The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
|First Seen||Subject Line Used||Malware Detections||Sending Email||Targets|
|Apr 27, 2020||WG: RE : URGENT!!! SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E||HEUR:Exploit.MSOffice.Generic||"Babel Markus (Gechter GmbH)" Markus.Babel@gechter.com||Dresel Sven Sven.Dresel@gechter.com|
|Apr 28, 2020||RE: VESSEL NOMINATION : MV SAND TOPIC OR SUB FOR 55,000 MT (+/-10%)\r\n OF AUSTRALIAN WHEAT TO KOH SICHANG, THAILAND , SHIP PERIOD : 15 MAY-15 JUNE\r\n 2020||Trojan:Win32/Tiggreemail@example.com||Target Not Disclosed|
|Apr 28, 2020||Re:Re:re Shipping Maersk AWB||Trojan:Win32/Wacatac.Cfirstname.lastname@example.orgemail@example.com|
|Apr 28, 2020||M/V Amir Joy PDA-REQUESTb||Trojan:HTML/Phish||Nguyen Linh firstname.lastname@example.orgemail@example.com|
|Apr 28, 2020||PROFORMA REQUEST / MV SEA CHAMPION / Voy: 14508 /||Trojan:Script/Oneeva.A!ml||"Dadaylilar Shipping Group" firstname.lastname@example.orgemail@example.com|
|Apr 28, 2020||RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 //||HEUR:Exploit.MSOffice.Generic||"A.P. Moller - Maersk" firstname.lastname@example.org||Target Not Disclosed|
|Apr 29, 2020||MV EVER IMPERIAL V-29 / Agency Appointment at Newcastle||Trojan:Win32/Wacatac.C!ml||Sasaki Shu email@example.comfirstname.lastname@example.org|
|May 1, 2020||Shipment // CH2 Invoice - PI- #5342430 -SEA Cargo||Trojan:Win32/Wacatac.C!ml||DHL=C2=A0Express||Target Not Disclosed|
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a large percentage of these malicious emails attempting to deliver Windows trojan malware. Some of the new vessel names used this week include “MV EVER IMPERIAL” and “MV SEA CHAMPION” among others. Notably, we observed “Maersk Kleven” again in our malicious emails index.
Analysts observed another malicious email containing the subject line used last week, “WG: RE : URGENT!!! SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E.” However, this week the email sender and recipients are different. Last week, the emails were being sent from “A.P. Moller – Maersk.(Shanghai, Head Office),” whereas “Babel Markus (Gechter GmbH)” is the sender in this case. Gechter is identified as a German “(Machine) press specialist.”
The email was sent from one employee (Markus) to another employee at the company (Sven). Malicious emails sent within the company tend to be more successful as they are less likely to get caught in mail filters. Many variants of malware use contact lists to propagate across company networks.
It appears that the email originating from last week’s Shanghai Maersk sender targeted Markus Babel, a Sales Manager at Gechter GmbH. The email data was then forwarded from Markus’ email address, in .dat format, to Sven Dresel. It is unclear if this was done intentionally as a security notification or if this is part of the malware infection process. There was no message body observed in the forwarded version of the email which is suspicious.
In a separate malicious email, with subject line “M/V Amir Joy PDA REQUESTb” analysts observed attackers impersonating the “procurement” division of a company. As with many malicious emails, the salutation is generic – “Dear sirs,.”
The email attachments, when opened, immediately trigger an alert from a Windows AV engine. The malware is identified as a phishing attempt “Trojan:HTML/Phish.” When each file is opened (“vsl partl Amir1.doc” & “Vssl Picture.xlsm”), it activates a Microsoft sign-in prompt. Notably, the Excel file is .xlsm indicating that macros are enabled.
The email in this case targets a recipient at naver[.]com. Naver is a South Korean online news/search portal. Once the employee enters their credentials into the MS prompt, they would be captured and sent back to the attacker. The attacker can then commit supply chain attacks and target other employees at the company.
The message body of the email mentions the Motor Vessel Amir Joy and the discharge of 18,000 MT of potatoes. As with many malicious emails, there are grammatic and spelling issues. Also noticeable is the lack of professional signature from “Ms. Alma Jones.” Many professionals sign their vessel documentation emails with their contact information and/or a company logo. It is unclear which “office” Alma Jones is coordinating, as the sending domain does not appear to be registered to any legitimate company, let alone one in the maritime industry.
Our Experts Say
Weekly Maritime Watchlist
Top 5 Malicious Maritime Subject Lines
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.