Red Sky Alliance performs weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.
Using Motor Vessel (MV) or Motor Tanker (MT) keywords in the email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Red Sky Alliance has observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Happiness” and “MV Marzuk” among others.
Analysts observed the malicious subject line “RE: MSC-Notice of Arrival for MSC B/L :MEDUAU647809/MSC ADITI/HC039A” in use this week. Attackers routinely use shipping company names in subject lines to entice the target into opening the malicious email and activating malware. In this case, attackers are using “MSC,” commonly an abbreviation for Mediterranean Shipping Company.
The sending address in this case impersonated an employee of the major shipping giant using the sending alias “MSC – Mediterranean Shipping Company (Europe).” A closer look shows that the actual sending email address is saigonsan[at]tuguhotels[.]com, which does not appear to be a legitimate MSC address. This address has been observed impersonating numerous different entities to send malicious emails.
The target of the email is a tax officer at MSC. The message body of the email indicates that the email sender does not speak English as their native language, which is not suspicious individually, but there are other indications that this is not a legitimate request.
Specifically, the email uses the generic greeting “Dear Info,” which is slightly suspicious, as the targeted recipient is not “info[at]msc.com.” Another suspicious aspect of the email is the signature, “Best Regards, Finance Staff as Agent,” followed by the full MSC company name on the next line.
In addition, the signature includes an image saying “MORE INFO”, but this is just an image and does not actually link to any website. Finally, the attackers attempt to expedite the attack by claiming that an ‘invoice fee’ will apply if they do not receive a prompt response.
The name of the attached file, “TGL_MSC-20024169(BL DRAFT) .pdf.gz,” is also suspicious. It implies that the attachment is a PDF, or at most a compressed (gzipped) file containing a PDF. The attachment actually contains a malicious executable file. When the user opens the malicious file, they activate PWS:Win32/Fareit!ml malware. According to Trend Micro, the most common capabilities of this malware include:
- Steals stored account information used in different installed File Transfer Protocol (FTP) clients or file manager software;
- Steals stored email credentials of different mail clients;
- Gets stored information such as usernames, passwords, and hostnames from different browsers;
- Performs brute-forcing capabilities on local accounts based on the acquired password list;
- Replicates other Remote Desktop Protocol (RDP) utilities’ mutexes to mask execution in the background, then deletes itself after execution;
- Downloads additional malware payload.
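The indicators walked through above (vessel keyword in the subject, a brand name in the display name that does not match the sending domain, a double-extension attachment, a generic greeting) can be checked mechanically at the mail gateway. The following is an added example written for this page, not Red Sky Alliance code; the allow list of legitimate MSC domains, the sample message and the sender address are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands seen in spoofed display names -> legitimate sending domains (placeholder allow list).
IMPERSONATED_BRANDS = {"msc": {"msc.com"}}
VESSEL_RE = re.compile(r"\b(MV|MT)\s+[A-Z][A-Z0-9 -]*")
# Document extension followed by an archive/executable one, spaces allowed, e.g. "BL DRAFT .pdf.gz".
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\s*\.(gz|zip|rar|7z|exe|scr)$", re.I)
GENERIC_GREETINGS = ("dear info", "dear sir/madam", "dear customer")

def phishing_indicators(raw: str) -> list[str]:
    msg = message_from_string(raw)
    flags = []
    if VESSEL_RE.search(msg.get("Subject", "")):
        flags.append("vessel_keyword_in_subject")
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in IMPERSONATED_BRANDS.items():
        if brand in display_name.lower() and domain not in legit:
            flags.append(f"display_name_impersonates_{brand}")
    body = ""
    for part in msg.walk():  # visits the text body and every attachment
        name = part.get_filename()
        if name and DOUBLE_EXT_RE.search(name):
            flags.append("double_extension_attachment")
        if part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode(errors="replace")
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        flags.append("generic_greeting")
    return flags

# Constructed sample modelled on the lure described above; not a real message.
SAMPLE_EMAIL = """\
From: "MSC - Mediterranean Shipping Company (Europe)" <sender@example.invalid>
Subject: RE: MSC-Notice of Arrival for MV HAPPINESS/HC039A
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Info,
An invoice fee will apply without a prompt response.
--b1
Content-Type: application/gzip
Content-Disposition: attachment; filename="TGL_BL_DRAFT .pdf.gz"

Zm9v
--b1--
"""
```

Calling `phishing_indicators(SAMPLE_EMAIL)` returns all four indicator names; a benign message from a legitimate domain with a specific greeting returns an empty list.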
Analysts observed another malicious email subject line, “MV PRABHU SAKHAWAT,” this week. This vessel name has been used in the subject line of at least five malicious emails in the past six months. In the past, attackers have used the following sending aliases to send these malicious emails:
- Sunnytrans Co., Ltd.;
- Wilhelmsen Ships Service;
- El bahlawan shipping.
To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.
It is imperative to:
- Train all levels of the marine supply chain to realize they are under constant cyber-attack.
- Emphasize maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
- Provide practical guidance on how to identify a potential phishing attempt.
- Use direct communication to verify emails and supply chain email communication.
- Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information, and the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.