Red Sky Alliance performs weekly queries of our backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Use of the Motor Vessel (MV) or Motor Tanker (MT) keywords in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this weekly list of Motor Vessels that Red Sky Alliance directly observed being impersonated, with the associated malicious emails.  The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Significant Vessel Key Words: [figure not reproduced]

Figure 1 - Geo-location of sender IPs of the malicious emails. The location is not exact and is the approximate location of the sender IP gathered from Red Sky Alliance’s malicious email collection.

Figure 2 - Geo-location of receiving IPs of malicious emails. The location is not exact and is the approximate location of the receiving IP gathered from malicious email collection.

 

Table 1: List of subject lines, motor vessel, type of malware sent, and sender data seen in Red Sky Alliance’s malicious email collection from 24 October 2020 to 31 October 2020.

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Oct 26, 2020 | RE: Arrival Notice and Port Clear BL#SE20100078/001 | HEUR:Exploit.MSOffice.CVE-2017-0199.a | “Maersk Notification” <servlce@maersk.com> | Targets Not Disclosed |
| Oct 26, 2020 | Request for Freight Quote. | Exploit:O97M/CVE-2017-0199.JK!MTB | “Evershining International Shipping Agency” <khalid@paddocksjeans.com> | Targets Not Disclosed |
| Oct 26, 2020 | M/V MARZUK/ PDA | Trojan:Win32/FormBook.SS!MTB | Seahorse Maritime <opseahorse@maritime.ro> | kbkha.ru |
| Oct 26, 2020 | Invoice From Leelloyds Marine Engineering Pte Ltd | HEUR:Trojan-Dropper.Java.Agent.gen | "Leelloyds@Singnet" <db6ce4@81e00a5b.com> | Targets Not Disclosed |
| Oct 27, 2020 | MV PRABHU SAKHAWAT | TrojanDownloader:O97M/Donoff.RF!MTB | Wilhelmsen Ships Service <3fb1537e3c0@d8b31b9ec9.com> | 963212c1fc.com |
| Oct 27, 2020 | RE:Revised Inquiry Ships,boats | Trojan-Downloader.MSWord.Agent.buh | "Mrs Amira Rasheedi" <21232@f6a9f5dd64.ga> | f6a9f5dd64.ga |
| Oct 27, 2020 | WG: Order Confirmation : Rfq: //TOP URGENT// Quote for Rio de Janeiro Ports/Terminals -Brazil | HTML/Agent.AQX!tr | Zentrale <info@schuch.de> | schuch.de |
| Oct 27, 2020 | M/V PLATIN SHIPPING TBN// EPDA & PORT INFO REQUEST FOR LOADING ABT 60,325 MTNS OF UREA IN BULK | Trojan:Script/Foretype.A!ml | Platin Shipping Trading Co <f7235a61f@3ae52877e0.net> | 5d104289d17.za |
| Oct 27, 2020 | RE: MSC-Notice of Arrival for MSC B/L :MEDUAU647809/MSC ADITI/HC039A | PWS:Win32/Fareit!ml | "MSC - Mediterranean Shipping Company (Europe)" <saigonsan@tuguhotels.com> | msc.com |
| Oct 27, 2020 | MV GRAECIAAETERNA-DISCHARGING OPERATION-60,000/10 MTS SBS | TrojanDownloader:O97M/Donoff.RF!MTB | Cofco International Freight S.A.<Elif 286c67@78569d273040d420ad.com> | 30718da8.eg |
| Oct 27, 2020 | Dredger (TSHD) 'mv GANG JUN 12,000 cbm/2013 FOR SALE/CHARTER | Trojan:Win32/Wacatac.C!ml | "MaxBridge-Mike[snp@max-bridge.com" <1812@0102366483ea15.tw> | 0102366483ea15.tw |
| Oct 28, 2020 | MV. SWEET LYDIA / Shanghai / Disc Wheat - Agency Appointment | Exploit:O97M/CVE-2017-0199.YT!MTB | lourdes@blg.co.id | Targets Not Disclosed |
| Oct 28, 2020 | MAERSK LINE STATEMENT OF ACCOUNT OCTOBER 2020 | Trojan:Win32/Woreflint.A!cl | Lily Yan<yan.chen@maersk.com> | edlw.ru |
| Oct 28, 2020 | PFDA & PORT INFO REQUEST | Exploit:Win32/CVE-2017-11882!ml | DA Dept.Roxana Shipping CO.LTD<5c@e5fa59af818d8a.com> | 2856d7ee3c.com |
| Oct 29, 2020 | RE: [PS3] HMM VESSEL CALLING TC-HICT ON 06TH JUL @ HYUNDAI SINGAPORE | TrojanDownloader:O97M/Emotet.CSK!MTB | Pham Cong Minh <qualidade@tecnoval.ind.br> | hmm21.com |
| Oct 29, 2020 | Re: MV HAPPINESS Tuticorin/V037/CONTRACT EXTENSION (EXTENDING CONTRACT) | Trojan:Win32/Wacatac.D5!ml | "HAPPINESS HAMID (CR)" <283e9319692f9e@a11723170a.com> | a82c8142cedb2da.com |
| Oct 29, 2020 | FW: RE: RE: SEAI2009017 URGENT & FREIGHT DELAY | Exploit:O97M/CVE-2017-0199.RVA!MTB | "Silvi Lydiai" <caf9@6f20f7a90.com> | 589ab18.com |
| Oct 30, 2020 | =?utf-8?B?W+aKleizh+S6uuacjeWLmV0=?= Re: Bulk Cargo Shipment for ir@hannstar.com =?UTF-8?B?Ly/pgpPpkqfmloc=?= | Exploit:O97M/CVE-2017-11882!MTB | “Chen Xin” <felix.chen@longsailing.net> | hannstar.com |
| Oct 30, 2020 | Nova Container Dispatch | TrojanDownloader:O97M/Emotet.CSK!MTB | “Mark Saldanha” <mark.s@marksanspharma.com> | marksanspharma.com |
| Oct 30, 2020 | EPDA & PORT INFO REQUEST MV TBN | Exploit:Win32/CVE-2017-11882!ml | “M/V PLATIN SHIPPING.” <f7235a61f@3ae52877e0.net> | b71649.com |
| Oct 30, 2020 | RE: MV TEAL BULKER afloating repair at PaxOcean Batam shipyard | Trojan:Win32/Wacatac.DD!ml | Pedro Ortiz Malave <c6cc8@e07e63d71eb9.com> | Targets Not Disclosed |
| Oct 30, 2020 | MV PVTRANS OIL // INQUIRY PORT INFO & EPDA FOR DISCH. 30,325 MTNS OF UREA | HEUR:Trojan-Downloader.VBS.Agent.gen | Phuong Dong Viet Oil Transportation Joint Stock Company (PVTRANS OIL)<1d1d57@3051320ea530d.vn> | 885f644a8.com |
| Oct 30, 2020 | Request for Quotation : [RFQ} MV NYK#574499000 | Exploit:O97M/CVE-2017-0199.BK!MTB | "Anna(Ms) / Assistant manager Business Management Team David E C" <business@hmmco.co.kr> | Targets Not Disclosed |
| Oct 31, 2020 | Cargo Arrival Notice: BL No COSU6271832430 | Trojan:JS/Phish.RVD!MTB | "Maersk" <arrival@maersk.com> | automationit.com |
| Oct 31, 2020 | RE: HHMR - SAILING REPORT KAN VOY.022W | HEUR:Trojan.MSOffice.SAgent.gen | Hyundai Mars <alberto.pena@tya.com.mx> | hmm21.com |

Figure 3 - Marine Traffic results for MV GRAECIA AETERNA

 

In the above collection, we see malicious actors using vessel names in an attempt to spoof companies in the maritime supply chain.  This week we observed a wide variety of maritime-related subject lines.  Some of the new vessel names used this week include “MV Happiness” and “MV Marzuk”, among others.

Analysts observed the malicious subject line “RE: MSC-Notice of Arrival for MSC B/L :MEDUAU647809/MSC ADITI/HC039A” in use this week.  Attackers routinely use shipping company names in subject lines to entice the target into opening the malicious email and activating the malware.  In this case, the attackers are using “MSC,” a common abbreviation for Mediterranean Shipping Company.

The sending address in this case impersonated an employee of the major shipping giant using the sending alias “MSC - Mediterranean Shipping Company (Europe).”  A closer look shows that the actual sending email address is saigonsan[at]tuguhotels[.]com, which does not appear to be a legitimate email address for MSC.  The same address has been observed impersonating numerous different entities to send malicious emails.[1]

The target of the email is a tax officer at MSC.  The message body indicates that the sender does not speak English as their native language, which is not suspicious on its own, but there are other indications that this is not a legitimate request.  The email uses the generic greeting “Dear Info”, which is slightly suspicious because the targeted recipient is not “info[at]msc.com.”  Another suspicious aspect of the email is the signature, “Best Regards, Finance Staff as Agent”, followed by the full MSC company name on the next line.  The picture shown directly below the signature includes an image reading “MORE INFO”, but it is only an image and does not actually link to any website.  Finally, the attackers attempt to rush the recipient by claiming that an ‘invoice fee’ will apply if they do not receive a prompt response.

The name of the attached file, “TGL_MSC-20024169(BL DRAFT) .pdf.gz”, is also suspicious.  It implies that the attachment is a PDF, or at most a compressed (zipped) file containing a PDF; the archive actually contains a malicious executable file.  When the user opens the malicious file, they activate the PWS:Win32/Fareit!ml malware.  According to Trend Micro, the most common capabilities of this malware include:

  • Steals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software
  • Steals stored email credentials of different mail clients
  • Gets stored information such as usernames, passwords, and hostnames from different browsers
  • Performs brute-forcing capabilities on local accounts based on the acquired password list
  • Replicates other Remote Desktop Protocol (RDP) utilities’ mutexes to mask execution in the background, then deletes itself after execution
  • Downloads additional malware payload[2]
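The red flags walked through above for the MSC email (a carrier name in the display name but a different sending domain, the generic “Dear Info” greeting, the invoice-fee urgency claim, and a “.pdf.gz” attachment that is really an archive) can be checked mechanically at a mail gateway. The Python below is an added example, not Red Sky Alliance code; the sample message is constructed to mirror the described lure, and the BRAND_DOMAINS mapping is an assumed allow-list that a deployment would build from its own vendor records.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample modelled on the MSC lure the report describes; it is not a real capture.
SAMPLE_EMAIL = b"""\
From: "MSC - Mediterranean Shipping Company (Europe)" <saigonsan@tuguhotels.com>
Subject: RE: MSC-Notice of Arrival for MSC B/L :MEDUAU647809/MSC ADITI/HC039A
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Info, please find the attached B/L draft. An invoice fee will apply without a prompt reply.
--b1
Content-Type: application/gzip; name="TGL_MSC-20024169(BL DRAFT) .pdf.gz"
Content-Disposition: attachment; filename="TGL_MSC-20024169(BL DRAFT) .pdf.gz"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Carrier names from the report's sender aliases and the domain they are assumed to send from.
BRAND_DOMAINS = {"msc": "msc.com", "maersk": "maersk.com"}
VESSEL_RE = re.compile(r"\b(?:M/?V|M/?T)\b", re.I)  # MV, M/V, MT, M/T tokens in the subject
DOC_IN_ARCHIVE_RE = re.compile(r"\.(?:pdf|docx?|xlsx?)\s*\.(?:gz|zip|rar|7z|exe|iso)$", re.I)
GENERIC_GREETING_RE = re.compile(r"^\s*dear\s+(?:info|sir|madam|customer|user)\b", re.I | re.M)
URGENCY_RE = re.compile(r"\b(?:urgent|fee will apply|immediately|within 24 hours)\b", re.I)


def lure_indicators(raw: bytes) -> list[str]:
    # Returns the report's lure indicators that are present in one RFC 5322 message.
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    if VESSEL_RE.search(msg.get("Subject", "")):
        found.append("vessel-keyword-subject")
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in BRAND_DOMAINS.items():  # carrier named in the alias, address elsewhere
        if brand in display.lower() and domain != legit and not domain.endswith("." + legit):
            found.append(f"display-name-impersonation:{brand}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for tag, pattern in (("generic-greeting", GENERIC_GREETING_RE), ("urgency", URGENCY_RE)):
        if pattern.search(text):
            found.append(tag)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if DOC_IN_ARCHIVE_RE.search(name):  # ".pdf.gz": named like a document, is an archive
            found.append(f"document-named-archive:{name}")
    return found
```

A From: address that already sits on the carrier’s own domain, such as the spoofed maersk.com senders in Table 1, passes the display-name check, so these indicators should be combined with the gateway’s SPF, DKIM and DMARC results rather than used alone.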

Analysts observed another malicious email subject line, “MV PRABHU SAKHAWAT”, this week.  This vessel name has been used in the subject line of at least five malicious emails in the past six months.  In the past, attackers have used the following sending aliases to send these malicious emails:

  • Sunnytrans Co., Ltd.
  • Wilhelmsen Ships Service
  • El bahlawan shipping

It is unclear why attackers are using this specific vessel name to target multiple recipients at different companies.  The attackers appear to be sending unique malware that attempts to exploit CVE-2017-8570 and CVE-2017-11882.  The attached files are either MS Word documents or MS Excel spreadsheets (with macros enabled).

These analytical results illustrate how a recipient could be fooled into opening an infected email.  They also demonstrate how commonly attackers specifically target pieces of a company’s supply chain as a stepping stone to cyber-attacks on the larger companies.  A successful compromise could make the recipient an infected member of the maritime supply chain and thus possibly spread additional malware to victim vessels, port facilities, and/or shore companies in the marine, agricultural, and other industries.

Fraudulent emails designed to make recipients hand over sensitive information, extort money, or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry and its associated transportation supply line.  These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain.  Preventative cyber protection offers a strong first line of defense by stopping deceptive messages from ever reaching staff inboxes, but malicious hackers develop new techniques to evade current detection daily.

The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to identify a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.

 

About Red Sky Alliance

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending attacks.  Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is located in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225 or feedback@wapacklabs.com.

Link to full Vessel Impersonation report: Weekly 2020 Motor Vessel (MV) & Motor Tanker (MT) Impersonation

[1] https://bazaar.abuse.ch/sample/7704352d7ddb2256b3d47dfa1137263ee59d5f2495bae5db329cf83a401a9ea2/

[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/fareit
