Vessel Impersonation 10 25 2019

Weekly 2019 Motor Vessel (MV) & Motor Tanker (MT) Impersonation

Wapack Labs performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Using Motor Vessel (MV) or Motor Tanker (MT) keywords in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments. Wapack Labs is providing this weekly list of Motor Vessels that Wapack Labs directly observed being impersonated, together with the associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver the messages.

Significant Vessel Keywords:

MT, M/T: merchant tanker
MV, M/V: merchant vessel
MY, M/Y: motor yacht
VLCC: very large crude carrier
ULCC: ultra large crude carrier
RV, R/V: research vessel
FPSO: floating production storage & offloading

Figure 1. Geo-location of receiving IPs of the malicious emails. Location is not exact; it is the approximate location of the receiving IP gathered from Wapack Labs' malicious email collection.

Figure 2. Geo-location of sender IPs of the malicious emails. Location is not exact; it is the approximate location of the sender IP gathered from Wapack Labs' malicious email collection.

Table 1: List of subject lines, motor vessel, type of malware sent and sender data that was seen in Wapack Labs' malicious email collection from October 17, 2019 to October 25, 2019. Columns: First Seen | Subject Line Used | Malware Detections | Sending Email | Targets.

First Seen: October 17th 2019
Subject Line Used: ARRIVAL NOTICE // MINH DUC // M/V INVICTA 002S ETA 18 OCT
Malware Detections: CAT-QuickHeal - Exp.RTF.Obfus.Gen; NANO-Antivirus - Exploit.Rtf.Heuristic-rtf.dinbqn; Ikarus - Exploit.RTF.Doc; DrWeb - Exploit.Rtf.CVE2012-0158; Cyren - RTF/Agent.DZ
Sending Email: HUMANE>hmlx.co.kr <bjh@teramicro.co.kr>
Targets: dwchem.co.kr; hmlx.co.kr; teramicro.co.kr; fastfreight.co.th

First Seen: October 17th 2019
Subject Line Used: Urgent Quotation No.:23611472 : REQUISITION 047ENG/110/19- M/V Eagle
Malware Detections: CAT-QuickHeal - Exp.RTF.Obfus.Gen; NANO-Antivirus - Exploit.Rtf.Heuristic-rtf.dinbqn; Cyren - RTF/Agent.DZ; Zoner - Probably RTFObfuscationD; DrWeb - Exploit.Rtf.CVE2012-0158; Ikarus - Exploit.RTF.Doc; Kaspersky - HEUR:Exploit.RTF.CVE-2017-11882.gen
Sending Email: Y.Jang- EH ENGI <tacdmk4@transaircargo.com>
Targets: relay2.thaicloudsolutions.com; choctaw.org; eheng.co.kr; redcondor.net; transaircargo.com

First Seen: October 21st 2019
Subject Line Used: RE: M.T. SWAN BALIC Q060005531 - 0611126
Malware Detections: Sophos - Mal/DrodZp-A; BitDefender - Trojan.SpamMalware-RAR.Gen; McAfee - Artemis!C8BE2E68AE1F; Kaspersky - HEUR:Trojan.Script.Generic; Microsoft - Trojan:Win32/Conteban.B!ml; GData - Trojan.SpamMalware-RAR.Gen; Arcabit - Trojan.SpamMalware-RAR.Gen
Sending Email: "BALTIC SHIP SERVICES (S) PTE LTD" <agency@balticgrp.com>
Targets: ve1eur03ft004.eop-eur03.prod.protection.outlook.com; balticgrp.com; server15116.comalis.net; am6p192ca0028.eurp192.prod.outlook.com; srv3016.sd-france.ne

First Seen: October 21st 2019
Subject Line Used: ARRIVAL NOTICE//MV OCEAN TRADER
Malware Detections: TrendMicro - Trojan.X97M.CVE201711882.PVSGP; Kaspersky - HEUR:Exploit.MSOffice.Generic; ClamAV - Doc.Dropper.Agent-7343801-0; Sophos - Exp/20180802-B; ZoneAlarm - HEUR:Exploit.MSOffice.Generic
Sending Email: Andres Felipe Arias Jimenez (Oficina de Informatica) <afarias@ideam.gov.co>
Targets: ideam.gov.co
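The weekly query described at the top of this report boils down to two checks a mail-security team can automate: does the subject line carry one of the vessel-prefix keywords from the list above, and does the sender's display name claim a domain that differs from the actual address (as in the first row of Table 1, where the display name names hmlx.co.kr but the address is at teramicro.co.kr). The following script is an added example written for this page; it is not Wapack Labs' tooling. The keyword set is the report's own list, the sample subject lines and From headers are constructed from Table 1 above plus one benign control message, and the regular expressions, function names and the decision to match keywords case-sensitively are this example's assumptions.

```python
import re

# Vessel-prefix keywords from the report's list, each with the expansion
# the report gives for it.
VESSEL_KEYWORDS = {
    "MT": "merchant tanker",
    "MV": "merchant vessel",
    "MY": "motor yacht",
    "VLCC": "very large crude carrier",
    "ULCC": "ultra large crude carrier",
    "RV": "research vessel",
    "FPSO": "floating production storage & offloading",
}

# Prefixes as standalone tokens, including the slashed and dotted forms
# (M/V, M.T.) seen in the report's subject lines. Matching is deliberately
# case-sensitive (an assumption of this example): the maritime convention
# writes these in capitals, and a case-insensitive match would fire on
# ordinary words such as "my".
_KEYWORD_RE = re.compile(
    r"(?<![A-Za-z0-9])(?:M[/.]?[VTY]|VLCC|ULCC|R[/.]?V|FPSO)\.?(?![A-Za-z0-9])"
)

# Splits "Display Name <user@domain>" into its two parts. A hand-written
# pattern is used instead of email.utils.parseaddr because the stray '>'
# inside one of the report's From headers confuses the library parser.
_FROM_RE = re.compile(r"^\s*(.*?)\s*<([^<>\s]+@[^<>\s]+)>\s*$")

# A domain-like token inside a display name (e.g. "hmlx.co.kr").
_DOMAIN_IN_NAME_RE = re.compile(
    r"(?<![\w-])[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?![\w-])"
)


def find_vessel_keywords(subject):
    """Return the normalised vessel prefixes (e.g. ['MV']) found in a subject line."""
    hits = []
    for m in _KEYWORD_RE.finditer(subject):
        token = re.sub(r"[/.]", "", m.group(0))
        if token not in hits:
            hits.append(token)
    return hits


def analyse_sender(from_header):
    """Compare the address domain with any domain the display name claims."""
    m = _FROM_RE.match(from_header)
    if m:
        display, addr = m.group(1), m.group(2)
    else:
        display, addr = "", from_header.strip()
    addr_domain = addr.rpartition("@")[2].lower()
    claimed = [d for d in _DOMAIN_IN_NAME_RE.findall(display.lower())
               if d != addr_domain]
    return {"address_domain": addr_domain,
            "claimed_domains": claimed,
            "mismatch": bool(claimed)}


def triage(subject, from_header):
    """Score one message: vessel-lure keywords plus a display-name/domain mismatch."""
    keywords = find_vessel_keywords(subject)
    sender = analyse_sender(from_header)
    reasons = []
    if keywords:
        reasons.append("vessel keyword(s) in subject: " + ", ".join(
            "%s (%s)" % (k, VESSEL_KEYWORDS[k]) for k in keywords))
    if sender["mismatch"]:
        reasons.append("display name claims %s but address is @%s" % (
            ", ".join(sender["claimed_domains"]), sender["address_domain"]))
    return {"keywords": keywords, "sender": sender,
            "flag": bool(reasons), "reasons": reasons}


# Constructed sample messages: the subject lines and From headers are the
# ones listed in Table 1 of the report, plus one benign control message.
SAMPLES = [
    ("ARRIVAL NOTICE // MINH DUC // M/V INVICTA 002S ETA 18 OCT",
     "HUMANE>hmlx.co.kr <bjh@teramicro.co.kr>"),
    ("RE: M.T. SWAN BALIC Q060005531 - 0611126",
     '"BALTIC SHIP SERVICES (S) PTE LTD" <agency@balticgrp.com>'),
    ("ARRIVAL NOTICE//MV OCEAN TRADER",
     "Andres Felipe Arias Jimenez (Oficina de Informatica) <afarias@ideam.gov.co>"),
    ("Please send me my timesheet", "payroll@example.com"),
]

if __name__ == "__main__":
    for subject, sender in SAMPLES:
        result = triage(subject, sender)
        print(("FLAG  " if result["flag"] else "ok    ") + subject)
        for reason in result["reasons"]:
            print("      - " + reason)
```

A keyword hit on its own is a triage signal, not a verdict: legitimate arrival notices use exactly the same prefixes, which is what makes the lure work. The value of the second check is that it catches the case where the lure is plausible but the sender is not who the display name says; feeding flagged messages into the direct-verification step recommended at the end of this report is the intended use.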

In the above collections for MV Invicta, MV Eagle, MT Swan Balic and MV Ocean Trader, we see malicious actors using these vessel names to try to spoof companies in the maritime supply chain.


Figure 3. Marine Traffic results for M/V Invicta

MV Invicta is an actual container ship operating under the flag of the Marshall Islands, located in the Pacific Ocean. Analysis reveals that an email was sent to dwchem.co.kr. This domain name is registered to Dongwoo Fine-Chem Co., located in South Korea, which operates as a developer and manufacturer of semi-conductor chemicals. The company produces hydrogen peroxide, sulphuric acid and other chemicals and provides these products for the cleaning and etching processes of semi-conductor manufacturing. The malware sent to Dongwoo was detected as Exploit.Rtf.CVE2012-0158[1], malware that attempts to exploit vulnerabilities in Microsoft Office. The subject line of the malicious email is: "ARRIVAL NOTICE // MINH DUC // M/V INVICTA 002S ETA 18 OCT".

An unsuspecting employee at the Dongwoo Fine-Chem company would see an email with this subject line, apparently from a legitimate container ship, the MV INVICTA, and may then be tempted to open the email to see the details of the container ship's apparent arrival. If this malware is delivered with any of these exploits, the chemical company could then become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine / oil and gas supply chain with additional malware.


Figure 4. MV Eagle info from Marinetraffic.com

In the second example, we see a subject line of: "Urgent Quotation No.:23611472 :REQUISITION 047ENG/110/19- M/V Eagle". The intended target was the EH Engineering Co. in South Korea. The MV Eagle is a real Norwegian flagged cruise ship, and EH Engineering Co. is a legitimate engineering company specializing in providing engineering solutions for the maritime industry. At first glance, an employee at EH Engineering would see what appears to be a heavy load carrier ship sending an urgent quotation. This could mean a business opportunity and would likely entice an unsuspecting employee to click on the email and thus download malware such as the listed HEUR:Exploit.RTF.CVE-2017-11882.gen, detected by Kaspersky.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from the Wapack Labs RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Black Lists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts are beginning to see maritime-specific examples of these attacks. A recent incident in the Gulf of Guinea saw cyber criminals send spoof emails requesting a cargo manifest, with a view to possibly attacking the vessel and targeting the containers with the highest-value contents.

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.[2]

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to identify a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Wapack Labs RedXray proactive support and our Vessel Impersonation information, and use the Maritime Black Lists to proactively block cyber-attacks from identified malicious actors.

 

About Wapack Labs

Wapack Labs is located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

 

[1] https://www.virustotal.com/gui/file/509db5337a1e95bf43d05c8342aa58520d41e56bf255ceffdba9ff82b9c498d5/detection

[2] https://www.rivieramm.com/opinion/opinion/beating-cyber-criminals-calls-for-constant-vigilance-56444
