On 7-9 May 2019, Wapack Labs detected an increase in malicious emails with the spoofed sender field firstname.lastname@example.org. Hackers deliver malicious attachments under the pretense of an incoming SWIFT transfer (Figure 1).
Figure 1. Email text spoofing HHH Marine Services on 8 May 2019.
The attackers use the popular malware Lokibot. Wapack Labs detected communications of these samples to known and new Lokibot C2s:
HHH Marine & Logistics is a marine transportation and logistic services for shipping, offshore and oil and gas companies. HHH handles transport services with in-port and outbound supply boats, high-speed agent boats, harbor launch, marine logistics, warehousing, air and sea freight services within Singapore, Indonesian and Malaysian waters.
While we are seeing a significant spike in May 2019, the first use of spoofed email address email@example.com goes back to as far as 30 Nov 2017.
Prepared by: Yury Polozov
Report Date: 05142019
Country: SG, UK, RO
Industries: Maritime, Financial