The case for pre-emptive defence
Vessel Impersonation Report
Tactical Cyber Intelligence Reporting
|First Seen||Subject Line Used||Malware Detections||Sending Email||Targets|
|Feb 14, 2020||MV OCEAN HERO : CTM DELIVERY||Trojan:Win32/AutoitInject.BH!MTB||"Remittance Dept" firstname.lastname@example.org||adsale-hk.com|
|Feb 14, 2020||CORONA VIRUS / AFFECTED VESSEL TO AVOID||VBS/Agent.VT!tr||World health organization email@example.com||ntu.edu.sg, portauthority.com|
|Feb 14, 2020||MV Ivy Ocean - agency appointment||Trojan:VBS/Sonbokli.A!cl||FAIRWIND INTERNATIONAL SHIPPING CO., LTD firstname.lastname@example.org||Target not disclosed|
|Feb 14, 2020||OCEAN BREEZE CHARTERING ORDER LIST P.O #345267||Trojan:Win32/Wacatac.C!ml||"Mamunul Hoque" email@example.com||mozadom.ml|
|Feb 16, 2020||MV WAF PASSION||Trojan:Win32/Wacatac.D!ml||"firstname.lastname@example.org" email@example.com||e1.co.kr|
|Feb 17, 2020||M.V. GLORY WISDOM discharging about 5,000mt of H-BEAM.||Trojan:Win32/Wacatac.D!ml||"Glory shipping Co., Ltd." firstname.lastname@example.org||Target not disclosed|
|Feb 17, 2020||VSL \"Mt Rainbow \" ETA. & PDA.||Trojan:Win32/Wacatac.D!ml||Leon z-Well Line Shanghaiteamops@welllinesh.com||lsnikko.com|
|Feb 17, 2020||RE: M.T. SWAN BALIC Q060005531 - 0610126||MSWord/Agent.BUH!tr||HUA SHIPPING|
TRADING GROUP email@example.com
|Feb 18, 2020||NOTICE OF ARRIVAL VSL M/T HANYU GLORY||Exploit:O97M/CVE-2017-11882.ARJ!MTB||HK Marine - OPS-ADMIN firstname.lastname@example.org||yamatosingapore.com|
|Feb 18, 2020||Port agency appointment for M/V OCEANIA||Trojan:Win32/Wacatac.D!ml||"Alvin Yew"email@example.com||kraeber.de|
|Feb 18, 2020||MV GOODLUCK berthing Call/PDA Request||Trojan:Win32/Wacatac.C!ml||"Shinsung Shipping CO. LTD" firstname.lastname@example.org||Target not disclosed.|
|Feb 18, 2020||Fw: RE : RE : URGENT!!! SHIPPING DOCUMENTS // MAERSK KLEVEN V.949E // CLGQOE191781 //||MSOffice/Agent.SS!exploit||A.P. Moller - Maersk. [mailto:email@example.com]||lottechem.my|
In the above collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we see a large percentage of these malicious emails attempting to deliver Wacatac, with the D variant showing up for the first time. Vessel names seen include “MV WAF PASSION”, and “MV OCEAN HERO” among others. One malicious email included in our report this week does not attempt to impersonate a vessel. However, it attempts to impersonate a Corona Virus advisory from the World Health Organization warning of vessels with infected crew.
An email was observed attempting to impersonate “MV OCEAN HERO” using a subject line of “MV OCEAN HERO : CTM DELIVERY”. According to maritimetraffic.com, this name is shared by a Singaporean Oil/Chemical tanker, a Panamanian general cargo carrier, and another general cargo ship sailing under the Hong Kong flag. It is unclear which, if any, the attackers were attempting to impersonate. Or, if they were simply trying to increase their chances of success with a recipient being familiar with the vessel name and opening the email.
Analysis reveals that the malicious email was sent to a recipient at the adsale-hk.com domain. Although this domain holds only a parking page hosted by Texas ISP Confluence Networks, it could be that the attackers were attempting to target adsale.hk.com, a Chinese trade media group.
The message contains an attached Excel spreadsheet identified by Microsoft as the Trojan:Win32/AutoitInject.BH!MTB malware. The message body contains a request Cash To Master services in the amount of $60,000 USD referencing an attached document for details. However, opening the attachment could activate the malware. The malware exploits the Auto-IT IT automation suite to perform actions on target. Historical Trojan:Win32/AutoitInject.BH!MTB samples have delivered ransomware and credential stealing payloads.
In another example, we see an email attempting to impersonate the vessel “MV WAF PASSION” using the subject line “MV WAF PASSION – PDA”.
The vessel name belonged to a Sri Lankan General Cargo vessel until October 5, 2019 when the name was changed to ZEA PASSION and then changed again to MERCS PASSION at an unknown time.
Analysis of the email headers show it was sent from a Chicago, Illinois IP address hosted by Unreal Servers to a recipient at the e1.co.kr domain hosted by South Korean ISP LG DACOM Corporation. E1 is a South Korean liquefied petroleum gas (LPG) importer that claims to control 50% of the country’s LPG imports. Interestingly, the message has a suspicious Reply-To email address (firstname.lastname@example.org) that is not affiliated with the impersonated sender.
An attachment titled “MV WAF PASSION.rar” is identified by Microsoft as “Trojan:Win32/Wacatac.C!ml”. This malware can “perform a number of actions of a malicious hacker’s choice on your PC.”
The subject line “CORONA VIRUS / AFFECTED VESSEL TO AVOID” suggests the message contains a list of vessels with infected crew. However, the message body provides guidelines and procedures for ships Masters to avoid crew infection. There are also numerous calls to action in the message body enticing recipients to open, fill out, and return the attached forms by email. The attached document, an Excel spreadsheet named “”CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm” echoes the subject line in its promise to reveal affected (infected) crew and vessels. With the Corona Virus being a hot topic globally, this tactic could evoke an emotional response in the recipient causing them to open the message without looking closely for indications of a spoofed message, which could trigger the malware.Lastly, A malicious email was observed impersonating the World Health Organization (WHO), specifically Monika Kosinska, Project Manager at the WHO Regional Office for Europe. The email was sent from a Coventry, United Kingdom IP address hosted by Fat Shark, Ltd. (sharkservers.co.uk) to recipients at the ntu.edu.sg and portauthority.com domains. The domain ntu.edu.sg is owned by Nanyang Technological University, Singapore. The portauthority.com domain redirects to www.ports.com and resolves to a London, United Kingdom based IP address hosted by World News PTE. LTD.
Typically, the use of language is a good indicator of a spoofed message. Errors in grammar and punctuation can indicate a non-native English speaker originated a message. This is especially indicative when the attacker is trying to impersonate a sender who is expected to fluently speak and write the language. Overall, the use of language in this message is good, but on close inspection there are punctuation errors, capitalization errors, and slight phrasing issues throughout. These are errors that a former resident of the UK, Kings College graduate, and fluent English language speaker like Ms. Kosinska is unlikely to make.
Our Experts Say
Weekly Maritime Watchlist
Top 5 Malicious Maritime Email Senders
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.