"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
First Seen |
Subject Line Used |
Malware Detections |
Sending Email |
Targets |
Jun 22, 2020 |
RE: PO 525 - Japanese Marine pump inquiry - DC project - Hong Ha shipyard (QE190912R00) |
TrojanSpy:MSIL/AgentTesla.AB!MTB |
m-kiire@naniwa-pump.co.jp |
netbloke.com |
Jun 22, 2020 |
Re: Request for Quotation - MV EVIAPETROL V TRADER |
Trojan:Win32/Ludicrouz.I |
"CHLOE LI" <sales@moton-electric.com> |
moton-electric.com |
Jun 22, 2020 |
CARGO ARRIVAL NOTIFICATION (TNT733918737WA): Confirm Shipping Address |
Trojan:Win32/Wacatac.C!ml |
TNT EXPRESS <aaabf0d@403.com> |
Targets Not Disclosed |
Jun 23, 2020 |
Coral Sea Computers Innisfail Pty Ltd - EFT_5569541 |
Trojan:Script/Foretype.A!ml |
02827@2bbab54951e607.com |
56213c7.au |
Jun 23, 2020 |
MV JIA YU SHAN/Calling lianyungang for discharging bauxite |
Trojan:Win32/Wacatac.C!ml |
"shipping@leleenterprise.com" <b948@00cde920583028.com> |
00cde920583028.com |
Jun 23, 2020 |
Re:Re:Re:Bulk cargo ship |
Trojan:Win32/CryptInject.SN!MTB |
= TXIuIFR1bmcgKOiRo+WFiOeUn++8iQ== = <f8c6b8b36f88@38d7805121302c8.com> |
de97a.com |
Jun 24, 2020 |
Re: //QUOTATION//Re: MV AANYA : REQ. |
Trojan:MSIL/AgentTesla.AE!MTB |
Victoria Perez <vperez@eldorado.com.uy> |
Target Not Disclosed |
Jun 26, 2020 |
MV DA TONG YUN VOY 45 TBN |
Exploit:O97M/CVE-2017-11882.ARJ!MTB |
PLATIN SHIPPING TRADING CO. / ISTANBUL<f7235a61f@3ae52877e0.net> |
ad2796f954db1a.com |
Jun 27, 2020 |
RE: Agency appointment for MV VENUS (VENUS/EST/054/20) |
Exploit:O97M/CVE-2017-0199.BK!MTB |
Vicky Lee <vickylee@shippingagency.cn> |
Target Not Disclosed |
In this week’s collec
Analysts observed subject line “RE: PO 525 - Japanese Marine pump inquiry - DC project - Hong Ha shipyard (QE190912R00)” being used in a malicious emails this week. “PO” is an abbreviation which is commonly used in malicious subject lines to indicate purchase orders. Purchase orders are so common among clients and vendors, that they are also a common disguise malicious use by email senders looking to spread malware.
This malicious email appears to have been sent by, “m-kiire@naniwa-pump.co.jp.” The signature contains a name “Maya Kiire” but their position at the company is unclear. Although this is the first time this user has been observed sending malicious emails, Red Sky Alliance has observed malicious emails being sent from the naniwa-pump[.]co[.]jp domain as far back as September 2019. It is common to see attackers leverage multiple employee accounts to commit cyber-attacks after they have infiltrated a company, or to impersonate multiple employees from the same company.
The message body is very short and implies a previous interaction, thanking the recipient for their “cooperation” and asking the recipient to see the “attached COO (Certificate of Origin) reflected your comment.” However, the COO being referenced is actually a malicious file compressed with GZIP. Once opened, the attachment would activate Trojan.Win32.VIGORF.C malware which has the ability to steal and exfiltrate sensitive victim information.
Analysts observed a malicious email subject line which was seen last week as well. The email listed as the sender "CHLOE LI <sales@moton-electric.com>” was seen sending a malicious email to the same targets last week. An email using the sender domain “info@moton-electric.com” appears in a Chinese directory and may belong to Jiangsu Muteng Auto Parts Co., Ltd. The signature in the email, however, is possibly from SMC Marine Management Pte Ltd and lists the email as “rifai@smcmarine.com.sg” further signaling the email is illegitimate. Red Sky Alliance has seen “rifai@smcmarine.com.sg” sending malicious emails since at least January 2020.
The message body of the email is also relatively short. It asks the recipient to “revert best quote attached MV Eviapetrol V Trader requisition” referencing the attached .cab file. Notably, the reply-to email address for the email is a generic Gmail account “hiscod76@gmail.com.” This email has been directly linked to a malspam campaign distributing AgentTesla malware. Attached to the email is a .cab file which, when decompressed, contains “DMQ0570718 MV EVIAPERTROL V.PDF.exe,” the malicious executable.[1]
In this case, the attackers identified Chloe Li as someone at Jiangsu Muteng Auto Parts Co., Ltd. and attempted to impersonate them. Attackers will often leverage one user on a network to send malware to an email address used by multiple parties, such as sales@moton-electric.com.
[1] https://bazaar.abuse.ch/sample/4811ffffcb93be6329a8b6653e78a0e84a5f08ec4a467184a8babdecd24eae7b/
Subject Line used |
Email Sender using Subject Line |
Times seen |
RE: PO 525 - Japanese Marine pump inquiry - DC project - Hong Ha shipyard (QE190912R00) |
“=KOyjvCnsp4TslYTsgrDsl4U==” <f0bead2@1c779a6.com> |
5 |
Re: Shipping documents for // ETD : 27th June 2020// |
"Cargo Gate International Ltd." <okkim@hari-mau.com> |
3 |
subject. |
BLG Cargo Logistics GmbH <andrey.kononenko@blg.de> |
3 |
Re: //QUOTATION//Re: MV AANYA : REQ. |
Victoria Perez <vperez@eldorado.com.uy> |
3 |
MV JIA YU SHAN/Calling lianyungang for discharging bauxite |
"shipping@leleenterprise.com" <b948@00cde920583028.com> |
2 |
These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to: