The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
|First Seen||Subject Line Used||Malware Detections||Sending Email||Targets|
|Mar 16, 2020||TNT Express delivery Consignment Notification||Trojan:Win32/Injector.MU!MTBfirstname.lastname@example.orgemail@example.com|
|Mar 16, 2020||RE: Mv Pacific Harmony - CTM - Sattahip - 16.03.2020||Trojan:Win32/Wacatac.Cfirstname.lastname@example.orgemail@example.com|
|Mar 17, 2020||MV Jackie B / PDA / Discharging about 32,600 Mts of Corn/Maize||Trojan:Win32/Occamy.Cfirstname.lastname@example.orgemail@example.com|
|Mar 17, 2020||Fw: Re: Machine Spare Enquiry From China Marine Bunker(Petro\r\n China)Co., Ltd||Trojan:Win32/Wacatac.Cfirstname.lastname@example.org||Mr Gong Yenadmin@genogan.cf|
|Mar 17, 2020||RE : RE : URGENT|
SHIPPING DOC BL,SI,INV
462345 // MAERSK KLEVEN V.949E // CLGQOE191781 //
|Mar 17, 2020||VSL: MV FORTUNE TRADER||Exploit:O97M/CVE-2017-11882!MTB||Oriental Logistics Group Limited email@example.com||Target not disclosed|
|Mar 18, 2020||Arrival Notice For BL - 713010031110 / Vessel - TAICHUNG / Voyage -\r\n 046C||Trojan:Win32/Sonbokli.A!cl||"Capt. Liu Yun kung" firstname.lastname@example.org||Target not disclosed|
|Mar 18, 2020||MT PV Oil Jupiter / 3-17-2020 - Freight remittance||Trojan:Win32/FormBook.AQ!MTB||Nova Marine Carriers SA email@example.com||Target not disclosed|
|Mar 18, 2020||Re: M.V. Genco Claudius call Dongwu/Mei zhouwan guotou pier disch coal - port information enquire||Trojan:Win32/Wacatac.D!ml||"Capt. E. Tei" firstname.lastname@example.orgemail@example.com|
|Mar 18, 2020||Fwd: order confirmation||Trojan:Win32/Occamy.Cfirstname.lastname@example.orgemail@example.com,|
|Mar 18, 2020||GLOBAL LOGISTICS LCL IMPORT SAILING CONSOL - MARCH 2020||Trojan:Win32/Wacatac.C!ml||Wesley MAYERS firstname.lastname@example.orgemail@example.com|
In the above collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a large percentage of these malicious emails attempting to deliver Windows Wacatac and Occamy Office malware. Some of the new Vessel names used this week include “MT PV Oil Jupiter” which and “MV FORTUNE TRADER” among others.
An email was observed attempting to impersonate “MV Fortune Trader” using a subject line of “VSL: MV FORTUNE TRADER.” The sender claims to be part of Oriental Logistics Group Limited which a shipping entity based out of Taipei, Taiwan.
Analysis reveals that the malicious email was sent from a legitimate domain owned by an Indonesian mechanical & electrical engineering company, PT. Inti Persada Nusantara. Although the targets are undisclosed, analysis of the email headers indicate that the victims are based in Japan. It is unclear if these attackers have taken control of a legitimate email or if the email sender is spoofed in this case.
The message contains an attached .xlsx file (Excel spreadsheet) identified by Microsoft AntiVirus engine as the Exploit:O97M/CVE-2017-11882!MTB malware. The message body asks the victim to open the attached file to view attached “requisitions” for the vessel listed above. However, opening the attachment document titled “MV FORTUNE TRADER.xlsx” could activate the malware.
In another example, we see an email attempting to impersonate the shipping giant “Maersk” using the subject line “RE : RE : URGENTSHIPPING DOC BL,SI,INV462345 // MAERSK KLEVENV.949E // CLGQOE191781 //.” As with the majority of subject lines, this one entices the user to open the email by using the phrase “urgent shipping doc.” The sender also adds “Re:Re:” which is a common tactic to make it appear as if the victim has already discussed this subject with the sender and it’s part of an email chain.
A subtle indication that the sending email is malicious is the extra “o” in the sender email “firstname.lastname@example.org” which would easily be overlooked by someone assuming the sender is legitimate. Attackers commonly use this method to spoof and imitate legitimate mail senders. Many users would not stop to think that a “No Reply” email address probably would not generate an email chain since there would be no response from the “No Reply” sender.
An attachment titled, “Shipping Doc_Maersk Kleven V.949E_pdf.xz” is identified by Microsoft AV engine as Trojan:Win32/Predator.BD!MTB. This malware is a trojan-type infection that infects Windows computers and performs a number of malicious actions. The filename includes “PDF” to indicate that it’s a viewable document, but the .xz file extension indicates this is actually a zip file, containing the detected malware.
Our Experts Say
Weekly Maritime Watchlist
Top 5 Malicious Maritime Email Sending Domains
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.