Tactical Cyber Intelligence Reporting
In the above collection, we see malicious actors using vessel names in an attempt to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV EVIAPETROL V” and “MV XIU SHAN,” among others. “Maersk Kleven” was used again this week. This vessel is currently flying under the Liberian flag and is a Hazard A (major) cargo ship. It is currently headed from Charleston, US to Algeciras, Spain.
Analysts observed subject line “RE: MV WESTERN TOKYO 62,647DWT / LOADING CLINKER – REQUEST FOR PDA” being used in a malicious email this week. The MV Western Tokyo is a bulk carrier currently sailing under the flag of the Philippines. The carrier is in port at WAFR – Gulf of Guinea.
This email message was sent from “email@example.com,” which is likely owned by San Nikolla Shipmanagement S.A. While the company is headquartered in Albania, the sender appears to be located in Greece, based on the .gr sending domain and the phone numbers provided in the email signature. There is a web portal login located at “san-nikolla[.]gr,” and the address and phone numbers in the email signature appear to be linked to the real San Nikolla Group. The san-nikolla[.]gr site currently displays a “site is down for maintenance” message.
The message body contains a request for a PDA (Proforma Disbursement Account). As with many malicious emails, the greeting is a generic “GOOD DAY DEAR SIRS,” and the message contains an attached .xlsx file named “WESTERN TOKYO vessel description 201907 CoA.xlsx.” When opened, this spreadsheet would activate Trojan:Win32/Vigorf.A malware. This malware has the ability to download, install, and communicate with other malware. It also has the ability to steal and exfiltrate sensitive information from the victim’s device.
Analysts observed another malicious email which appears to impersonate the M/V BBC Congo. The malicious email subject line used is “M/V BCC CONGO – Port Agency Appointment.” Although no results were found for an “M/V BCC Congo,” there is an active general cargo ship sailing under the flag of Antigua and Barbuda named “BBC Congo.” The actual BBC Congo is currently on a voyage from China to Korea. The email states the ship will discharge between 22 and 25 June, so it is possible the email is referencing a new vessel.
The sending email “operation@inter-trans[.]co” does not appear to be registered to any legitimate company or listed on any company website. The inter-trans[.]co domain leads to a Roundcube login portal with Bulgarian text saying “Welcome” and offering a username/password field.
The sender, according to the email signature, is Capt. Gultekin Ozturk, the “Managing Director,” but the signature does not identify the name of the company. He leaves his Skype, email, and phone contacts, as well as an address based in Turkey.
Although the email is written in English and the sender is based in Turkey, the attached spreadsheet “vsl MV BCC CONGO.xlsx” contains Chinese text. One of the more unusual aspects of the email is the target email address “firstname.lastname@example.org.” This address is owned by the International Sales and Marketing Coordinator for Compass Publishing, a Florida, US-based publishing company. The target does not appear to have any relevance to the maritime industry or to the BBC Congo specifically.
When the victim opens the attached spreadsheet, they are actually activating Exploit:O97M/CVE-2017-11882.L malware. This is one of the most common exploits seen “in the wild.” It takes advantage of a memory corruption vulnerability in Microsoft Office products, which allows attackers to extract sensitive and private information from the victim’s device. If successful, an attacker could steal proprietary information from the publishing company. They would also be able to commit impersonation attacks using insider information.
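The lures in this report share a handful of indicators: a vessel name in the subject line, a PDA pretext, a generic greeting, an Office spreadsheet attachment, and a sending domain that belongs to no known agent. The following triage script is an added example, not part of the original report; the sample message, the addresses and the allowlisted domain in it are constructed placeholders.

```python
# Added example (not from the report): triage heuristics for the maritime lures above.
# The sample message is constructed; every address and domain in it is a placeholder.
import email
import re
from email import policy

SAMPLE_EMAIL = """\
From: ops@example-shipping.invalid
Subject: RE: MV WESTERN TOKYO 62,647DWT / LOADING CLINKER - REQUEST FOR PDA
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

GOOD DAY DEAR SIRS,
Please find attached the vessel description and advise PDA.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="WESTERN TOKYO vessel description 201907 CoA.xlsx"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

VESSEL_RE = re.compile(r"\b(?:M/V|MV)\s+[A-Z][A-Z0-9 ]{2,}")
GENERIC_GREETINGS = ("good day dear sirs", "dear sirs", "dear sir/madam")
OFFICE_EXTENSIONS = (".xlsx", ".xls", ".docx", ".doc", ".rtf")
# Placeholder allowlist: domains of port agents the recipient actually deals with.
KNOWN_AGENT_DOMAINS = {"example-agency.invalid"}

def triage(raw: str, known_domains=KNOWN_AGENT_DOMAINS) -> dict:
    """Score one RFC 822 message against the indicators seen in these lures."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg["subject"] or ""
    sender_domain = (msg["from"] or "").rsplit("@", 1)[-1].strip("> ").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    hits = {
        # Vessel name in the subject is the spoofing hook the report highlights.
        "vessel_subject": bool(VESSEL_RE.search(subject)),
        "pda_request": "pda" in subject.lower() or "disbursement" in text.lower(),
        "generic_greeting": text.strip().lower().startswith(GENERIC_GREETINGS),
        "office_attachment": any(a.lower().endswith(OFFICE_EXTENSIONS) for a in attachments),
        "sender_domain_unknown": sender_domain not in known_domains,
    }
    hits["score"] = sum(hits.values())  # number of indicators present, 0 to 5
    return hits
```

A score of 3 or more on a message carrying an Office attachment is a reasonable threshold for detonating the attachment in a sandbox before delivery.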