Dryad and cyber partners RedSkyAlliance continue to monitor attempted attacks within the maritime sector. Here we continue to examine how email is used to deceive the recipient and potentially expose the target organisations.
"Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry."
Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can only get 10% of people to open their malicious email attachments, they can send thousands out in a day using similar templates resulting in hundreds of victims per day. They can also automate parts of this process for efficiency. It is critical to implement training for all employees to help identify malicious emails/attachments. This is still the major attack vector for attackers looking to attack a network. These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
Malicious Email collection 5 - 12 Dec 2020
First Seen |
Subject Line Used |
Malware Detections |
Sending Email |
Targets |
Dec 05, 2020 |
Fw: Re: FW: Re: FW: Re:FW:Fw: MV AGONISTIS - NO OERATION OF AMS WORKSTATION\r\n 1 |
HEUR.ExecInMail |
technical@aegeanbulk.gr |
dex.co.kr |
Dec 05, 2020 |
[***SPAM*** Score/Req: 06.0/4.6] RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL, SI, INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // |
Trojan:Win32/Ymacco.AAE4 |
“A.P. Moller – Maersk” operations@gmail.com |
motion-labs.com |
Dec 07, 2020 |
MT SARANGA / PDA Cost and Restrictions for Dongguan and Lianyungang / V202101 URGENTLY NEEDED !!! |
MSIL/Kryptik.YSN!tr |
“Dora Miao” accounts@primeoceanic.com |
benline.com.cn |
Dec 07, 2020 |
[SPAM] Freight Statement Of Outstanding As Of 12_11_2020 |
VBA/Agent.VAV!tr |
Kiana.Giles@msc.com |
azmodan.net |
Dec 09, 2020 |
RFQ 00068643 New Order Shipment to Jebel Ali Port UAE |
Trojan:Win32/Woreflint.A!cl |
“3D MIDDLE EAST LLC” 2f8a6bf@7ef5c2d9.xyz |
cf787.in |
Dec 09, 2020 |
FW: Freight Statement Of Outstanding As Of 12_07_2020 |
Trojan-Downloader.O97M.Dridex |
"Stephen R.G. Smarook" 3da2@4c96cf5471f9.com |
dfd.gov, 6d900d381.com, d5306eaeadf28f.com, f64419f3.it, e42.com, 7b06338358.jp, 22940.com, aff1893a9c4de.it, 1a0ce4571e8e.com, cdc1bf077133.com, cdc1bf077133.com, 5d21da6df85eeab545.com, 23b4a31.net, 09c21ee5a5705fba.net |
Dec 09, 2020 |
Freight Statement Of Outstanding As Of 12_07_2020 |
TrojanDownloader:O97M/Dridex.DR!MTB |
Dante.Parker@msc.com |
pcpursuit.com |
Dec 10, 2020 |
FW: I \\ M. Oil/ Chemical - M.t Pvt Sealion for sale |
Malware |
“Mark Mirosevic-Sorgo” MSorgo@quincannon.com.sg |
quincannon.com |
Dec 10, 2020 |
RE: Shipping FOB EXW /CIF Incoterm-checklists Inv PL FCL/LCL |
Trojan:Win32/Wacatac.B!ml |
“Sumaiyya Documentation Associate - Maersk SCM” shippingrobots@bwrobotlcs.com |
gechter.com |
Dec 10, 2020 |
status of shipment - shipping documents Air/Sea Logistics |
Trojan:Win32/Wacatac.B!ml |
“Rahul Bhatia” shippingrobots@bwrobotlcs.com |
gechter.com |
Dec 10, 2020 |
UAE ORDER ZANZIBAR PORTS FINAL DESTINATION FOR IMPORTS |
Trojan:Win32/Woreflint.A!cl |
“AHMAD” <3bf5653afad@cc83d90db38aa6df313b6.com> |
Targets Not Disclosed |
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV PVT Sea Lion” and “MT SARANGA” among others.
Analysts observed malicious subject line, “Freight Statement Of Outstanding As Of 12_07_2020” used this week. This email leverages a few techniques to get the targeted users to open the malicious attachments.
The sender of the malicious email appears to have been sent from “Dante.Parker@msc.com”. Open-source data does not show anyone with that name or email address working for the company, so it is likely that this email address is spoofed. It should be noted that msc.com is owned by Mediterranean Shipping Company (MSC) which was the victim of a cyber-attack earlier this year. Attackers often impersonate large companies such as Maersk, CMA CGM, MSC, and others to raise the level of trust that victims have when opening malicious email attachments/links.
The target of the malicious email in this case is an employee at PC Pursuit. This company (which dissolved in 2018) protected digital assets by preventing people from logging into computers unless they were physically in the building. Specifically, the attackers were targeting the founder of the company. It is unclear if the founder is still using this email address since the company has closed, but pcpursuit.com is not an active website at this time.
As is the case with the majority of malicious emails, this email uses a generic “Dear Valued Customer” greeting. The email signature is generic as well – “Credit and Collections Dept” whereas most professional email signatures contain the specific name of the email sender (which would be Dante Parker in this case). The email claims that there is an overdue bill that needs to be paid which creates a sense of urgency. Interestingly, the email also provides a bank account to transfer money to, which is unique.
The malicious attachment “MSC printouts of outstanding as of 73155_12_09_2020.xlsm” contains TrojanDownloader:O97M/Dridex.DR!MTB malware. This malware is part of the Dridex family of malware. This banking trojan first appeared in 2011 but analysts have seen an increase in the use of this malware over the past year. Dridex communicates with a command & control (C2) server, sends information about the infected host, and can also download and execute additional modules.
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain. Preventative cyber protection offers a strong first-line defence by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using pre-emptive information from Red Sky Alliance-RedXray diagnostic tool, our Vessel Impersonation reports, and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.
It is imperative to: