Maritime Cyber Security & Threats May 2020 Week Three

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

Search:

First Seen	Subject Line Used	Malware Detections	Sending Email	Targets
May 18, 2020	RE: MT OCEAN CHEMIST / V.2004B / DUE SINGAPORE OR TANGJUNG PELEPAS,rn MALAYSIA FOR LOADING – AGENT APPOINTMENT	Trojan:Win32/Wacatac.C!ml	“Platinum Marine Bunker Co. Ltd.” caf9@3cabc1a5e50699.com	Targets Not Disclosed
May 18, 2020	FW: Damaged Cargo: MV. SEASPAN CHIWAN – BL. LHV2217356 (IV35) / IVORYn COAST- JLB 3/4133/20.	Trojan:Win32/Wacatac.C!ml	JLB MARSEILLE marseille@jlbexpertises.com	Targets Not Disclosed
May 19, 2020	RFQ/ORDER #2020518 FROM China Merchants Port Holdings Co.Ltd	Trojan:Win32/Wacatac.C!ml	IlPFq24gRMOpbcOtbmcgKOWtq+W+t+aYjiki = 2617c938@9395.com	dc1fad@ed6405.com
May 19, 2020	MAERSK LINE SHIPMENT DOCUMENT	Trojan:Win32/Occamy.AA	MAERSK LINE customerservice@maerskline.com	maersk docs@maerskline.com
May 19, 2020	CARGO ARRIVAL NOTICE-Express BL: 200101092/0102	Trojan:Win32/Wacatac.C!ml	ea9cf7e4@063.com	f9a2f19c0@2960e43e0cabf1.com
May 20, 2020	FW: MT Pavino / Load Port PD/A Crude Benzene + Bunker Request	Trojan:Script/Wacatac.C!ml	Sun Xu Qing sxq@ismships.com	Targets Not Disclosed
May 20, 2020	RE: ADJUSTMENT // PRE ALERT AT INDONESIA “NYK FUJI V.084S” LCL TO JKT YGLNGO004466 // YIF-FW-19004159/	PWS:Win32/Fareit.A!MTB	PT. YAMATO INDONESIA FORWARDING Jakarta 608@50e66f1.com	401f51d9@93964e15ac1716.net
May 20, 2020	M/V Ocean Adventure – Fittings for Rescue Boat Repair	HEUR:Exploit.MSOffice.Generic	li beast3x@eliteomar.com	hans.hoobroeckx@fujitrading.nl
May 20, 2020	Cash to Master – MV GOLDEN PEARL	HEUR:Exploit.MSOffice.Generic	TAT SING INTERNATIONAL LOGISTICS tech.support@caturdaya.co.id	Targets Not Disclosed
May 20, 2020	Confidentiality Agreement Request : Structural Steel Materials /rn PE-105 / Dalma Gas Development Project / Package A (Offshore) / ADNOC	HEUR_RTFMALFORM	Carol Ramirez f84ecf4a@297f44245189.uy	Targets Not Disclosed
May 20, 2020	Your Shipment has arrived – Maersk	Trojan:Win32/Occamy.C	“Maersk Notification service@maerskline.com” waino@tammynpeterson.us	Targets Not Disclosed
May 21, 2020	Payment for invoice #34689- 05×40’HC Container Aqaba – WWS/	Trojan:Win32/Wacatac.C!ml	Inna Reznik caf9@53d92cbd.com	2949ed21949a867@726bfbd.com
May 21, 2020	COSCO SHIPPING LINES – 7223942580 – Document Shipping Instruction/BL	Trojan:Win32/Pwsteal.Q!bit	COSCO SHANGHAI SHIP MANAGEMENT CO., LTD e35015@0ea263.com	07@7c696244.gr
May 21, 2020	Amended P.O 28602 / Hebei Ocean	HEUR:Backdoor.Win32.Androm.gen	“Hebei Ocean Shipping Agency Ltd.” agencqhd@hoscoagency.com	Targets Not Disclosed
May 21, 2020	DHL Global Forwarding (China) Co., Ltd. CARGO RECEIPT	Trojan:Win32/Wacatac.C!ml	DHL Express Worldwide	Targets Not Disclosed
May 22, 2020	RE: REQUEST FOR QUOTATION – M.V. OMNI TIGRIS DRY DOCKING	Trojan:Win32/Sonbokli.A!cl	SHAIFFUL RIDZUAN shaifful.ridzuan@bnsy.com.my	Targets Not Disclosed

