"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partner, Red Sky Alliance, performs weekly queries of its backend databases to identify all new data containing Motor Vessel (MV) or Motor Tanker (MT) in the subject line of malicious emails. Use of the Motor Vessel (MV) or Motor Tanker (MT) keyword in the subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
With our cyber security partner we are providing a weekly list of Motor Vessels observed being impersonated, together with the associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies. Users should be aware of the subject lines used and of the email addresses attempting to deliver these messages.
| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
| --- | --- | --- | --- | --- |
| Jul 11, 2020 | Quote # 5780 -LCL-AS/PO/- PR#61007114 | Exploit:O97M/CVE-2017-11882.PRT!MTB | "Ushasiam" <samran@ushasiam.com> | safeguard-technology.com |
| Jul 11, 2020 | Arrival Notice of B/L SURRENER#MEDUMH113885 on Maersk received | HTML/PhishMaersk.E!tr | "Maersk Line" <A1sclsGrI1mGQPUHzl6C4@smt.wirebag.jp> | anquimico.com |
| Jul 13, 2020 | MV TBN CALL PORT FOR LOADING COAL | Trojan:MSIL/AgentTesla.Z!MTB | "acct@fiveocean.co.kr" <c4b8@5afba77d.net> | 5afba77d.net |
| Jul 13, 2020 | Fw:RE:FW: Air shipment port, details - PO: tbd2218728 | TrojanSpy:Win32/Swotter.A!bit | "Ramses Abdul" <importacao@newimportexport.com.br> | largan.com.tw |
| Jul 13, 2020 | MV PRABHU SAKHAWAT NOMINATION | HEUR:Trojan-Downloader.Script.Generic | "Sunnytrans Co., Ltd" <caf9@836c5b73a000f8.vn> | a694174ef.com |
| Jul 13, 2020 | MV Hazel Carina | Exploit:O97M/CVE-2017-8570.BBE!MTB | "Rosa Mora" <72964@1aaba1368d.com> | a694174ef.com |
| Jul 13, 2020 | [*** FRAUD ***] ARRIVAL NOTICE //MV CARIBE ANGELA// 20AMBSIN007127 | MSOffice/CVE_2017_0199.A!exploit | "SK SHIPPING CO., LTD." <jdmoon@skshipping.com> | Targets Not Disclosed |
| Jul 13, 2020 | Maersk Notification_Shipment /FCL/LCL/Delivery Report, CI, | TrojanDownloader:O97M/Obfuse.YI!MTB | "Amit Bhardwaj / DEL IS" <6bfe21d@9e555352b66.sa> | Targets Not Disclosed |
| Jul 13, 2020 | INVOICE USA EXPORT SEA SHIPMENT LIST | Trojan:Win32/Wacatac.C!ml | "Ariadna Ortiz" <info@decentlogistics.com> | decentlogistics.com |
| Jul 13, 2020 | MV PRABHU SAKHAWAT APPOINTMENT | Trojan:Script/Foretype.A!ml | "Wilhelmsen Ships Service" <aece0dd0bc09c8@d8b31b9ec9.com> | ad2796f954db1a.com |
| Jul 13, 2020 | MV 18,800 Mt cotton woven garments | Trojan:Script/Oneeva.A!ml | "Ian Cummings" <6a51e90aba77@08a4e5416ef8.com> | a694174ef.com |
| Jul 13, 2020 | Vessel Particulars | Exploit:O97M/CVE-2017-8570.BBE!MTB | "MIDEAST-YEMEN SHIPPING CO.LTD" <0bb6eab@c4764a046be66e.com> | a20ccf53babe3e.com |
| Jul 15, 2020 | SEA, ETD:JUNE 12,2020 | Trojan:Win32/Ymacco.AA81 | "=Ikhvw6BuZyBMb25nIg===" <hoanglong.dkhanoisb@gmail.com> | dsec.co.kr |
| Jul 15, 2020 | RE: Arrival Notice For BL - 120910126192 / Vessel - MV Crystal BAY / | Exploit:O97M/CVE-2017-0199!MTB | "Microsoft Outlook" <MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@almadinatakaful.onmicrosoft.com> | almadinatakaful.com |
| Jul 16, 2020 | Cargo already came to the seaport. | TrojanDropper:O97M/Powdow.J!MTB | info@demo97.hu | tti-emea.com |
| Jul 17, 2020 | PDA Query - 180397-06-29-20 Port Agency Appointment | Exploit:O97M/CVE-2017-11882.AT!MTB | PDA-screeners <d390ee0864f9f@c105918.com> | 30718da8.eg |
| Jul 17, 2020 | Request for Quotation ( Port Project) - (LOI Ref: P.O3K60687QR2020) | Trojan:MSIL/AgentTesla.MK!MTB | Ahmad Alkhodari <Ahmad.alkhodari@metalyapi.com.tr> | Targets Not Disclosed |
| Jul 17, 2020 | [***SPAM*** Score/Req: 04.70/4.4] OFFICAL ARRIVAL NOTIFICATION - MV STELLAR WALVIS BAY VOY 028E / BILL OF LADING - ETA 2020/07/17 | PWS:Win32/Fareit.AQ!MTB | MAERSK-LINE <Maersk@jeragh-lighting.com> | maersk.com |
| Jul 17, 2020 | Mv Arkadiy Chernyshev/Call for disch logs 8000cbms | Trojan:MSIL/Formbook.MK!MTB | "HOSCO AGENCY(YMS)" <agencyqhd@hoscogroup.com> | hoscogroup.com |
| Subject Line Used | Email Sender Using Subject Line | Times Seen |
| --- | --- | --- |
| RE: Arrival Notice For BL - 120910126192 / Vessel - MV Crystal BAY / Voyage - 19014S | "SK SHIPPING CO., LTD." <jdmoon@skshipping.com> | 9 |
| Maersk Notification_Shipment /FCL/LCL/Delivery Report, CI, | Amit Bhardwaj / DEL IS <6bfe21d@9e555352b66.sa> | 5 |
| PDA Query - 180397-06-29-20 Port Agency Appointment | "PDA-screeners" <d390ee0864f9f@c105918.com> | 4 |
| MV TBN CALL PORT FOR LOADING COAL | "acct@fiveocean.co.kr" <c4b8@5afba77d.net> | 3 |
| INVOICE-09.10.17 | Maersk \| Integrated Container Logistics & Supply <90ab0@12d584044.pk> | 3 |
In the above collection, we see malicious actors using vessel names to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. New vessel names used this week include "MV TBN" (To Be Named) and "MV Arkadiy Chernyshev", among others; "MV Arkadiy Chernyshev" has been observed in malicious email subject lines as far back as December 2019. Collections data also continues to show "Ushasiam" <samran@ushasiam.com> sending malicious emails to recipients at safeguard-technology.com. It is unclear whether the attacker has automated the sending of these emails, as all of the header information (sender, recipient, subject line, malware sent, etc.) remains the same each time. The domain belongs to Usha Siam Steel Industries, the largest wire rope manufacturer in Thailand, so these attacks are likely to continue.
As with last week, analysts observed the same motor vessel being used in two unique subject lines - “MV PRABHU SAKHAWAT NOMINATION” and “MV PRABHU SAKHAWAT APPOINTMENT.” This vessel is currently sailing under the Indian flag from Japan to Indonesia. The main difference between these subject lines and the two used last week is that the sender is unique for each subject line. Each subject line is also used to target a unique victim.
The first malicious email impersonates Wilhelmsen Ships Service which claims to have the world’s largest maritime services network. When it comes to developing a positive business plan, having a massive network is great. However, having an expansive network means you have much to protect. The second email sender identifies himself as Sunnytrans Co., Ltd. Both companies are part of the Wilhelmsen Sunnytrans Co., Ltd joint venture between Wilh. Wilhelmsen of Norway and Sunny Transportation of Vietnam.[1]
As seen below, there are a few key points to compare and contrast in the malicious emails that were sent. One malicious email uses the term "appointment" instead of "nomination" in the subject line, but it is also notable that the names of the attached files are unique. Both emails contain one malicious MS Excel and one malicious MS Word file attachment. In the "nomination" email, the attacker uses the vessel name in the Word filename and the term "VSSL" (a common abbreviation of vessel) in the Excel filename. Both filenames are chosen to pass as legitimate business documents. The "appointment" email, however, uses filenames that give no indication of what is contained inside ("0000272277272.xlsm" and "DOCX.doc"). This type of activity likely indicates a group of attackers rather than one individual sending separate emails.
CVE-2017-11882 remains one of the most common exploits seen in Red Sky Alliance collections. Although a security update is available to mitigate this risk, the attackers in this case attempt to exploit the vulnerability with the attached MS Word documents. The attachments may have had unique filenames, but both .doc files contained Exploit:O97M/CVE-2017-8570.BBE!MTB malware. This malware acts on behalf of the victim with the same permissions as the current user; in other words, if the victim is signed into an account with elevated privileges, the attacker obtains that same level of access.
Analysts observed another malicious email which was identified as spam by an email filter: "[***SPAM*** Score/Req: 04.70/4.4] OFFICAL ARRIVAL NOTIFICATION - MV STELLAR WALVIS BAY VOY 028E / BILL OF LADING - ETA 2020/07/17." The obvious question becomes "who in their right mind would open an email clearly labeled as 'spam' by a webmail filter?" One would argue that any untrained employee might open this email if they found the rest of the subject line interesting enough.
Although a company like Maersk likely has a strong cybersecurity infrastructure in place, especially after NotPetya in 2017, this is a prime case study of an impersonation attempt. The attacker impersonates Maersk while targeting employees at the company. This is a common tactic that bad actors use while targeting a company. In this case, a user may see that the subject line says spam, but the sender header says it is from “Maersk” and open the email anyway.
The sender uses the alias "MAERSK-LINE" but the sending address is "Maersk@jeragh-lighting[.]com." There is a website registered to that domain (jeragh-lighting[.]com) for a lighting company in Kuwait. It is possible this mailbox is used specifically for communications between Jeragh Lighting and Maersk. It is also unclear whether this is a legitimate account that was taken over by an attacker or an account created specifically to attack Maersk. The sender was targeting the customer care email address at Maersk.
The message body contains a Maersk logo and appears professional. The sender signs the email as “Roy Jones, Customer Service, Caribbean Third Party Agents-Guyana” and references an attached “Official Arrival Notification and Bill of Lading copy” PDF. The attached file is not actually a PDF, however.
The attached file is an image named "MAERSK_BILL OF LADING_910727869.pdf.img." Even though the file name contains "pdf", it is actually a .img file containing PWS:Win32/Fareit.AQ!MTB malware. Fareit malware, originally discovered in 2012, routinely undergoes changes in its code to bypass antivirus and IPS detection. According to TrendMicro,[2] its most common routines include:
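As an added example (not part of the report), this Python function flags the attachment-naming tricks discussed above: a decoy ".pdf" placed in front of a real ".img" container, macro-enabled or opaquely named files such as "0000272277272.xlsm" and "DOCX.doc", and a claimed PDF whose first bytes are not a PDF signature. The extension sets and the sample bytes are constructed for the example.

```python
import re

DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
CONTAINER_EXT = {"img", "iso", "vhd", "vhdx", "zip", "rar", "7z", "ace"}
EXEC_EXT = {"exe", "scr", "js", "vbs", "jar", "lnk", "hta", "bat", "cmd"}
MACRO_EXT = {"xlsm", "docm", "pptm", "xlam"}
# Leading bytes a genuine file of that type starts with (well-known signatures).
MAGIC = {"pdf": b"%PDF-", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
         "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0"}


def attachment_findings(filename: str, head: bytes = b"") -> list[str]:
    """Reasons an attachment name (and, if given, its first bytes) looks deceptive."""
    parts = filename.lower().split(".")
    base, exts = parts[0], parts[1:]
    if not exts:
        return ["no extension"]
    last = exts[-1]
    reasons = []
    # "x.pdf.img": a document extension placed before the real container/executable one.
    decoys = [e for e in exts[:-1] if e in DOC_EXT]
    if decoys and last in CONTAINER_EXT | EXEC_EXT:
        reasons.append(f"decoy .{decoys[-1]} in front of real .{last} extension")
    if last in CONTAINER_EXT:
        reasons.append(f".{last} disk image/archive hides its payload from mail filters")
    if last in EXEC_EXT:
        reasons.append(f".{last} is directly executable")
    if last in MACRO_EXT:
        reasons.append(f".{last} is a macro-enabled Office file")
    # "DOCX.doc" and "0000272277272.xlsm": names that describe nothing about the content.
    if len(parts) == 2 and base in DOC_EXT | MACRO_EXT:
        reasons.append("base name is just a file-type word")
    elif re.fullmatch(r"\d+", base):
        reasons.append("purely numeric base name says nothing about contents")
    # A file claiming to be a PDF but not starting with %PDF- is not a PDF.
    if head and last in MAGIC and not head.startswith(MAGIC[last]):
        reasons.append(f"content does not start like a .{last} file")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the attachment names discussed in this report, plus a
    # claimed PDF whose first bytes are really an OLE (legacy Office) header.
    samples = [("MAERSK_BILL OF LADING_910727869.pdf.img", b""),
               ("0000272277272.xlsm", b""), ("DOCX.doc", b""),
               ("Official Arrival Notification.pdf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")]
    for name, head in samples:
        print(name, "->", attachment_findings(name, head) or "nothing unusual")
```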
While many people are trying to manage the shifting cyber landscape of 2020, attackers continue to use tried and true malicious TTPs. Tactics such as disguising email senders, filenames, and other parts of an email message may be partially aimed at bypassing technological filters, but they are mostly aimed at tricking the person reading the email. If an attacker can get a malicious email to a user with elevated privileges, it may get flagged as malware, but often the human can override that alert and activate the malware anyway. This may sound foreign to those trained in cyber, but how much do you think a business employee cares about their privilege level or an AV alert when they are in a rush to download a client file or request? A better question is how much are you willing to bet on your employees' level of awareness?
[1] http://sunnytrans.com.vn/san-pham/41/liner-logistics.html
[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/fareit
These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability for one or all of those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Pre-emptive information from Red Sky Alliance's RedXray diagnostic tool, together with our Vessel Impersonation reports and Maritime Blacklists, offers a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope that staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to: