Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation
Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Wapack Labs is providing this weekly list of Motor Vessels in which Wapack Labs directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver them. Users should never click on or download any attachments or links in suspicious emails.
Significant Vessel Keys Words:
MT, M/T | merchant tanker |
MV, M/V | merchant vessel |
MY, M/Y | motor yacht |
VLCC | very large crude carrier |
ULCC | ultra large crude carrier |
RV, R/V | research vessel |
FPSO | floating production storage & offloading |
Figure 1.Geo-location of receiving IPs of the malicious emails. Location is not exact and is approximate location of the receiving IP gathered from Wapack Lab’s malicious email collection.
Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact and is approximate location of the sender IP gathered from Wapack Lab’s malicious email collection.
Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Lab’s malicious email collection from August 18, 2019 to September 7, 2019.
First Seen |
Subject Line Used |
Malware Detections |
Sending Email |
Targets |
August 19th, 2019 | RE: PRE-ARRIVAL DOCS AT YOSU(MT. BOW ASIA) | Kaspersky - HEUR:Exploit.MSOffice.Generic
Qihoo-360 - heur.rtf.obfuscated.1
MicroWorldeScan - Exploit.CVE-2017-11882.Y
CAT-QuickHeal - Exp.RTF.Obfus.Gen
TrendMicro -Trojan.W97M.CVE201711882.SM6
Ikarus - Exploit.CVE-2017-11882
| Bow Asia <Bow.Asia@thomefleet.net> | spin.electroputere.ro
electroputere.ro
thomefleet.net |
August 20th, 2019 | FW: MV. CMA CGM Verdi V-250E DT:19/08/2019. | BitDefender - Trojan.SpamMalware-RAR.Gen
Arcabit - Trojan.SpamMalware-RAR.Gen
McAfee - Artemis!1928B73AF9CC
FireEye - Trojan.SpamMalware-RAR.Gen
Cyren - W32/Autoit.G.gen!Eldorado
| "Ms.Julie Tsukahara-LOGISTICS MATES CORP." <info@esanat.com> | localhost.redcondor.net
redcondor.net
swva.net
sys.redcondor.net
sys.redcondor.com
esanat.com |
August 20th, 2019 | Urgent quotation needed /M.T. Navion Britannia - PDA | McAfee - Suspect-DH!8C5B06028463
Sophos - Mal/Fareit-V
Rising - Trojan.Injector!1.AFE3
TrendMicro-HouseCall - TrojanSpy.Win32.LOKI.SMAD.hp
Microsoft - Trojan:Win32/Wacatac.B!ml
BitDefender - Trojan.Zmutzy.802 | VELESTO DRILLING SDN BHD <caf9@448cb87.com> | No reported targets |
August 20th, 2019 | BUNKER ESTIMATE - MV SINGMAR 20th AUG.2019 | VBA32 - CIL.StupidCryptor.Heur -
Ikarus - Win32.Outbreak
MicroWorld-eScan -Trojan.Zmutzy.802
BitDefender - Trojan.Zmutzy.802
FireEye - Trojan.Zmutzy.802
MAX - malware (ai score=89)
Microsoft - Trojan:Win32/Wacatac.B!ml | Singmar Marine and Offshore Pte Ltd <technical@singmarmarine.com> | spin.electroputere.ro
electroputere.ro
megabytetravels.com
singmarmarine.com |
August 20th, 2019 | mv ANL GIPPSLAND epDA- vessel - AGENCY APPOINTMENT | Cyren - W32/Heuristic-200!Eldorado
MicroWorld-eScan - Trojan.Zmutzy.804
F-Secure - Heuristic.HEUR/AGEN.1022332
GData – Trojan.SpamMalware-ZIP.Gen
Sophos - Mal/Generic-S
Arcabit - Trojan.Zmutzy.804
| No reported sender | webmail.sunraywall.com
panasiancorp.net
natori.com
smtp426.redcondor.net
vps8327.youcloud.hk
vps8327.webhosthk.net
socmail.redcondor.net |
August 20th, 2019 | VSL: MV Huanghai Pioneer, ORDER: TK-812B | NANO-Antivirus - Trojan.Win32.Androm.fvdkaa
DrWeb - Trojan.PWS.Banker1.34264
Avira - Trojan.VB.Crypt
MicroWorld-eScan - Trojan.GenericKD.41536489
Sophos - Troj/VB-KJM
Emsisoft - Trojan.GenericKD.41536489 (B)
| Hyuk Kim <operation@mabong.co.kr> | cable.net.co
jame.com
mabong.co.kr |
August 26th, 2019 | Mt. Yue You 901 V1911// SIME// CP 28TH AUG 2019 // Loading 10,000mt | Emsisoft - Trojan.GenericKD.32306233 (B)
BitDefender - Trojan.GenericKD.32306233
Arcabit - Trojan.Generic.D1ECF439
Kaspersky - HEUR:Backdoor.Win32.Androm.gen
| Ms.Zhu Qin <operation@waibert.com> | mail1.tandler.de
royalsingi.com
secure.myportalhost.com
waibert.com |
August 26th, 2019 | RE: PRE-ARRIVAL DOCS AT YOSU(MT. BOW ASIA) | Cyren – CVE-2017-11882.E.gen!Camelot
Ad-Aware - Exploit.CVE-2017-11882.Y
DrWeb - Exploit.ShellCode.69
Avast - Other:Malware-gen [Trj]
NANO-Antivirus -Exploit.Ole2.ShellCode.fpfqba -
TrendMicro - Trojan.W97M.CVE201711882.SM6
| Bow Asia <Bow.Asia@thomefleet.net> | spin.electroputere.ro
thomefleet.net
electroputere.ro |
August 27th, 2019 | Quotation Request // MV Southern Sunset V.100392-Home | GData - Trojan.SpamMalware-RAR.Gen
Arcabit - Trojan.SpamMalware-RAR.Gen
BitDefender - Trojan.SpamMalware-RAR.Gen
Rising - Trojan.Injector!1.B459 (CLASSIC)
FireEye - Trojan.SpamMalware-RAR.Gen | ba19a09a68@8aaafd712c3abb9d.jp | No reported targets |
August 29th, 2019 | Port agency appointment for M/V COSCO | GData - Trojan.GenericKD.41650797
FireEye - Trojan.GenericKD.41650797
BitDefender - Trojan.GenericKD.41650797
AVG - Win32:Trojan-gen
Avast - Win32:Trojan-gen
Microsoft - Trojan:Win32/Fuerboos.C!cl
Fortinet - W32/Injector.EHKV!tr
Sophos - Mal/Generic-S
| SMTECH Ship Management Co., Ltd <9daaa@9f2b4579b.com> | No reported targets |
August 29th, 2019 | MV Thalassini Voy. 09 // DA Request | Microsoft - Trojan:Win32/Wacatac.B!ml
BitDefender - Gen:Heur.PonyStealer.dn2@gm8qLSci
FireEye - Gen:Heur.PonyStealer.dn2@gm8qLSci
| Operation <caf9@062d2f8402b314d.net> | No reported targets |
About Wapack Labs
Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.
Comments