCC - ultra large crude carrier
RV, R/V - research vessel
FPSO - floating production storage & offloading
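The weekly keyword query described above, written out as an added example; this is not Wapack Labs code. The prefix list is taken from the key-word table, while the regular expressions, the vessel-name extraction and the sample set (subject lines and senders copied from Table 1 below, plus two benign lines constructed here) are this example's own assumptions.

```python
"""Flag e-mail subjects that use a vessel-prefix lure (MT, M/V, VLCC ...).

Added illustration of the keyword query the report describes; this is not
Wapack Labs code.  The prefix list comes from the report's key-word table;
the regex details and the sample data below are this example's own.
"""
import re
from email.utils import parseaddr

# Prefix -> expansion, as listed in the report.
VESSEL_PREFIXES = {
    "MT": "merchant tanker",
    "MV": "merchant vessel",
    "MY": "motor yacht",
    "RV": "research vessel",
    "VLCC": "very large crude carrier",
    "ULCC": "ultra large crude carrier",
    "FPSO": "floating production storage & offloading",
}

# The short prefixes show up as MT, M/T, M.T., Mt. or mv, so accept an optional
# separator and ignore case.  The lookbehind/lookahead keep the pattern from
# firing inside ordinary words such as "ARRIVAL" or "10,000mt".
PREFIX_RE = re.compile(
    r"(?<![A-Z0-9])(?P<prefix>M[./]?[TVY]|R[./]?V|VLCC|ULCC|FPSO)\.?(?![A-Z0-9])",
    re.IGNORECASE,
)

# Best-effort vessel name: the text after the prefix up to a separator, a
# voyage token (V.100392, V-250E, Voy. 09) or an ordinal date (20th).
NAME_RE = re.compile(
    r"^[\s:.]*(?P<name>[A-Z0-9][A-Z0-9 .'-]*?)"
    r"(?=\s*(?:[-/(),|:]|V[-.]?\s*\d|VOY\b|\d{1,2}(?:ST|ND|RD|TH)\b|$))",
    re.IGNORECASE,
)


def find_vessel_lure(subject):
    """Return (prefix, expansion, vessel name) for the first lure hit, else None."""
    m = PREFIX_RE.search(subject)
    if m is None:
        return None
    key = re.sub(r"[./]", "", m.group("prefix")).upper()
    n = NAME_RE.match(subject[m.end():])
    name = n.group("name").strip() if n else ""
    return key, VESSEL_PREFIXES[key], name


def sender_domain(from_header):
    """Display name and the domain of the address that actually sent the mail."""
    display, addr = parseaddr(from_header)
    return display, addr.rpartition("@")[2].lower()


def triage(subject, from_header):
    """One finding per lure hit: what was impersonated and who sent it."""
    hit = find_vessel_lure(subject)
    if hit is None:
        return None
    prefix, meaning, vessel = hit
    display, domain = sender_domain(from_header)
    return {"prefix": prefix, "meaning": meaning, "vessel": vessel,
            "display_name": display, "sender_domain": domain}


# Constructed sample set: the first ten pairs are copied from Table 1 of the
# report (one display name quoted so its comma parses); the last two are
# benign lines made up here to show a clean miss and a noisy "MY" hit.
SAMPLES = [
    ("RE: PRE-ARRIVAL DOCS AT YOSU(MT. BOW ASIA)", "Bow Asia <Bow.Asia@thomefleet.net>"),
    ("FW: MV. CMA CGM Verdi V-250E DT:19/08/2019.",
     '"Ms.Julie Tsukahara-LOGISTICS MATES CORP." <info@esanat.com>'),
    ("Urgent quotation needed /M.T. Navion Britannia - PDA",
     "VELESTO DRILLING SDN BHD <caf9@448cb87.com>"),
    ("BUNKER ESTIMATE - MV SINGMAR  20th AUG.2019",
     "Singmar Marine and Offshore Pte Ltd <technical@singmarmarine.com>"),
    ("mv ANL GIPPSLAND epDA- vessel - AGENCY APPOINTMENT", ""),  # no reported sender
    ("VSL: MV Huanghai Pioneer, ORDER: TK-812B", "Hyuk Kim <operation@mabong.co.kr>"),
    ("Mt. Yue You 901 V1911// SIME// CP 28TH AUG 2019 // Loading 10,000mt",
     "Ms.Zhu Qin <operation@waibert.com>"),
    ("Quotation Request // MV Southern Sunset V.100392-Home", "ba19a09a68@8aaafd712c3abb9d.jp"),
    ("Port agency appointment for M/V COSCO",
     '"SMTECH Ship Management Co., Ltd" <9daaa@9f2b4579b.com>'),
    ("MV Thalassini Voy. 09 // DA Request", "Operation <caf9@062d2f8402b314d.net>"),
    ("Team meeting moved to 3pm", "Alice Example <alice@example.com>"),
    ("Reminder: my timesheet is due", "Bob Example <bob@example.com>"),
]


def run(samples=SAMPLES):
    """Return [(subject, finding)] for every sample carrying a vessel lure."""
    out = []
    for subj, frm in samples:
        finding = triage(subj, frm)
        if finding:
            out.append((subj, finding))
    return out


if __name__ == "__main__":
    for subj, f in run():
        print(f"{f['prefix']:<4} {f['vessel']:<20} from {f['sender_domain'] or '?':<24} | {subj}")
```

The last sample shows why the hit is a triage signal rather than a verdict: a two-letter prefix such as MY also matches ordinary English ("my timesheet"), so each flagged message still needs the sender address and attachment reviewed, which is how the report pairs subject lines with sender data.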

Figure 1. Geo-location of receiving IPs of the malicious emails. Location is not exact and is the approximate location of the receiving IP gathered from Wapack Labs' malicious email collection.

Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is the approximate location of the sender IP gathered from Wapack Labs' malicious email collection.

Table 1: List of subject lines, motor vessel, type of malware sent and sender data seen in Wapack Labs' malicious email collection from August 18, 2019 to September 7, 2019. Each entry lists First Seen, Subject Line Used, Malware Detections, Sending Email and Targets.

First Seen: August 19th, 2019
Subject Line Used: RE: PRE-ARRIVAL DOCS AT YOSU(MT. BOW ASIA)
Malware Detections: Kaspersky - HEUR:Exploit.MSOffice.Generic; Qihoo-360 - heur.rtf.obfuscated.1; MicroWorld-eScan - Exploit.CVE-2017-11882.Y; CAT-QuickHeal - Exp.RTF.Obfus.Gen; TrendMicro - Trojan.W97M.CVE201711882.SM6; Ikarus - Exploit.CVE-2017-11882
Sending Email: Bow Asia <Bow.Asia@thomefleet.net>
Targets: spin.electroputere.ro; electroputere.ro; thomefleet.net

First Seen: August 20th, 2019
Subject Line Used: FW: MV. CMA CGM Verdi V-250E DT:19/08/2019.
Malware Detections: BitDefender - Trojan.SpamMalware-RAR.Gen; Arcabit - Trojan.SpamMalware-RAR.Gen; McAfee - Artemis!1928B73AF9CC; FireEye - Trojan.SpamMalware-RAR.Gen; Cyren - W32/Autoit.G.gen!Eldorado
Sending Email: "Ms.Julie Tsukahara-LOGISTICS MATES CORP." <info@esanat.com>
Targets: localhost.redcondor.net; redcondor.net; swva.net; sys.redcondor.net; sys.redcondor.com; esanat.com

First Seen: August 20th, 2019
Subject Line Used: Urgent quotation needed /M.T. Navion Britannia - PDA
Malware Detections: McAfee - Suspect-DH!8C5B06028463; Sophos - Mal/Fareit-V; Rising - Trojan.Injector!1.AFE3; TrendMicro-HouseCall - TrojanSpy.Win32.LOKI.SMAD.hp; Microsoft - Trojan:Win32/Wacatac.B!ml; BitDefender - Trojan.Zmutzy.802
Sending Email: VELESTO DRILLING SDN BHD <caf9@448cb87.com>
Targets: No reported targets

First Seen: August 20th, 2019
Subject Line Used: BUNKER ESTIMATE - MV SINGMAR  20th AUG.2019
Malware Detections: VBA32 - CIL.StupidCryptor.Heur; Ikarus - Win32.Outbreak; MicroWorld-eScan - Trojan.Zmutzy.802; BitDefender - Trojan.Zmutzy.802; FireEye - Trojan.Zmutzy.802; MAX - malware (ai score=89); Microsoft - Trojan:Win32/Wacatac.B!ml
Sending Email: Singmar Marine and Offshore Pte Ltd <technical@singmarmarine.com>
Targets: spin.electroputere.ro; electroputere.ro; megabytetravels.com; singmarmarine.com

First Seen: August 20th, 2019
Subject Line Used: mv ANL GIPPSLAND epDA- vessel - AGENCY APPOINTMENT
Malware Detections: Cyren - W32/Heuristic-200!Eldorado; MicroWorld-eScan - Trojan.Zmutzy.804; F-Secure - Heuristic.HEUR/AGEN.1022332; GData - Trojan.SpamMalware-ZIP.Gen; Sophos - Mal/Generic-S; Arcabit - Trojan.Zmutzy.804
Sending Email: No reported sender
Targets: webmail.sunraywall.com; panasiancorp.net; natori.com; smtp426.redcondor.net; vps8327.youcloud.hk; vps8327.webhosthk.net; socmail.redcondor.net

First Seen: August 20th, 2019
Subject Line Used: VSL: MV Huanghai Pioneer, ORDER: TK-812B
Malware Detections: NANO-Antivirus - Trojan.Win32.Androm.fvdkaa; DrWeb - Trojan.PWS.Banker1.34264; Avira - Trojan.VB.Crypt; MicroWorld-eScan - Trojan.GenericKD.41536489; Sophos - Troj/VB-KJM; Emsisoft - Trojan.GenericKD.41536489 (B)
Sending Email: Hyuk Kim <operation@mabong.co.kr>
Targets: cable.net.co; jame.com; mabong.co.kr

First Seen: August 26th, 2019
Subject Line Used: Mt. Yue You 901 V1911// SIME// CP 28TH AUG 2019 // Loading 10,000mt
Malware Detections: Emsisoft - Trojan.GenericKD.32306233 (B); BitDefender - Trojan.GenericKD.32306233; Arcabit - Trojan.Generic.D1ECF439; Kaspersky - HEUR:Backdoor.Win32.Androm.gen
Sending Email: Ms.Zhu Qin <operation@waibert.com>
Targets: mail1.tandler.de; royalsingi.com; secure.myportalhost.com; waibert.com

First Seen: August 26th, 2019
Subject Line Used: RE: PRE-ARRIVAL DOCS AT YOSU(MT. BOW ASIA)
Malware Detections: Cyren - CVE-2017-11882.E.gen!Camelot; Ad-Aware - Exploit.CVE-2017-11882.Y; DrWeb - Exploit.ShellCode.69; Avast - Other:Malware-gen [Trj]; NANO-Antivirus - Exploit.Ole2.ShellCode.fpfqba; TrendMicro - Trojan.W97M.CVE201711882.SM6
Sending Email: Bow Asia <Bow.Asia@thomefleet.net>
Targets: spin.electroputere.ro; thomefleet.net; electroputere.ro

First Seen: August 27th, 2019
Subject Line Used: Quotation Request // MV Southern Sunset V.100392-Home
Malware Detections: GData - Trojan.SpamMalware-RAR.Gen; Arcabit - Trojan.SpamMalware-RAR.Gen; BitDefender - Trojan.SpamMalware-RAR.Gen; Rising - Trojan.Injector!1.B459 (CLASSIC); FireEye - Trojan.SpamMalware-RAR.Gen
Sending Email: ba19a09a68@8aaafd712c3abb9d.jp
Targets: No reported targets

First Seen: August 29th, 2019
Subject Line Used: Port agency appointment for M/V COSCO
Malware Detections: GData - Trojan.GenericKD.41650797; FireEye - Trojan.GenericKD.41650797; BitDefender - Trojan.GenericKD.41650797; AVG - Win32:Trojan-gen; Avast - Win32:Trojan-gen; Microsoft - Trojan:Win32/Fuerboos.C!cl; Fortinet - W32/Injector.EHKV!tr; Sophos - Mal/Generic-S
Sending Email: SMTECH Ship Management Co., Ltd <9daaa@9f2b4579b.com>
Targets: No reported targets

First Seen: August 29th, 2019
Subject Line Used: MV Thalassini Voy. 09 // DA Request
Malware Detections: Microsoft - Trojan:Win32/Wacatac.B!ml; BitDefender - Gen:Heur.PonyStealer.dn2@gm8qLSci; FireEye - Gen:Heur.PonyStealer.dn2@gm8qLSci
Sending Email: Operation <caf9@062d2f8402b314d.net>
Targets: No reported targets

About Wapack Labs

Wapack Labs is located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
