Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry.
Malicious actors are attempting to use vessel names to try to spoof companies in the maritime supply chain. Recently, the partners observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Arthiri” and “Sea Dragon I” among others.
In addition, analysts observed the malicious subject line “EPDA & PORT INFO REQUEST FOR LOADING ABT 60,325 MTNS OF UREA” in use. While this email is more detailed than many malicious emails, there are few indications that it is unsafe.
The email is sent from “’Platin Shipping’ operation[at]platinship[.]net” to another email address owned by Platin Shipping. Notably, the attackers are impersonating one of the founders of the company, Nora Germen, as the sender. This is likely an attempt to leverage this employee’s authority to entice other employees to open the malicious email attachment.
Although the email is sent from a platinship[.]net email address, the reply-to email address is “operations[at]swnav[.]com[.]tw.” It is likely that attackers are doing this to spread the malicious attachment to other maritime companies, but analysts are unable to determine the exact reason for the difference in the reply-to/sending addresses.
Attackers in this case are trying to exploit two different vulnerabilities on the victim host. First, the attackers attached a Word document, “COVID 19 CREW MEMBERS UPDATE.doc”, which contains Exploit:O97M/CVE-2017-8570.DR!MTB malware. This is a remote code execution vulnerability caused by the way that MS Office handles objects in memory.
Next, attackers attached a malicious Excel file, “VSL PARTICULARS.xlsm.” Notice the “m” at the end of the file extension: this is an Excel workbook, and the “m” marks it as macro-enabled, meaning the file can carry VBA macros. When opened, this would activate Exploit:O97M/CVE-2017-11882.ARJ!MTB malware on the victim host. This is also a MS Office memory corruption vulnerability.
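A mail-gateway triage check for the two indicators described above, the Reply-To/From domain mismatch and the macro-enabled or legacy Office attachments, written as an added example rather than code from the original advisory. It runs over a constructed message that reuses only the addresses, subject and filenames quoted in the text; the attachment bodies are placeholder bytes, not the real malware.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the email described above. Attachment
# bodies are placeholder base64 ("AAAA"), not the actual exploit documents.
RAW_MESSAGE = b"""From: 'Platin Shipping' <operation@platinship.net>
Reply-To: operations@swnav.com.tw
To: staff@platinship.net
Subject: EPDA & PORT INFO REQUEST FOR LOADING ABT 60,325 MTNS OF UREA
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached the crew update and vessel particulars.
--b1
Content-Type: application/msword; name="COVID 19 CREW MEMBERS UPDATE.doc"
Content-Disposition: attachment; filename="COVID 19 CREW MEMBERS UPDATE.doc"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="VSL PARTICULARS.xlsm"
Content-Disposition: attachment; filename="VSL PARTICULARS.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Legacy binary and macro-enabled Office extensions: the formats in which
# exploit documents such as those for CVE-2017-8570 / CVE-2017-11882 and
# VBA macro droppers are typically delivered.
RISKY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt", ".rtf", ".docm", ".xlsm", ".pptm"}

def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return a list of human-readable findings for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(str(msg.get("From", "")))
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_OFFICE_EXTENSIONS:
            findings.append(f"attachment {name!r} has risky Office extension {ext}")
    return findings
```

Either finding alone is a reason to hold the message for sandbox detonation rather than deliver it; together with an internal-looking sender they match the pattern described above.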
These analytical results illustrate how a recipient could be fooled into opening an infected email. They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.