Phishing Vessels

Loki Bot campaign targets maritime industry

DarkLab intelligence analysts detected a Loki Bot phishing campaign targeting the maritime and engineering sectors in Europe, Asia and the US from spoofed email addresses of legitimate organisations in Asia.

Figure 1 – Countries of origin of phishing recipients (blue) and legitimate organisations’ spoofed addresses (red)

Recipients of phishing emails – hard to see in the map above – were also located in Singapore.

The earliest phishing email detected dates back to October 2019. However, our previous research indicates that this threat actor is using maritime themes in their phishing campaigns since at least 2018, and is linked to other malware families including Pony.

The 2019 email was sent from a likely compromised subdomain of an Indonesian company and contained a malicious archive (.rar) attachment purportedly pertaining to a purchase order, a common theme of spam emails.

Since then, the actor behind the campaign refocused their phishing lures by spoofing emails of legitimate organisations linked to the maritime industry, and by referring to vessels and other naval themes in their emails.

Figure 2 – Example of phishing email spoofing a Singapore-based shipping company

Figure 3 – Example of phishing email sent to a Switzerland-based maritime consultancy

Some phishing emails showed a good knowledge of the shipping industry, including believable details of existing ships and ports locations.

Figure 4 – Example of phishing email sent to a Japanese shipping company

Figure 4 – Example of phishing email sent to an Italian engineering contractor, purporting to be from a Chinese port authority

For instance, both vessels mentioned in the email above, Glovis Crown and Glovis Splendor, are 200m long cargo ships registered in the Marshall Islands. It remains unclear how criminals managed to obtain such details, although it seems likely that they derive from previously hijacked communications of potentially unrelated victims.

This second wave of phishing emails has been active between February and late June 2020, suggesting the campaign is likely still active.

Phishing emails switched to a malicious Microsoft Excel (.xlsx) attachment containing an exploit for CVE-2017-11882. This vulnerability in Microsoft Equation Editor lets attackers run remote code on a vulnerable machine when the victim opens a document. The exploit has been actively used by multiple cybercriminal groups due to the level of access it grants to the victim machine and the lack of user interaction needed.

Figure 5 – Screenshot of malicious xlsx attachment to email in Figure 4 [MD5: e7bb1284bf0e723b47435b0f70504b3f]

The malicious documents are downloaders for Loki Bot, an information stealer first seen in 2015. The malicious payloads observed, and additional ones found by pivoting on the attack infrastructure, are downloaded from duckdns.org subdomains likely created with domain generation algorithms (DGA).

The payload, Loki Bot, can steal credentials from browsers and email clients, among other programs, and has keylogging capabilities. The malware also sends identifying information about the victim’s hosts to a C2 to inform threat actors of the successful infection.

The current Loki Bot campaign highlights the ongoing threat of commodity malware and widespread phishing to organisations in the maritime and engineering sectors. Although the campaign exploits well-known threat vectors, lack of widespread adoption of anti-spoofing technologies like SPF and DMARC, or their incorrect implementation,  means that criminals can continue sending credible phishing emails apparently from legitimate domains.

Indicators of Compromise

Emails Sender’s IP

103.253.115[.]37

Downloader Domains

russchine2specialplumbingwsdymaterialgh3.duckdns[.]org

chneswealthandorganisationstdy7joppl.duckdns[.]org

12chnesstdywealthandmoduleorganisationrn.duckdns[.]org

chnes14wealthandstdymoduleorganisationoo.duckdns[.]org

chnthreewealthsndy3andreinforcementagenc.duckdns[.]org

20chneswealthandsndymoduleorganisationvz.duckdns[.]org

chnes29sndyqudusisabadassniggainthebba.duckdns[.]org

united32wsdyfrkesokoriorimistreetsjkjd.duckdns[.]org

russchine2sndymapanxmenischangedone14ajb.duckdns[.]org

sndychnesprvlandofglorylandoflifeforle.duckdns[.]org

greenpegheedahatakankeadeshnaajaotawsdy.duckdns[.]org

sndychnesprvlandofglorylandoflifeforle.duckdns[.]org

Payloads

4ae5c9c199377980ebc558d27e7855960c69167138951378666421b9b3db09de

bcc826091ec71230947aa1916263434935a58ffe5977cf415b1d970633939652

58e0c4eef4236380167e9ea679e7885aebb5319dd0ea17365b90b5867cae7ff8

49107c228e38638d3b241bb5c4aa93ef68db20cc0c5a4157e00fc027635418bf

9ea2966982206d42cd8ad215f7a408bf7c1964134e3bef967e7bb93df6dc1f1a

b48f93828a970b7f2122b098cade1e1ab488ef557cf11ae0c44f5690f6c45185

83ba255722d5c337ce128b5e216fc1a4010849b3b4ac3e4841458d371ed757d6

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Leave a Reply