Red Sky Alliance, Dryad Global’s cyber security partner, performs weekly queries of backend databases to identify all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or their parent companies.
Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
This week Red Sky Alliance reports that a large percentage of these malicious emails attempted to deliver Wacatac, with both the C and D variants showing up.
Vessel names seen include “MV. TAHO EUROP” and “M/T TORM HARDRADA”, among others. For example:
- An email was observed attempting to impersonate “MV Golden Star” using a subject line of “BUNKER ESTIMATE – M/V GOLDEN STAR”, a vessel name which is very common and used by multiple different carriers.
- The malicious email was sent from a typosquatted domain. The sender domain is “Labcosulich[.]com”, which is an apparent typosquat on the legitimate domain owned by the Italian marine/energy services company Lab Cosulich Consultants – “labcosulichconsultants[.]com”.
- The message contains an attached Excel spreadsheet identified by Microsoft as the Trojan:Win32/Tiggre!ctv malware. The message body consists of a bunkering order for the vessel, and the different costs associated with said order. However, opening the attachment titled “MV-GOLDEN STAR.xlsx” could activate the malware. Trojan:Win32/Tiggre!ctv is Windows malware which commonly infects victims to use their computing resources for crypto mining.
In another example, an email attempted to impersonate the vessel “M/T TORM HARDRADA” using the subject line “RE: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH”.
The vessel name belongs to a Singaporean crude oil tanker destined for Veracruz, Mexico. Analysis of the email shows it was sent to a Peruvian freight company called Scharff.
The email is sent from a Google mail server, but the sender identifies themselves as part of FP Shipping which is a Singaporean freight company.
An attachment titled “MT TORM HARDRADA.xlsx” is identified by Microsoft’s antivirus engine as Trojan:Win32/Sonbokli.A!cl. This malware uses PowerShell to connect to command and control servers and download additional malware onto the victim device.
Lastly, a malicious email was sent from “Ever Grand Logistics Limited”, specifically from a sender named Hunter Yang.
The email was sent from and received at the same email address; however, the reply-to address is a Gmail account – “johnybmt@gmail[.]com”.
This address has been used to target multiple other maritime targets as far back as July 2019.
The subject line “NOMINATION//MV SHINSUNG BRIGHT V20004 KWG-NSA DISH STEEL PRODUCT 5700MT\r\n (POSCO)” suggests the message contains information about the vessel.
However, the email actually contains Trojan:Win32/Wacatac.C!ml malware disguised as “MV SHINSUNG BRIGHT V20004.rar”.
The message comes across as very polite, but it is clear from the sentence structure that the email sender is not a native English speaker.
In light of the above, Dryad Global recommends that operators should:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to look for a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
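The examples above share a handful of observable traits: an MV/MT vessel prefix in the subject line, a sender domain that is a near-match of a real partner's domain, a reply-to address on a different (webmail) domain from the sender, corporate senders relayed through a Google mail server, and a spreadsheet or archive attachment named after the vessel. The following is an added example, not Dryad Global or Red Sky Alliance tooling, of how a mail gateway or analyst could score inbound messages against those traits as "practical guidance on how to look for a potential phishing attempt". The partner allowlist, the sample messages, the addresses on them (other than the domains the report names) and the threshold values are constructed assumptions for the demo.

```python
"""Score inbound e-mail for the maritime phishing traits described in the report.

Added example, not the report's own code. KNOWN_PARTNER_DOMAINS, SAMPLES and the
0.7 similarity threshold are constructed for this demo.
"""
import difflib
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.policy import default
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed allowlist: domains the operator genuinely corresponds with.
KNOWN_PARTNER_DOMAINS = {"labcosulichconsultants.com"}

# Vessel-prefix lure: "MV", "M/V", "MT", "M/T", optional trailing dot, then whitespace.
VESSEL_PREFIX = re.compile(r"\b(?:M/?V|M/?T)\.?\s", re.IGNORECASE)

# Extensions that carried malware in the report (.xlsx, .rar) plus common carriers.
RISKY_EXTENSIONS = {".xlsx", ".xls", ".xlsm", ".rar", ".zip", ".iso", ".exe", ".docm"}


def domain_of(header_value: Optional[str]) -> str:
    """Lowercase domain part of an address header, '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like_typosquat(domain: str) -> Optional[str]:
    """Return the partner domain that `domain` resembles, or None if it is clean."""
    if not domain or domain in KNOWN_PARTNER_DOMAINS:
        return None
    label = domain.split(".")[0]
    for known in KNOWN_PARTNER_DOMAINS:
        known_label = known.split(".")[0]
        ratio = difflib.SequenceMatcher(None, domain, known).ratio()
        # Either overall string similarity or one label being a prefix of the other
        # (labcosulich vs labcosulichconsultants) is enough to flag.
        if ratio >= 0.7 or known_label.startswith(label) or label.startswith(known_label):
            return known
    return None


def attachment_names(msg: Message) -> List[str]:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def score_message(raw: str) -> List[str]:
    """Return the human-readable indicators that fired for one RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    findings = []
    subject = str(msg.get("Subject", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    if VESSEL_PREFIX.search(subject):
        findings.append("subject uses MV/MT vessel lure")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    squat_of = looks_like_typosquat(from_domain)
    if squat_of:
        findings.append(f"sender domain {from_domain} resembles partner domain {squat_of}")
    received = " ".join(str(h) for h in msg.get_all("Received", []))
    if "google.com" in received.lower() and from_domain not in ("gmail.com", "google.com"):
        findings.append(f"relayed via Google mail server but claims corporate sender {from_domain}")
    for name in attachment_names(msg):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has risky extension {ext}")
    return findings


def build_sample(sender, recipient, subject, filename, reply_to=None, received=None) -> str:
    """Build a constructed message with one dummy attachment (demo input only)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, recipient, subject
    if reply_to:
        m["Reply-To"] = reply_to
    if received:
        m["Received"] = received
    m.set_content("Please find the vessel details attached.")
    m.add_attachment(b"not real file content", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed samples modelled on the three cases in the report (addresses are placeholders).
SAMPLES: Dict[str, str] = {
    "golden_star": build_sample("ops@labcosulich.com", "chartering@example.com",
                                "BUNKER ESTIMATE - M/V GOLDEN STAR", "MV-GOLDEN STAR.xlsx"),
    "torm": build_sample("ops@fpshipping.example", "ops@scharff.example",
                         "RE: RE: M/T TORM HARDRADA V.203- PDA REQUIRED FOR LOADING BARSAH",
                         "MT TORM HARDRADA.xlsx",
                         received="from mail-xx.google.com (mail-xx.google.com [192.0.2.10]) "
                                  "by mx.scharff.example; constructed"),
    "shinsung": build_sample("Hunter Yang <sales@evergrandlogistics.example>",
                             "sales@evergrandlogistics.example",
                             "NOMINATION//MV SHINSUNG BRIGHT V20004 KWG-NSA DISH STEEL PRODUCT 5700MT (POSCO)",
                             "MV SHINSUNG BRIGHT V20004.rar", reply_to="johnybmt@gmail.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name)
        for finding in score_message(raw):
            print("  -", finding)
```

Each indicator on its own is weak (plenty of legitimate bunker estimates mention "M/V"), so the value is in the combination: a vessel-lure subject plus a look-alike sender domain plus a spreadsheet attachment is exactly the Golden Star pattern, and a reply-to on webmail that does not match the sender is the Ever Grand pattern. The allowlist has to be maintained by the operator; a look-alike of a domain you never deal with cannot be detected this way.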
This issue is really very dangerous, and we all have to take care of the email process in a very genteel way. Thanks for the detailed guide.