Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, and ports. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Significant Vessel Key Words:
Figure 1. Map displaying location of attacker domains
Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from the last 30 days. Vessel information is extrapolated from the subject line. The full vessel report table is linked here -> Full Vessel Report.pdf.
Analyzing the subject lines shows similarities in these phishing attempts. In this sample a number of vessels are being impersonated. Common themes in the subject lines include loading calls, discharges, billing, arrival notices, and other seemingly legitimate shipping communications. The use of phrases commonly used within the industry is an attempt to establish credibility for the attacker. Analysts notice some emails using fake Purchase Orders, Remittances, and Pro-forma Disbursement Account Requests (PDA) to try scamming their victims. These are tempting lures for the recipient.
Most of the vessel impersonations use the names of real ships such as: M/V Truong Minh Sea, currently in the Port Elizabeth Anchorage in South Africa; M/V RedHead, currently moored in Lake Ontario; and M/V Glorious Sea, heading to Madagascar from the United Arab Emirates. While it is easy enough to make up a vessel name, using a real ship's name does not take much effort either. Commercial vessels broadcast information about their location using AIS (Automatic Identification System), and this information can be used to track and identify ships. Sites like VesselFinder can provide further information including the vessel's historical data, recent ports, destination, and more.
In the Sending Email field, we noticed the impersonations of different logistics companies. These companies include Cosco Shipping Lines, Maersk, Ben Line Agencies, and DHL Customer Support. All of these are large and legitimate international companies. Other companies that show up as the sender on emails seem to be fake or overly generalized and do not represent existing companies. These include a sender “Invoicing <email@example.com>” which is clearly impersonating the legitimate Island Oil Holdings, switching out the “O” in oil with a “0”. Others include Coscon, Part Sales & Technical Service Team, and Operation Department.
A number of phishing campaigns reuse the same subject lines and send the malware to multiple targets. The lures they use apply generically to most ports, shipping companies, and vessels. Vessels that have been impersonated in multiple emails in this collection include MV Sea EverGold and MV Master.
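The sender and subject-line patterns described above (vessel names as a lure, industry phrases, brand names in the display name that do not match the sending domain, and a "0" swapped for an "O" in a lookalike domain) can be turned into a simple triage check. The script below is an added example, not Red Sky Alliance's tooling; the sample records, brand list and the legitimate-domain placeholders are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records, not taken from the Red Sky Alliance collection:
# (subject line, sender display name, sender address). Domains are placeholders.
SAMPLE_EMAILS = [
    ("MV Truong Minh Sea - Loading call / PDA request", "Operation Department", "ops@shipnotice.example"),
    ("MT Glorious Sea // Discharge report and invoice", "Invoicing", "accounts@island0il.example"),
    ("Crew change schedule", "Port Agent", "agent@portagent.example"),
    ("RE: MV Master arrival notice - remittance attached", "Coscon", "billing@coscon-team.example"),
    ("MV Master loading call", "Ben Line Agencies", "agency@mailer.example"),
]

# Brands the report saw impersonated; the "legitimate" domains are assumed placeholders.
BRAND_DOMAINS = {"maersk": "maersk.example", "cosco": "cosco.example", "ben line": "benline.example",
                 "dhl": "dhl.example", "island oil": "islandoil.example"}
VESSEL_RE = re.compile(r"\bM/?[VT]\s+([A-Z][\w'-]*(?:\s+[A-Z][\w'-]*)*)")
LURE_TERMS = ("loading call", "discharge", "invoice", "arrival notice", "remittance", "purchase order", "pda")

def normalise(text):
    """Lower-case and undo the digit-for-letter swaps used in lookalike names (0->o, 1->l)."""
    return text.lower().translate(str.maketrans("01", "ol"))

def triage(subject, display_name, address):
    """Return the indicators this message triggers; an empty list means nothing was flagged."""
    hits = []
    if VESSEL_RE.search(subject):
        hits.append("vessel_in_subject")
    if any(term in subject.lower() for term in LURE_TERMS):
        hits.append("shipping_lure_term")
    domain = address.split("@")[-1].lower()
    if normalise(domain) != domain:          # e.g. island0il vs islandoil
        hits.append("homoglyph_domain")
    for brand, legit_domain in BRAND_DOMAINS.items():
        key = brand.replace(" ", "")
        claimed = key in normalise(display_name).replace(" ", "") or key in normalise(domain)
        if claimed and domain != legit_domain:
            hits.append("brand_mismatch:" + brand)
    return hits

def impersonated_vessels(emails):
    """Count how often each vessel name recurs across subjects; reuse across targets signals a campaign."""
    counts = Counter()
    for subject, _, _ in emails:
        match = VESSEL_RE.search(subject)
        if match:
            counts[match.group(1).title()] += 1
    return counts

if __name__ == "__main__":
    for subj, name, addr in SAMPLE_EMAILS:
        print(f"{subj[:48]:<48} {triage(subj, name, addr)}")
    print(impersonated_vessels(SAMPLE_EMAILS))
```

Feed it real header fields from a mail gateway export and the reused-vessel counter will surface the repeated subjects the report describes.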
Finally, in the email analysis, we noticed malware similarities. In most of the emails, we have noticed some form of trojan. The most notable detections include Microsoft - Trojan:Win32/Wacatac.B!ml, Microsoft - Trojan:MSIL/AgentTesla.AMZZ!MTB (attached), Kaspersky - HEUR:Trojan-Spy.MSIL.SnakeLogger.gen, and other generic trojans. Email samples also had attachments that exploit known Common Vulnerabilities and Exposures (CVEs).
One of the most common CVEs we noticed in the email collections was CVE-2017-11882. This CVE exploits the Microsoft Office Memory Corruption Vulnerability and allows for remote code execution. A patch for this CVE has been available since November of 2017, and if your Microsoft applications and antivirus software are up to date your systems should be able to detect this as malicious.
Another common CVE was CVE-2018-0802. This CVE allows for remote code execution and like CVE-2017-11882, it takes advantage of the way objects are handled in memory. The Microsoft Office Memory Corruption Vulnerability is the main issue that allows for remote code execution in Microsoft Office 2007, 2010, 2013, and 2016. This vulnerability was listed as a Zero-Day and was addressed in January of 2018.
A third common CVE detected was CVE-2017-0199. This CVE exploits a flaw with Windows Object Linking and Embedding to interface with Microsoft Office and deliver malware. Typically this makes use of malicious Rich Text Files (RTF) to deploy malware.
Wacatac detected as Trojan:Win32/Wacatac by Microsoft is a trojan malware that is often distributed using spam phishing emails. It is categorized as a trojan, password stealer, banking malware, and spyware. The trojan is used to collect credentials and banking information so malicious actors can facilitate online purchases and money transfers.
Agent Tesla, one of the prominent payloads in the malicious emails analyzed acts as a keylogger, downloader, password-stealer, and is capable of taking screenshots on infected machines. Agent Tesla has been around since 2014 and targets Windows machines.
It is worth noting that we have seen detections for the Snake Keylogger in phishing emails ever since it cracked the top 10 Most Wanted Malware list in July of 2021. The malware is spread predominantly through phishing campaigns and targets Windows users. The malicious payload has been reported being delivered via PDF files, Word Documents, and Excel Spreadsheets, typically themed around Requests for Quotes (RFQs). According to Check Point Software Technologies, the Snake Keylogger malware currently ranks third on the July 2022 Most Wanted Malware list.
Generic trojans, which make up a significant portion of the email detections, are malicious programs that share code and behavior with known trojan malware. Trojan malware relies on tricking a victim into downloading a file that is hiding a malicious payload. While the installed file may look legitimate, these programs could be hiding processes to download further harmful programs, spy on victims, and steal information.
Trojan malware strains are commonly spread through phishing emails, usually by getting the victim to click a malicious link or download a malicious file disguised to look like a purchase order or invoice. A number of different file types are used to disguise the malicious payloads. These files include Word Documents, Excel Spreadsheets, PDFs, or RAR and Zip files, storing compressed files.
These analytical results illustrate how a recipient could be fooled into opening an infected email. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and the associated transportation supply line. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is important to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to identify a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
About Red Sky Alliance
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings