On 7-9 May 2019, Wapack Labs detected an increase in malicious emails with the spoofed sender field accounts@hhhmarine.com.sg.  Hackers deliver malicious attachments under the pretense of an incoming SWIFT transfer (Figure 1).

Figure 1. Email text spoofing HHH Marine Services on 8 May 2019.

The attackers use the popular malware Lokibot.  Wapack Labs detected communications of these samples to known and new Lokibot C2s:

  • kbfvzoboss[.]bid/alien/fre.php
  • carlos-tevez[.]gq/raphael/fre.php
  • uenajrkja[.]ml/chibyke/fre.php [1]
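
As an added example (not part of the original Wapack Labs report), the sketch below checks web proxy logs for the indicators listed above. The log line format, the client addresses and the `/<dir>/fre.php` path heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators as listed in the report, kept defanged in source.
REPORTED_C2 = [
    "kbfvzoboss[.]bid/alien/fre.php",
    "carlos-tevez[.]gq/raphael/fre.php",
    "uenajrkja[.]ml/chibyke/fre.php",
]

def refang(ioc):
    """Convert a defanged indicator to a (host, path) tuple."""
    parts = urlsplit("http://" + ioc.replace("[.]", "."))
    return parts.hostname, parts.path

REPORTED_HOSTS = {refang(i)[0] for i in REPORTED_C2}
# Assumption: the shape shared by all three reported URLs, /<one dir>/fre.php.
PATH_SHAPE = re.compile(r"^/[^/]+/fre\.php$", re.IGNORECASE)

def classify(url):
    """Return 'reported-host', 'path-shape' or None for a requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if (parts.hostname or "") in REPORTED_HOSTS:
        return "reported-host"
    if PATH_SHAPE.match(parts.path):
        return "path-shape"  # weaker signal: same layout on an unlisted host
    return None

def scan(log_lines):
    """Return (client, url, verdict) for lines '<ts> <client> <method> <url>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits

# Constructed sample log; the first URL is built from a reported indicator.
host, path = refang(REPORTED_C2[0])
SAMPLE_LOG = [
    f"2019-05-08T09:14:02Z 10.0.4.23 POST http://{host}{path}",
    "2019-05-08T09:15:40Z 10.0.4.31 GET https://example.com/index.html",
    "2019-05-08T09:16:11Z 10.0.4.23 POST http://unlisted.example/panel/fre.php",
    "truncated line",
]
```

A `path-shape` hit on an unlisted host is only a lead for triage, since other software can use the same file name.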

HHH Marine & Logistics is a provider of marine transportation and logistics services for shipping, offshore, and oil and gas companies.  HHH handles transport services with in-port and outbound supply boats, high-speed agent boats, harbor launch, marine logistics, warehousing, and air and sea freight services within Singaporean, Indonesian and Malaysian waters.

While we are seeing a significant spike in May 2019, the first use of the spoofed email address account@hhhmarine.com.sg goes back as far as 30 Nov 2017.

Prepared by:  Yury Polozov
Serial: TR-19-134-002
Report Date: 05142019
Country: SG, UK, RO
Industries: Maritime, Financial

[1]virustotal.com/gui/file/4c1bcbcdfac5d6ad0c3730ed6cdf5cefc86f429cef1366905ca87e158b3c72fd/details
