Red Sky Alliance regularly queries our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments. Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels, parent companies, and ports. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Significant Vessel Keys Words:
Figure 1. Map displaying location of attacker domains
Figure 2. Map displaying location of victim domains
Figure 3. Distribution of attacker and target domains
Table 1: List of dates, subject lines, malware detections, and sender data seen in Red Sky Alliance’s malicious email collection from last 30 days. Information extrapolated from the Subject Line. Full Table Attached.
The five most common subject lines seen in our recent query are as follows:
- Material For shipment / Maersk-Line-Logistic
- VSL: VALADON, QUOTATION
- Maersk : Arrival Notice ready for Bill of Lading 209530072.
- MV CMA CGM THALASSA - DG TC ABB TPL65-A10
- SEA SHIPMENT
There are several themes represented by the subject lines seen. Specifically, we can see notices of container arrivals, vessel communications, along with shipping notifications and requests. These emails are seen to utilize common terminology in order to establish credibility. This credibility can make for a solid lure. In terms of the sending emails themselves, we can see impersonations of companies in many industries. Notably, we see Bulgarian freight transport companies, Vietnamese logistics companies, telecommunications companies, Chinese email providers, the Polish Mountaineering Association, and Russian tailoring services.
In addition to impersonating these companies and various types of communication, these emails are also seen to be impersonating specific vessels. Some of the vessels being impersonated by these emails include the following:
- CMA CGM Thalassa (pictured at the beginning of this report), a container ship en route to Panama Canal, sailing under the flag of Malta.
- Sun Unity (pictured above), a cargo ship en route toe FJHD Shipyard, sailing under the flag of Panama.
- Chailease Cherise, a bulk carrier en route to Tanjung Bara, sailing under the flag of Liberia.
- SNP Sky, a cargo ship en route to Novorossiysk, sailing under the flag of Vanuatu.
- Yin Fu, a bulk carrier en route to Shanghai, sailing under the flag of China.
As one might expect, fabricating a vessel name is not difficult, but using a real ship’s name does not take much effort and could result in an increase of credibility.
The top five most prevalent malware detections associated with these emails are as follows:
- Gen:Variant.Lazy.253409 (B) – Emsisoft
- JS:Trojan.Cryxos.10054 - Ad-Aware
- Win32:PWSX-gen [Trj] – Avast
- Mal/DrodRar-AIC – Sophos
- Win32/Injector.ESFA - ESET-NOD32
Commonly, these emails are seen attempting to propagate generic trojans like Gen:Variant.Lazy.253409, Win32:PWSX-gen, or Win32/Injector.ESFA. Trojans marked with the Gen:Variant.Lazy indicator we have been seeing for approximately one year, with a heavy detection rate during July of 2022. Win32:PWSX we have been seeing since August of 2018. “Generic” trojans can have a wide range of applications, such as hindering user activity, collecting machine and user information, or potentially downloading other malware. Others can be more flamboyant about their activities like JS:Trojan.Cryxos, which is known to interrupt user activity and claim that browsers are “locked” and user information is being “stolen” in an attempt to get the user to call a fake customer support number for assistance. We have been seeing Cryxos trojan detections since 2016, most prominently during the summer of 2017 and an extreme resurgence during July of 2022. Mal/DrodRar-AIC is a file infector that we have been seeing since late 2020. File infector malware is a type of malware that is capable of infecting files for the sake of spreading to other systems. Malicious code is attached to a variety of files (.exe, .dll, .sys, etc.) and this type of malware is often used for delivering payloads of downloading other malware.
These analytical results illustrate how a recipient could be fooled into opening an infected email and what sorts of dangers can accompany these emails. It is common for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry and associated transportation supply line. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is important to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to identify a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
About Red Sky Alliance
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending cyber-attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings