Phishing Emails Impersonate Maritime Industry in Likely BEC Campaign

Author: EclecticIQ Threat Research Team

Phishing emails impersonating the maritime industry deliver commodity RATs and keyloggers

A malicious actor launched a phishing campaign using files with maritime industry-specific terminology to deliver commodity remote access trojans (RATs) and keyloggers for credential theft. The campaign is ongoing, with the first activity observed on 28th October 2020. The actor uses spoofed email addresses impersonating companies and individuals with a stake in the maritime industry. The emails' subject lines and attachment file names use maritime terminology and impersonate merchant vessels. One observed phishing email impersonates the ship ‘MARINE TIGER’ and spoofs the sender address ‘[email protected]’ to impersonate its management company, ‘Ocean Tankers’. The emails deliver the following commodity RATs and keyloggers:

  • Agent Tesla
  • FormBook
  • Lokibot
  • Masslogger

It is likely this campaign is using stolen credentials for business email compromise

It is likely that this campaign will use the stolen credentials and mailing information in future business email compromise (BEC) attacks. The tooling leveraged shows a clear focus on credential and email information theft. Email subject lines such as ‘Port agency appointment - MV NAGOYA TRADER’ are aimed at onshore organizations that are involved with port and ship operations. Onshore organizations are particularly susceptible to BEC attacks because they regularly handle port charges for merchant vessels. This is exacerbated by increased global demand for shipping, with Asia-US volumes reaching the highest level on record in Q4 2020. The campaign is consistent with other activity targeting the maritime industry: the threat actor group Golden Galleon targeted the maritime industry with BEC attacks in 2017.
