The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
|First Seen||Subject Line Used||Malware Detections||Sending Email||Targets|
|May 4, 2020||Arrival Notice of B/L#MEDUMH151885 on Maersk received||JS/Phish.AB38!tr||"Maersk Line" noreply@Maersk.com||GMONEDA@bancolombia.com.co|
|May 5, 2020||DHL PRE-ALERT NOTIFICATION: IDN-H-MOH // CIP-OCEAN||W32/Injector.ELTMfirstname.lastname@example.org||Received email@example.com|
|May 6, 2020||// SHIPMENT ADVISE // SEA SHIPMENT/28CTNS HB/L # DAC0024943 COB: 06-MAY-2020||Trojan:Win32/Wacatac.C!ml||Yusen Logistics Group Ltd firstname.lastname@example.orgemail@example.com|
|May 7, 2020||PROFORMA REQUEST / MV SEA CHAMPION / Voy: 14508 /||HEUR:Exploit.MSOffice.Generic||"Dadaylilar Shipping Group" firstname.lastname@example.orgemail@example.com|
|May 8, 2020||RE: MV TBN T e-PDA||TrojanSpy:Win32/Swotter.A!bit||Patty Chao firstname.lastname@example.orgemail@example.com|
|May 8, 2020||PDA REQUEST LINER IN BASIS - MV COCO GYUN - LOADING||Exploit:O97M/CVE-2017-11882.ARJ!MTB||"Cunda Shipping Ltd" firstname.lastname@example.orgemail@example.com|
|May 9, 2020||RE: HBL with vessel details||Trojan:Win32/Wacatac.Dfirstname.lastname@example.orgemail@example.com|
|May 9, 2020||VSL: ABALONE, QUOTATION: ABL-S205044A, VENDOR: JONGHAP MARITIME INC||Exploit:O97M/CVE-2017-11882.ARJ!MTB||"Shenzhen Cloud Sailing Co., Ltd"firstname.lastname@example.orgemail@example.com|
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a large percentage of these malicious emails attempting to deliver Windows trojan malware. Some of the new vessel names used this week include “MV COCO GYUN” and “MV SEA CHAMPION” again this week, among others.
Analysts observed another malicious email containing the subject line used last week, “VSL: ABALONE, QUOTATION: ABL-S205044A, VENDOR: JONGHAP MARITIME INC.” The email was sent from a “sales” email belonging to Shenzhen Cloud Sailing Company out of China. Notably the reply-to email address was one different from the sender and in this case was a Gmail account (firstname.lastname@example.org).
The target of this email was an email address belonging to GICOM, a Dutch computing systems company. The email address that was targeted in this case was publicly available on their “Contact Us” page. There is no clear connection between GICOM, and the vessel mentioned in the email – MV Abalone.
The malicious email attachment was an .xlsm file which is an Excel file with macros enabled. This is a common filetype sent by attackers. The filename appears to be the same as the requisition number mentioned in the email text. It contains Exploit:O97M/CVE-2017-11882.ARJ!MTB.
CVE-2017-11882 is a remote code execution vulnerability which exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run code as the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, further emphasizing the implementation of the zero-trust principle.
In a separate malicious email, with subject line “RE: MV TBN T e-PDA” analysts observed attackers impersonating someone named ‘Patty Chao’ at Conveyor, a Taiwanese shipping logistics company. The name associated with the email address is Patty “Chao,” however, the email address is “patty.choa.” Notice the difference in the spelling of the last name.
Again here, we see a generic greeting “Dear sirs,” which is commonly used by attackers as templates for other malicious email campaigns. Because there is nothing about a specific ship/company in the message body, it could easily be copied for use in other emails. The email sender also provides a different email in the email signature (email@example.com) than that listed as the sender address (firstname.lastname@example.org).
The email attachment references a ship that is still to be named (MV TBN) which means the attachment can be reused in other malicious emails as well. The attached file is a .arj file which is an old archived file. The filename includes the phrase “Docx” to trick the target into thinking they are opening a .docx Word file.
What’s actually being activated is the backdoor trojan identified as TrojanSpy:Win32/Swotter.A!bit malware. This malware first creates a 7zip process to unzip the .arj file. Once the archived file is unzipped the “mv tbn spec-vsl particular.exe” process is created, and the malware continues to infect the device.
The targeted email address does not appear to be a public email and is not listed anywhere on the company’s website. It does not appear to be addressed to any one employee but is possibly a group/department email address. There is no additional context provided for the recipient at this time.
Our Experts Say
Weekly Maritime Watchlist
Top 5 Malicious Maritime Subject Lines
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.