Tactical Cyber Intelligence Reporting
Vessel Impersonation Report Feb Wk4
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Feb 20, 2020 | ARRIVAL NOTICE MV. TAHO EUROP | Trojan:Win32/Vigorf.A | firstname.lastname@example.org | Target not disclosed |
| Feb 21, 2020 | RE : MV OCEAN PRIDE V083 - PORT AGENT NOMINATION | Trojan:Win32/Wacatac.C!ml | "FAR EAST LINES LIMITED" email@example.com | Target not disclosed |
| Feb 21, 2020 | M.V. “Ever Success” docking repair on mid of Mar | Trojan:Win32/Lokibot.ART!eml | "Stavros Labrinakos" firstname.lastname@example.org | taxgate.gr |
| Feb 21, 2020 | NOMINATION//MV SHINSUNG BRIGHT V20004 KWG-NSA DISH STEEL PRODUCT 5700MT (POSCO) | Trojan:Win32/Wacatac.C | email@example.com | e1.co.kr |
| Feb 23, 2020 | Ocean Network Express (Europe) Ltd:BL/OLYAEYSZPBP1110-75370021 | Trojan:Win32/Wacatac.D!ml | "7ZWc7J287ZmY6rK96riw7Iig" firstname.lastname@example.org | naver.com |
| Feb 24, 2020 | BUNKER ESTIMATE - M/V GOLDEN STAR | Trojan:Win32/Tiggre!ctv | OPERATIONS@LABCOSULICH.COM | Target not disclosed |
| Feb 24, 2020 | Fwd: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH LIGHT CRUDE OIL. | Trojan:Win32/Sonbokli.A!cl | "Grabiel Alexander Ordinola Gonzales" email@example.com | holascharff.com |
| Feb 25, 2020 | OCEAN BREEZE CHARTERING ORDER LIST P.O #345267 | Trojan:Win32/Wacatac.C!ml | "Mamunul Hoque" firstname.lastname@example.org | Target not disclosed |
| Feb 25, 2020 | MV LUCKY SOURCE V.2003 - EPDA OF DISCHARGE STL PRODUCTS AT HK PORT | Trojan:Win32/Wacatac.D!ml | "email@example.com" firstname.lastname@example.org | Target not disclosed |
| Feb 25, 2020 | RE: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH | Trojan:Win32/Sonbokli.A!cl | "FPSHIPPING(SINGAPORE)PTE.LTD." email@example.com | holascharff.com |
| Feb 26, 2020 | FW: MV PACIFIC SELINA- Dry-docking Repair Specification | Trojan:Win32/VBObfuse.SO!eml | CHINA SHIPPING BULK CO., LTD firstname.lastname@example.org | Target not disclosed |
| Feb 26, 2020 | Re: Nord Treasure - Calling Port Elizabeth // Items for Quotation// | Trojan:Win32/Sonbokli.A!cl | Master.NordTreasures@telaurus.net | telaurus.net |
In the collection above, malicious actors use vessel names to spoof companies in the maritime supply chain. This week a large percentage of these malicious emails attempt to deliver Wacatac, with both the C and D variants appearing. Vessel names seen include “MV. TAHO EUROP” and “M/T TORM HARDRADA”, among others.
An email was observed attempting to impersonate “MV Golden Star” using the subject line “BUNKER ESTIMATE – M/V GOLDEN STAR”. According to maritimetraffic.com, this vessel name is very common and is used by multiple different carriers.
Analysis reveals that the malicious email was sent from a typosquatted domain. The sender domain is “Labcosulich[.]com”, an apparent typosquat of the legitimate domain owned by the Italian marine/energy services company Lab Cosulich Consultants, “labcosulichconsultants[.]com”.
The message contains an attached Excel spreadsheet identified by Microsoft as the Trojan:Win32/Tiggre!ctv malware. The message body consists of a bunkering order for the vessel and the costs associated with that order. Opening the attachment titled “MV-GOLDEN STAR.xlsx”, however, could activate the malware. Trojan:Win32/Tiggre!ctv is Windows malware that commonly infects victims in order to use their computing resources for cryptocurrency mining.
In another example, we see an email attempting to impersonate the vessel “M/T TORM HARDRADA” using the subject line “RE: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH”.
The vessel name belongs to a Singaporean crude oil tanker destined for Veracruz, Mexico. Analysis of the email shows it was sent to a Peruvian freight company called Scharff. The email was sent from a Google mail server, but the sender identifies themselves as part of FP Shipping, a Singaporean freight company.
An attachment titled “MT TORM HARDRADA.xlsx” is identified by Microsoft's antivirus engine as Trojan:Win32/Sonbokli.A!cl. This malware uses PowerShell to connect to command and control servers and download additional malware onto the victim's device.
Lastly, a malicious email was sent from “Ever Grand Logistics Limited”, specifically from a Hunter Yang. The email was sent from and received at the same address; however, the Reply-To address is a Gmail account, “johnybmt@gmail[.]com”. This address has been used to target multiple other maritime targets as far back as July 2019. The subject line “NOMINATION//MV SHINSUNG BRIGHT V20004 KWG-NSA DISH STEEL PRODUCT 5700MT (POSCO)” suggests the message contains information about the vessel. However, the email actually contains Trojan:Win32/Wacatac.C!ml malware disguised as “MV SHINSUNG BRIGHT V20004.rar”. The message comes across as very polite, but it is clear from the sentence structure that the sender is not a native English speaker.
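The three indicators the analysis above relies on (a sender domain that truncates a known supplier's domain, a Reply-To pointing at a webmail account that differs from the sender domain, and a vessel-themed subject paired with a risky attachment type) can be checked mechanically at the mail gateway. The script below is an added example, not Red Sky Alliance's tooling; the supplier allow-list and the sample messages are constructed, and only labcosulichconsultants[.]com and the Gmail Reply-To come from the report.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed allow-list of suppliers the organisation legitimately deals with;
# labcosulichconsultants.com is the legitimate domain named in the report.
KNOWN_SUPPLIERS = {"labcosulichconsultants.com"}
RISKY_EXT = {".rar", ".zip", ".iso", ".xlsx", ".xlsm", ".exe", ".js"}
# Vessel prefixes seen in the report's subject lines (MV., M/V, M/T, M.V.), optionally quoted.
VESSEL_RE = re.compile(r"\bM\.?/?[VT]\.?\s*[\"\u201c]?\s*[A-Z]", re.I)

def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def lookalike_supplier(domain):
    """Return the supplier domain that `domain` imitates by truncation, if any."""
    label = domain.split(".")[0]
    for legit in KNOWN_SUPPLIERS:
        llabel = legit.split(".")[0]
        if domain != legit and len(label) >= 6 and (llabel.startswith(label) or label.startswith(llabel)):
            return legit
    return None

def triage(msg):
    """Collect the indicators the report walks through for one parsed message."""
    findings = []
    sender = domain_of(msg["From"])
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != sender:
        findings.append(f"reply-to goes to {domain_of(reply_to)}, not sender domain {sender}")
    legit = lookalike_supplier(sender)
    if legit:
        findings.append(f"sender domain {sender} resembles supplier {legit}")
    vessel_subject = bool(VESSEL_RE.search(msg.get("Subject", "")))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if vessel_subject and ext in RISKY_EXT:
            findings.append(f"vessel-themed subject with {ext} attachment {name!r}")
    return findings

def build_sample(sender, subject, filename, reply_to=None):
    """Constructed test message with a harmless placeholder attachment (not a real sample)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please find the estimate attached.")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=filename)
    return msg
```

Run against the Golden Star message, `triage` reports both the typosquat and the spreadsheet; against the Shinsung Bright message it reports the Gmail Reply-To and the .rar archive, while a genuine supplier invoice yields no findings.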
Our Experts Say
The more convincing an email appears, the greater the chance employees will fall for the scam. To address this residual risk, software-based protection should be treated as one component of a wider strategy that also covers the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress constant attention to the real-world consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify supply chain emails before acting on them.
- Use Red Sky Alliance RedXray proactive support, our vessel impersonation information, and the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.