Attacks Target Multiple Industry Sectors, from Freight to Food and Medical
BEYOND THE IOC: Moving from the “what” to the “how” to better stay ahead of emerging attacks
EclecticIQ threat research analysts recently observed a phishing campaign targeting the maritime industry. The malicious actor uses spoofed emails and socially engineered subject lines and file names to deliver multiple variants of commodity Remote Access Trojans (RATs) and the Masslogger keylogger, which is often used for stealing credentials. The attached files require user execution and, in some cases, exploit CVE-2017-11882 for initial execution. The campaign also leverages Agent Tesla to compromise web infrastructure for payload delivery and for exfiltration of stolen data.
- It is likely the campaign is using stolen credentials for future business email compromise (BEC) attacks. The tooling shows a focus on credential and email information theft. The phishing emails’ subject lines are aimed at on-shore ship and port operators. These organizations deal with regular monetary transfers, making them susceptible to BEC attacks.
- It is highly likely phishing campaigns will continue impersonating the maritime industry for credential theft. Malicious actors can easily leverage openly available ship and ship-operator information to craft legitimate-looking phishing emails. Commodity tooling provides easy access to the capabilities needed to harvest credentials and email information. The returns are potentially very lucrative due to the regular monetary transfers in the industry and the increasing demand for trade by ship.