Red Sky Alliance performed another weekly query of its backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.
The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.
Those who work in the security industry can quickly identify the suspicious aspects of these emails, but the targets often cannot. Even if attackers can only get 10% of recipients to open their malicious email attachments, they can send thousands out in a day using similar templates, resulting in hundreds of victims per day. They can also automate parts of this process for efficiency.
According to Red Sky Alliance, malicious actors attempt to use vessel names to try to spoof companies in the maritime supply chain.
This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Vittoria” and “MV Genco Resolute”, among others. This week, analysts observed attackers attempting to send malicious email attachments to multiple recipients from the same sender email address.
The attacker in this case sent the emails from “Khajohn Intavichian” ii.khajohn[at]kgroupinternational[.]com. The domain used (kgroupinternational) does not appear to be registered to any legitimate entity, indicating the attackers may have created a fictional business domain as a disguise to send malicious emails.
There appears to be a legitimate company called K-Group Logistics Co., Ltd. based in Thailand; however, there does not appear to be any legitimate link between the Thai logistics company and the domain used by the attacker in this case. Attackers often impersonate or spoof legitimate companies when sending malicious email attachments to evade detection.
“There were multiple recipients across multiple countries which were targeted by these malicious emails. While one of the three targeted domains is obfuscated (and unidentified), there was one target based in Germany, and another target located in Taiwan,” said Red Sky Alliance.
The German target in this case is a gear manufacturing and hardening shop. Manufacturers are often the target of attackers looking to steal sensitive proprietary data or activate ransomware to earn a profit. The wheysound[.]com[.]tw domain belongs to Huisong Technology, a Chinese “high-tech enterprise” focused on laboratory medical instruments and in vitro diagnostic reagents. Attackers targeting this company would also likely search for sensitive information to steal, even during a ransomware attack.
In all three email samples, the attacker uses the same subject line, “RE:MV.SIRICHAI REEFER V.0221 – 1st Freight Invoice…”. Both the subject line and the message body are identical across the samples. The sender appears to be using at least two different email clients, as they send both malicious .eml (email) files and .msg (Outlook) files.
There are a total of four unique malicious files attached to the malicious email samples. The malicious file attachments used the following file names:
- “P0_0541_60_12.rar” (Archive)
- “ERL_7804100.doc” (MS Word Document)
- “IMG_107_85_02_37.doc” (MS Word Document)
- “IMG_50_78_63.xls” (MS Excel Spreadsheet)
“This indicates the attacker may be manually generating these emails instead of using a malicious email template to spam numerous targeted users. There are multiple antivirus (AV) detections triggered by the malicious attachments, but all of the malware appears to be an attempt to download trojan malware onto the target system for further intrusion,” Red Sky Alliance concluded.
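As an added illustration (not part of the Red Sky Alliance report), the triage below applies the indicators described above to constructed .eml samples: a vessel-prefixed subject line, the attachment types named in the report, and the same sender and subject reaching several recipients. The sender, subject and attachment names are taken from the article; recipient addresses and message bodies are placeholders.

```python
import email, os, re
from collections import defaultdict
from email import policy
from email.message import EmailMessage

# Subject prefixes the report keys on: MV / MT followed by a separator or space.
VESSEL_RE = re.compile(r"\b(MV|MT)\b[.\s]", re.IGNORECASE)
RISKY_EXT = {".rar", ".doc", ".xls", ".eml", ".msg"}  # attachment types named in the report

def build_sample(sender, rcpt, subject, filename):
    # Constructed .eml sample (not a real capture) carrying one attachment.
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    msg.set_content("Please find attached the freight invoice.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def triage(raw):
    # Extract the indicators the report relies on from one raw message.
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    sender_domain = str(msg["From"] or "").rsplit("@", 1)[-1].strip("> ").lower()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXT]
    vessel = bool(VESSEL_RE.search(subject))
    return {"subject": subject, "sender_domain": sender_domain,
            "recipient": str(msg["To"] or "").lower(), "vessel_subject": vessel,
            "risky_attachments": risky, "flag": vessel and bool(risky)}

def campaign_clusters(raws):
    # Group flagged mails by (sender domain, normalised subject); keep only
    # clusters that reached more than one recipient, as the report describes.
    groups = defaultdict(set)
    for raw in raws:
        t = triage(raw)
        if t["flag"]:
            key = (t["sender_domain"], re.sub(r"\s+", " ", t["subject"]).strip().lower())
            groups[key].add(t["recipient"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

ATTACKER = "Khajohn Intavichian <ii.khajohn@kgroupinternational.com>"  # from the report
SUBJECT = "RE:MV.SIRICHAI REEFER V.0221 - 1st Freight Invoice"  # from the report
SAMPLES = [  # recipient addresses are constructed placeholders
    build_sample(ATTACKER, "ops@gear-shop.example", SUBJECT, "P0_0541_60_12.rar"),
    build_sample(ATTACKER, "lab@wheysound.example", SUBJECT, "ERL_7804100.doc"),
    build_sample(ATTACKER, "import@redacted.example", SUBJECT, "IMG_50_78_63.xls"),
    build_sample("hse@shipowner.example", "crew@shipowner.example", "MV Vittoria safety bulletin", "bulletin.pdf"),  # benign control
]
```

The benign control shows that a vessel name in the subject alone is not enough to flag a message; the attachment type and the fan-out to several recipients from one sender are what separate the campaign from ordinary shipping mail.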