On 7-9 May 2019, Wapack Labs detected an increase in malicious emails with the spoofed sender field accounts@hhhmarine.com.sg. Hackers deliver malicious attachments under the pretense of an incoming SWIFT transfer (Figure 1).
Figure 1. Email text spoofing HHH Marine Services on 8 May 2019.
The attackers use the popular malware Lokibot. Wapack Labs detected communications of these samples to known and new Lokibot C2s:
- kbfvzoboss[.]bid/alien/fre.php
- carlos-tevez[.]gq/raphael/fre.php
- uenajrkja[.]ml/chibyke/fre.php[1]
HHH Marine & Logistics is a marine transportation and logistic services for shipping, offshore and oil and gas companies. HHH handles transport services with in-port and outbound supply boats, high-speed agent boats, harbor launch, marine logistics, warehousing, air and sea freight services within Singapore, Indonesian and Malaysian waters.
While we are seeing a significant spike in May 2019, the first use of spoofed email address account@hhhmarine.com.sg goes back to as far as 30 Nov 2017.
Prepared by: Yury Polozov
Serial: TR-19-134-002
Report Date: 05142019
Country: SG, UK, RO
Industries: Maritime, Financial
[1]virustotal.com/gui/file/4c1bcbcdfac5d6ad0c3730ed6cdf5cefc86f429cef1366905ca87e158b3c72fd/details
Comments