Showing 1 to 16 of 16 entries

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Pavino” and “MV GOLDEN PEARL” among others.

Analysts observed subject line “M/V Ocean Adventure – Fittings for Rescue Boat Repair” being used in a malicious email this week. The malware contained in this email is one of the most common pieces of malware observed by analysts across all industries.

The email sender is listed as “li <beast3x@eliteomar.com>.” The sending email address does not appear to be registered to any legitimate company, and the domain (eliteomar[.]com) is listed on a defacement website indicating that the webhost was hacked by an Indonesian hacking team – “Indonesian Cyber Jawa”. The email signature shows the sender’s name is “Kelvin Li” and lists two maritime companies – ATN Marine and Trading Co., LTD & ARC Marine Services Co.,LTD. Notably, the mailing address listed in his signature is not registered to either company. A more legitimate email li@atn.com.cn is listed in the signature as well so it is unclear why this user would be sending emails from the “beast3x@eliteomar.com” address.

The targeted recipient of this email is an International Technical Marine Sales agent for Fuji Trading (Marine) B.V. which is a “world leader in marine supply” located in The Netherlands.[1] There is no clear connection between Fuji Trading (Marine) B.V. and ATN or ARC Marine. Hans’ email does not appear to be listed publicly anywhere online.

The malware in this email is contained in a malicious .doc attachment titled “103 SWIFT 13-05-20.doc.” When opened, the victim would activate HEUR:Exploit.MSOffice.Generic malware.[2] This malware exploits a MS Office memory corruption vulnerability (CVE-2017-11882), often downloading a malicious file disguised as an audio driver (%Application Data%audiodrvrdll.exe).[3]

Analysts observed another malicious email containing the subject line used last week, “Amended P.O 28602 / Hebei Ocean.” The email was sent from “Hebei Ocean Shipping Agency Ltd.<agencqhd@hoscoagency.com>.”

The sender email domain appears to be registered to the Hebei Ocean Shipping Agency domain “hoscoagency.com.” As there is no company website. Analysts are unable to verify the legitimacy of the sending domain but have low confidence that the domain is in fact owned by the shipping agency. The sending email address was associated with a separate malicious email posted on a spam-email website and does not appear to be a deliverable email address.[4]

The targets were not disclosed in this email making it difficult to conclude the attackers intentions, but the malicious file attachment:
“PURCHASE ORDER 28602.gz” contains HEUR:Backdoor.Win32.Androm.gen” malware.[5] The file contains backdoor malware which makes registry and file changes to gain a foothold on the victim’s device. Kaspersky claims that approximately 25% of this malware’s victims are in either Germany or Russia.

These analytical results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Source: https://dryadglobal.com/maritime-cyber-security-threats-may-wk3/

Who we are

What personal data we collect and why we collect it

Comments

Media

Contact forms

Cookies

Embedded content from other websites

Analytics

Who we share your data with

How long we retain your data

What rights you have over your data

Where we send your data

Your contact information

Additional information

How we protect your data

What data breach procedures we have in place

What third parties we receive data from

What automated decision making and/or profiling we do with user data

Industry regulatory disclosure requirements

Maritime Cyber Security & Threats May 2020 Week Three

Tactical Cyber Intelligence Reporting

admin

You May Also Like

ASEAN Regional Forum discusses terrorism, maritime and cyber security

Maritime Cyber security lab launched for UK shipping industry