Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates resulting in hundreds of victims per day. They can also automate parts of this process for efficiency. It is critical to implement training for all employees to help identify malicious emails/attachments. This is still the major attack vector for attackers looking to attack a network. These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Malicious Email collection 8 Feb- 4 Mar 21
First Seen |
Subject Line Used |
Malware Detections |
Sending Email |
Targets |
Feb 8, 2021 |
MV AQUA SPLENDOR // PORT AGENCY APPOINTMENT |
Trojan:MSIL/AgentTesla.MTR!MTB |
"Jason Ho ISS-China" Jason_Ho@iss-shipping.com |
iss-shipping.com |
Feb 8, 2021 |
WG: 52196719 - Feuerschaden Erbengemeinschaft Scheu, Neuweiler\r\n Straße 190, 72461 Albstadt - 18513/ms-msc |
HEUR:Trojan.MSOffice.SAgent.gen |
“Monja Schmitt - THEES+PARTNER Beratende Ingenieure PartGmbB” monja.schmitt@thees.de |
thees.de |
Feb 8, 2021 |
MV CAPE SUN-CTM ENQUIRY UMSD49, 000 - AGENT ARRANGEMENT with ETA 26-Jan-20210 |
PWS:MSIL/DarkStealer.AD!MTB |
“Huang Feizhou” sscrm@cmhk.com
|
cmhk.com |
Feb 8, 2021 |
PDA REQUEST |
Program:Win32/Wacapew.C!ml |
“Iliyan Stoyanov INTERTRANS” caf9@dec.com |
7925b11e0f.com |
Feb 9, 2021 |
REQUEST FOR TRANSFER OF CONTAINER NO FFAU6279595510 |
TrojanDownloader:O97M/Powdow.SWM!MTB |
support@tuchalsadikhairhai.digital |
ilfa.de |
Feb 9, 2021 |
RE: Documents Attached for New Sea Shipment//Nastah FCL//20-21/MIL/238 |
Trojan:MSIL/AgentTesla.KO!MTB |
“Mit_freundlichen üß.” 10658788@thyssenkrupp.com |
Targets Not Disclosed |
Feb 9, 2021 |
Re: RE: DOORMOVE CONTAINER QUESTIONS MBL SMLMSEL0F0333200 CTNR CAIU6468623 |
TrojanDownloader:O97M/Qakbot.RVC!MTB |
huseyin.donmez@inanplastics.com |
smlines.com |
Feb 9, 2021 |
Re: SMQT2006E // HAZMAT CARGO -SEL0D0126700 REMINDER *** // USSEA |
TrojanDownloader:O97M/Qakbot.RVC!MTB |
plapointe@camionsdenislussier.com |
smlines.com |
Feb 9, 2021 |
Ocean Freight Payment Notification Of 01_27_2021 |
TrojanDownloader:O97M/Dridex.SS!MTB |
postmaster@vince.com |
mail-relay.msc.com |
Feb 10, 2021 |
RE: Documents Attached for New Sea Shipment//Nastah FCL//20-21/MIL/238 |
TrojanDownloader:O97M/Qakbot.RVC!MTB |
plapointe@camionsdenislussier.com |
smlines.com |
Feb 10, 2021 |
INQUIRY - RIO DE JANEIRO PORT - ETA: 19/12 |
TrojanDownloader:O97M/Dridex.SS!MTB |
postmaster@vince.com |
mail-relay.msc.com |
Feb 10, 2021 |
Re: TOP URGENT MAERSK DELIVERY |
Trojan:Win32/Ymacco.AA8E |
"Maersk Line" office@anthonyveeder.com |
anthonyveeder.com |
Feb 15, 2021 |
[***SPAM*** Score/Req: 08.10/4.4] MAERSK: FINAL PRE-ALERT |
Trojan:MSIL/NanoBot.D!MTB |
“Maersk Notification” 6973711596@xcar.gr |
help.mdaemon.com |
Feb 15, 2021 |
Re: Maersk Booking Confirmation |
Trojan:Win32/AgentTesla!ml |
"Maersk Booking Service" mail@trtox.ml |
trtox.ml |
Feb 15, 2021 |
status of shipment - shipping documents Air/Sea Logistics |
Trojan:Win32/Azorult!ml |
“Vinay Kashyap (DHL)” 60962@f7203790b.in |
60a459f1d8.com |
Feb 16, 2021 |
Re: Maersk Booking Confirmation |
Trojan:Win32/AgentTesla!ml |
"Maersk Booking Service" mail@trtox.ml |
trtox.ml |
Feb 16, 2021 |
VSL: MV FORTUNE TRADER - ORDER: TKHA-K77180011B |
Exploit:O97M/CVE-2017-11882!MTB |
"Nguyen Quang (Mr)" ops@vosavungtau.com |
Targets Not Disclosed |
Feb 17, 2021 |
mv Ina-Lotte - agency appointment |
Exploit:O97M/CVE-2017-11882.ST!MTB |
“Solar Operations” operations@solar.ru |
alvargonzalez.com |
Feb 22, 2021 |
RE: Longstanding Container(s) : 204103842 |
Trojan:Win32/Woreflint.A!cl |
“Thulasi M” dgf.sg.payableinvoices@dhl.com |
dhl.com |
Feb 22, 2021 |
