Tactical Cyber Intelligence Reporting
In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Pavino” and “MV GOLDEN PEARL” among others.
Analysts observed subject line “M/V Ocean Adventure – Fittings for Rescue Boat Repair” being used in a malicious email this week. The malware contained in this email is one of the most common pieces of malware observed by analysts across all industries.
The email sender is listed as “li <firstname.lastname@example.org>.” The sending email address does not appear to be registered to any legitimate company, and the domain (eliteomar[.]com) is listed on a defacement website indicating that the webhost was hacked by an Indonesian hacking team – “Indonesian Cyber Jawa”. The email signature shows the sender’s name is “Kelvin Li” and lists two maritime companies – ATN Marine and Trading Co., LTD & ARC Marine Services Co.,LTD. Notably, the mailing address listed in his signature is not registered to either company. A more legitimate email email@example.com is listed in the signature as well so it is unclear why this user would be sending emails from the “firstname.lastname@example.org” address.
The targeted recipient of this email is an International Technical Marine Sales agent for Fuji Trading (Marine) B.V. which is a “world leader in marine supply” located in The Netherlands. There is no clear connection between Fuji Trading (Marine) B.V. and ATN or ARC Marine. Hans’ email does not appear to be listed publicly anywhere online.
The malware in this email is contained in a malicious .doc attachment titled “103 SWIFT 13-05-20.doc.” When opened, the victim would activate HEUR:Exploit.MSOffice.Generic malware. This malware exploits a MS Office memory corruption vulnerability (CVE-2017-11882), often downloading a malicious file disguised as an audio driver (%Application Data%audiodrvrdll.exe).
Analysts observed another malicious email containing the subject line used last week, “Amended P.O 28602 / Hebei Ocean.” The email was sent from “Hebei Ocean Shipping Agency Ltd.<email@example.com>.”
The sender email domain appears to be registered to the Hebei Ocean Shipping Agency domain “hoscoagency.com.” As there is no company website. Analysts are unable to verify the legitimacy of the sending domain but have low confidence that the domain is in fact owned by the shipping agency. The sending email address was associated with a separate malicious email posted on a spam-email website and does not appear to be a deliverable email address.
The targets were not disclosed in this email making it difficult to conclude the attackers intentions, but the malicious file attachment:
“PURCHASE ORDER 28602.gz” contains HEUR:Backdoor.Win32.Androm.gen” malware. The file contains backdoor malware which makes registry and file changes to gain a foothold on the victim’s device. Kaspersky claims that approximately 25% of this malware’s victims are in either Germany or Russia.
These analytical results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.