Maritime Cyber Security & Threats February 2020 Week Three

Vessel Impersonation Report

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Using the Motor Vessel (MV) or Motor Tanker (MT) keywords in an email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Tactical Cyber Intelligence Reporting

In the above collection we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we see a large percentage of these malicious emails attempting to deliver Wacatac, with the D variant showing up for the first time. Vessel names seen include “MV WAF PASSION” and “MV OCEAN HERO”, among others. One malicious email included in our report this week does not attempt to impersonate a vessel; instead, it attempts to impersonate a Corona Virus advisory from the World Health Organization warning of vessels with infected crew.

An email was observed attempting to impersonate “MV OCEAN HERO” using a subject line of “MV OCEAN HERO : CTM DELIVERY”. According to maritimetraffic.com, this name is shared by a Singaporean Oil/Chemical tanker, a Panamanian general cargo carrier, and another general cargo ship sailing under the Hong Kong flag. It is unclear which, if any, the attackers were attempting to impersonate, or whether they were simply trying to increase their chances of success by using a vessel name that a recipient would be familiar with and so open the email.

Analysis reveals that the malicious email was sent to a recipient at the adsale-hk.com domain. Although this domain holds only a parking page hosted by Texas ISP Confluence Networks, it could be that the attackers were attempting to target adsale.hk.com, a Chinese trade media group.

The message contains an attached Excel spreadsheet identified by Microsoft as the Trojan:Win32/AutoitInject.BH!MTB malware.[1] The message body contains a request for Cash To Master services in the amount of $60,000 USD, referencing an attached document for details. However, opening the attachment could activate the malware. The malware exploits the AutoIt IT automation suite to perform actions on target. Historical Trojan:Win32/AutoitInject.BH!MTB samples have delivered ransomware and credential stealing payloads.

In another example, we see an email attempting to impersonate the vessel “MV WAF PASSION” using the subject line “MV WAF PASSION – PDA”.

The vessel name belonged to a Sri Lankan General Cargo vessel until October 5, 2019, when the name was changed to ZEA PASSION; it was then changed again to MERCS PASSION at an unknown time.

Analysis of the email headers shows it was sent from a Chicago, Illinois IP address hosted by Unreal Servers to a recipient at the e1.co.kr domain hosted by South Korean ISP LG DACOM Corporation. E1 is a South Korean liquefied petroleum gas (LPG) importer that claims to control 50% of the country’s LPG imports.[2] Interestingly, the message has a suspicious Reply-To email address ([email protected]) that is not affiliated with the impersonated sender.

An attachment titled “MV WAF PASSION.rar” is identified by Microsoft as “Trojan:Win32/Wacatac.C!ml”. This malware can “perform a number of actions of a malicious hacker’s choice on your PC.”[3]
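The indicators described in this report (an MV/MT subject-line lure, a Reply-To address unrelated to the sender, and archive or macro-enabled spreadsheet attachments) can be checked together at mail triage. The sketch below is an added example, not Red Sky Alliance tooling; the sample messages, addresses, flag names, and the `triage` function are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject starts with "MV <NAME>" or "MT <NAME>", the lure format in the report.
VESSEL_SUBJECT = re.compile(r"^\s*M[VT]\s+[A-Z0-9]")
# Attachment types seen in this report's samples (assumed watch list).
RISKY_EXT = (".rar", ".xlsm")

def domain(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return the list of lure indicators present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    if VESSEL_SUBJECT.search(msg.get("Subject", "")):
        flags.append("vessel-subject")
    from_dom, reply_dom = domain(msg.get("From")), domain(msg.get("Reply-To"))
    # Exact-domain comparison: a sibling subdomain also flags, so treat as a hint.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    if any((p.get_filename() or "").lower().endswith(RISKY_EXT) for p in msg.walk()):
        flags.append("risky-attachment")
    return flags

# Constructed samples; all names and addresses are placeholders.
SAMPLE = """\
From: Agency Ops <ops@agency.example>
Reply-To: payments@mailbox.example
Subject: MV EXAMPLE STAR - PDA
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find PDA attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="MV EXAMPLE STAR.rar"

AAAA
--b1--
"""
BENIGN = "From: Agent <a@agency.example>\nSubject: Berth schedule update\n\nSee portal.\n"

if __name__ == "__main__":
    print(triage(SAMPLE), triage(BENIGN))
```

Any single flag is weak on its own, since legitimate agency mail also uses vessel names in subjects; the combination of all three is what matches the samples described here.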

Lastly, a malicious email was observed impersonating the World Health Organization (WHO), specifically Monika Kosinska, Project Manager at the WHO Regional Office for Europe.[4] The email was sent from a Coventry, United Kingdom IP address hosted by Fat Shark, Ltd. (sharkservers.co.uk) to recipients at the ntu.edu.sg and portauthority.com domains. The domain ntu.edu.sg is owned by Nanyang Technological University, Singapore. The portauthority.com domain redirects to www.ports.com and resolves to a London, United Kingdom based IP address hosted by World News PTE. LTD.

The subject line “CORONA VIRUS / AFFECTED VESSEL TO AVOID” suggests the message contains a list of vessels with infected crew. However, the message body provides guidelines and procedures for ships’ Masters to avoid crew infection. There are also numerous calls to action in the message body enticing recipients to open, fill out, and return the attached forms by email. The attached document, an Excel spreadsheet named “CORONA VIRUS AFFECTED CREW AND VESSEL.xlsm”, echoes the subject line in its promise to reveal affected (infected) crew and vessels. With the Corona Virus being a hot topic globally, this tactic could evoke an emotional response in the recipient, causing them to open the message without looking closely for indications of a spoofed message, which could trigger the malware.

Typically, the use of language is a good indicator of a spoofed message. Errors in grammar and punctuation can indicate a non-native English speaker originated a message. This is especially indicative when the attacker is trying to impersonate a sender who is expected to fluently speak and write the language. Overall, the use of language in this message is good, but on close inspection there are punctuation errors, capitalization errors, and slight phrasing issues throughout. These are errors that a former resident of the UK, King’s College graduate, and fluent English language speaker like Ms. Kosinska is unlikely to make.[5]


[2] http://e1.co.kr/Eng/CO/Company/CO_eIntro.aspx

[3] https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Wacatac.D!ml&ThreatID=2147749373

[4] https://www.ehfg.org/about-us/advisory-committee/monika-kosinska