RE:JOB NO: 16280-81-82-83-84-85-86 INV. & P. LIST OF NO.2022499 EQ to 2022505 EQ, FOB BY SEA, TOTAL 81+48+28+8+27+32+17 = 241 CARTONS, PORT: HAMBURG BOOKING FORM//4730-0220-102.056 |
Probably Heur.W97Obfuscated |
"Manoj Salve" 5e81f@d375ba752c.com |
5c621a8c5270.com |
Feb 22, 2021 |
[External]SHIPPING DOCUMENTS / NAT-UVA 0057 / CONTAINER. MNBU7168737 |
Trojan:MSIL/Stealer.DR!MTB |
info2@alliance22.ru |
sunchemical.com |
Feb 24, 2021 |
Arrival notice (Sea shipment * Air shipment: Shipping invoice, B/L, CI, |
Trojan:HTML/Phish.MTL!MTB |
"DHL - Info (DHL/Delivery/Worldwide@dhl.com)" 96f935c3f27@e86c3e2a1.com |
4c6e28732812.com |
Feb 24, 2021 |
Arrival notice (Sea shipment * Air shipment: Shipping invoice, B/L, CI, |
Trojan:HTML/Phish.MTL!MTB |
"DHL - Info (DHL/Delivery/Worldwide@dhl.com)" 96f935c3f27@e86c3e2a1.com |
e948985d9c1.org |
Feb 24, 2021 |
Arrival notice (Sea shipment * Air shipment: Shipping invoice, B/L, CI, |
Trojan:HTML/Phish.MTL!MTB |
"DHL - Info (DHL/Delivery/Worldwide@dhl.com)" 96f935c3f27@e86c3e2a1.com |
e948985d9c1.org |
Feb 24, 2021 |
Arrival notice (Sea shipment * Air shipment: Shipping invoice, B/L, CI, |
Trojan:HTML/Phish.MTL!MTB |
"DHL - Info (DHL/Delivery/Worldwide@dhl.com)" 96f935c3f27@e86c3e2a1.com |
e948985d9c1.org |
Feb 24, 2021 |
Arrival notice (Sea shipment * Air shipment: Shipping invoice, B/L, CI, |
Trojan:HTML/Phish.MTL!MTB |
"DHL - Info (DHL/Delivery/Worldwide@dhl.com)" 96f935c3f27@e86c3e2a1.com |
e948985d9c1.org |
Feb 25, 2021 |
Mv AOM Julia // Arrival Notice |
Trojan:Win32/Tiggre!rfn |
Kelly Chen 3d25e@6811913.com |
Targets Not Disclosed |
Feb 25, 2021 |
Today Vessel LineUp |
Trojan:MSIL/AgentTesla.AM!MTB |
“Vessel Update” 9b8d58b51c58028@5b60b2e1a7419c3c6.br |
30718da8.eg |
Feb 25, 2021 |
DOHA PORT RE-DEVELOPMENT PROJECT-CONSTRUCTION OF SPORTS MARINA AND\r\n CONTAINER PARK WORKS |
Trojan:PDF/Phish!MSR |
“Abdelnaser Abu-Eshtayya” 4707b443c2@955497607.com |
955497607.com |
February 26, 2021 |
Booking of 1x20\' container against Invoice No. SDE/20-20/12 |
Trojan:MSIL/Kryptik.ST!MTB |
“Celly Cui (DHL CN)” celly.cui@dhl.com |
electroputere.ro |
Mar 1, 2021 |
Re: DHL Cargo Delivery |
Trojan:Win32/Woreflint.A!cl |
“DHL Express Cargo” NoReply.ODD@dhl.com |
Targets Not Disclosed |
Mar 1, 2021 |
Freight Payment Notification Of 03_01_2021 |
TrojanDownloader:O97M/Dridex.ARJ!MTB |
“MSC MEDITERRANEAN SHIPPING COMPANY (USA) INC.” <Jaden.Nicholson@msc.com> |
asmodei.net |
Mar 1, 2021 |
[!!Spam]Ocean Freight overdue invoice Of 03_01_2021 |
TrojanDownloader:O97M/Dridex.ARJ!MTB |
“MSC MEDITERRANEAN SHIPPING COMPANY (USA) INC.” Jaden.Nicholson@msc.com |
asmodei.net |
Mar 1, 2021 |
Ocean Freight Payment Notification Of 03_01_2021 |
TrojanDownloader:O97M/Dridex.ARJ!MTB |
“MSC Inc.” Bernard.Burton@msc.com |
backhaus-kutzer.de |
Mar 2, 2021 |
Ocean Freight Payment Notification Of 03_01_2021 |
TrojanDownloader:O97M/Dridex.ARJ!MTB |
“msc.com” Nathaniel.Law@msc.com |
mayhew.com |
Mar 2, 2021 |
***SPAM*** Freight Payment Notification Of 03_01_2021 |
TrojanDownloader:O97M/Dridex.ARJ!MTB |
“MSC Inc.” Raul.Wright@msc.com |
carou.eu |
Mar 2, 2021 |
PORT INFO - M/V SOHO TRADER LOADING 55,000 MT OF STEAM COAL |
Trojan:Win32/Wacatac.B!ml |
“FLAME SA” caf9@00a255c.ch |
dfb80f1afb.net |
Mar 3, 2021 |
MAERSK LINE STATEMENT OF ACCOUNT 05 MAR 2020 |
HEUR:Backdoor.Win32.Androm.vho |
“Chen” yan.chen@maersk.com |
cmlog.com |
Mar 3, 2021 |
GRANDE APOLLONOS (Ro-Ro cargo) APPAREILLAGE-MYCONOS-GREECE |
Trojan:Win32/Lokibot.SMC!MTB |
“Business Development Officer” ranjan@navi-visaglobal.com |
Targets Not Disclosed |
Mar 4, 2021 |
MULTIMAX TBN - PORT INQUIRY FOR DISCHARGE |
Trojan:MSIL/Stealer.DR!MTB |
"mpp.ops@hsshpg.com" mpp_ops@hsshpg.com |
