Phishing Emails Impersonate Maritime Industry in Likely BEC Campaign

Executive Summary

EclecticIQ threat research analysts recently observed a phishing campaign targeting the maritime industry. The malicious actor uses spoofed emails and socially engineered subject lines and file names to deliver multiple variants of commodity Remote Access Trojans (RAT) and the Masslogger keylogger, often used for stealing credentials. The attached files require user execution and, in some cases, exploit CVE-2017-11882 for initial execution. The campaign also leverages Agent Tesla to compromise web infrastructure for payload delivery and exfiltration of stolen data.

Key Judgements

•  It is likely the campaign is using stolen credentials for future business email compromise (BEC) attacks. The tooling shows a focus on credential and email information theft. The phishing email’s subject lines are aimed at on-shore ship and port operators. These organizations deal with regular monetary transfers making them susceptible to BEC attacks.
  
  
• It is highly likely phishing campaigns will continue impersonating the maritime industry for credential theft. Malicious actors can easily leverage openly available ship and ship operator information for legitimate-looking phishing emails. Commodity tooling provides easy access to the capabilities needed to harvest credentials and email information. The returns are potentially very lucrative due to regular monetary transfers in the industry and the increasing demand for trade by ship.

Phishing emails impersonating the maritime industry deliver commodity RATs and keyloggers

A malicious actor launched a phishing campaign using files with maritime industry-specific terminology to deliver commodity remote access trojans (RATs) and keyloggers for credential theft. The campaign is ongoing with the first activity observed on 28th October 2020. The actor uses spoofed email addresses impersonating companies and individuals with a stake in the maritime industry. The email’s subject line and the attached file’s name uses maritime terminology and impersonates merchant vessels. One phishing email observed impersonates the ship ‘MARINE TIGER’ and spoofs the email sender, ‘operations@oceantankers.com.sg’ to impersonate its management company ‘Ocean Tankers’. The emails deliver commodity RATs and keyloggers:

• Agent Tesla
• FormBook
• Lokibot
• Masslogger

It is likely this campaign is using stolen credentials for business email compromise

It is likely that this campaign will use the stolen credentials and mailing information in future business email compromise (BEC) attacks. The tooling leveraged shows a clear focus on credential and email information theft. Email subject lines such as ‘Port agency appointment - MV NAGOYA TRADER’ are aimed at on-shore organizations that are involved with port and ship operations. Onshore organizations are particularly susceptible to BEC attacks due to regular port charges for merchant vessels. This is exacerbated due to increased demand in shipping globally, with Asia-US volumes reaching the highest level on record in Q4 2020. This is consistent with other activities targeting the maritime industry. The threat actor group, Golden Galleon targeted the maritime industry with BEC attacks in 2017.

The attached files use three different execution techniques to install the malicious software

The campaign attaches three different file types to the phishing email: an archive file or a Microsoft Word or Excel document. The archive file distributes Agent Tesla, Formbook and Masslogger. It requires user execution to decompress the file and execute the malicious executable. The encrypted Microsoft files include:

• 132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d The Microsoft Excel document exploits CVE-2017-11882 to deliver the Lokibot remote access trojan.
• cf95b81f5fedd8ad83452f1b21ec1d9169262c13e3be309085c171d663a73fde The Microsoft Word document exploits CVE-2017-11882 to download and execute an Agent Tesla executable.
• 9664740123170b912430759af6cfad9ff784ccd266fe93909022093beff051c7 The Microsoft Excel document runs an embedded VBA script to download and execute the Agent Tesla payload.

Compromised web infrastructure used for payload delivery and exfiltration

The malicious Excel document 9664740123170b912430759af6cfad9ff784ccd266fe93909022093beff051c7 

leverages legitimate compromised infrastructure to download and execute an Agent Tesla executable. The executable is downloaded from a domain belonging to a US-based flooring company. The encrypted Microsoft Excel documents such as 132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d, leveraged dynamic DNS domains to download the initial Lokibot payload. Agent Tesla exfiltrates stolen data over SMTP using compromised email accounts. Two legitimate companies have been identified as compromised from the Agent Tesla malware configuration. The first is an engineering company in India and the other a TV cable provider in Bahrain.

Outlook

Phishing campaigns impersonating the maritime industry will almost certainly continue.

It is highly likely that phishing campaigns will continue to impersonate the maritime industry for credential and mail data theft. Publicly available information regarding ships and their owners provides a low barrier to entry for actors looking to make their emails appear legitimate. Commodity tools provide actors the capabilities needed to harvest credential and email information from their targets. The returns are potentially very lucrative. The regular charges incurred on merchant vessels due to port fees combined with the increasing demand for goods transported by ship, provide an environment for BEC scams to thrive.

EclecticIQ applies U.S. Intelligence Community Directive 203 to inform part of its analytic technique. This includes analytic discipline in objectivity, freedom from political bias, timeliness, relevance, and words of estimative probability to express the likelihood or probability of future events occurring. Consequently, we mean the following when we use words of estimate probability:

Find STIX & JSON attachments here

References

1. CVE-2017-11882 Detail 
2. 6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d
3. Ocean Tankers
4. 6f68432c8c109e52980cef46236114266c97a5791808053b07a943d7686f8f55
5. A Primer on Port Charges: How Port Charges Affect Your Business
6. Crane Market Update March 2021
7. GOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry
8. 132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d 
9. cf95b81f5fedd8ad83452f1b21ec1d9169262c13e3be309085c171d663a73fde 
10. 9664740123170b912430759af6cfad9ff784ccd266fe93909022093beff051c7
11. 132f5ce3c879259992351ae90865928ed508f5a76ab3f97ce6cd624ecccb551d