hsshpg.com |
Mar 4, 2021 |
MV RELIANCE/AGENCY APPOINTMENT |
Trojan:Win32/Wacatac.B!ml |
“FORTUNE STAR SHIPPING PTE LTD” hello@sgpbusiness.com |
visionit.com |
Mar 4, 2021 |
[DHL] SC# 84979926 Cargo Delivery |
Trojan:MSIL/Kryptik.VC!MTB |
“Anunayi Kumari Kar {DHL}” Procurement_Help_IN@dhl.com |
electroputere.ro |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Soho Trader” among others. Red Sky Alliance has been monitoring a continuous campaign in which threat actors are impersonating the Mediterranean Shipping Company (MSC) while spreading Dridex malware through malicious email attachments. The attackers are re-using TTP’s to target numerous different targets around the globe in a variety of industries.
Beginning at the end of January, analysts began observing these malicious emails and since then have continued to see the same tactics used multiple times. While it appears, the attackers are spoofing MSC employees at this time, analysts are also monitoring for any malicious emails which appear to be sent by an MSC account which has been taken over.
Although the company was hit by a significant cyber attack last year, Red Sky Alliance is unable to identify any connections between the impersonation campaign and last year’s MSC outage. Red Sky Alliance has not received a response yet from the company regarding these impersonation attacks, but analysts expect that at least some of the targeted businesses use the shipping as part of their supply chain.
The most recent emails follow the exact same patterns analysts have observed since January. These attackers will impersonate MSC employees which do not exist, according to open-source data. They continue to use dozens of unique aliases but not one of the sending emails is seen in open source; indicating that the attackers are using alias names. However, they appear to be using the proper sending email format (first.last@msc[.]com) which shows they have done some measure of reconnaissance on the company.
Commonalities between these emails remain the same:
The malicious email attachment titled “Statement_as_of_(DD_MMM_YYY).xlsm” is an updated version of the file reported in last week’s maritime report (WR-21-032-006). Note the .xlsm file extension. This indicates that the spreadsheet will open in Excel with Macros enabled (used to activate the malware).
Figure 4 - Malicious .xlsm attachment Open in Excel
In 2021, Red Sky Alliance has already observed supply chain attacks. Maritime employees should be suspicious of any emails using generic greetings such as “Dear Valued Customer” or generic email signatures such as “Credit and Collections Dept.” If attackers are eventually able to bypass webmail filters, their malware is likely to infect at least one unsuspecting user who is curious about the “redacted” email they just received or concerned about an “overdue balance” that they do not owe.
If the targets were to activate this malware on their systems, they would infect their machines with Dridex malware. This malware, which was first observed in 2011, can install other malicious modules on the system. It has also been used to install ransomware on a company network (typically BitPaymer or DopplePaymer). The malware is flexible and has the ability to perform numerous actions under the direction of a command and control server. One of the more interesting aspects of these attacks is the variety in the targeted companies. These attackers are targeting companies across various industries such as manufacturing, entertainment/gaming, and technology.[1] Ransomware - malware
These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to: