SANS ISC: SANS Internet Storm Center

Shipping dangerous goods

Published: 2020-10-21
Last Updated: 2020-10-21 18:35:49 UTC
by Daniel Wesemann (Version: 1)

For the past several months, I've been tracking a campaign that sends rather odd-looking emails like the one shown in the screenshot accompanying the original diary.

The sender (From) address on these emails usually impersonates an existing shipping or logistics company. The ships mentioned in the emails actually exist, and according to marinetraffic.com the vessels are in fact traveling in the stated area, with cargo that makes the content of such harbor berthing reservation and cargo manifest emails seem plausible.

Between two and five emails of this style arrive in one of my spam traps every weekday. The scammers don't work on weekends, and sometimes they take a full week off, but they inevitably come back and try again. Most emails are received between 2am and 4am UTC which, assuming the mails are sent during the sender's local morning (roughly 9am to noon in UTC+7 or UTC+8), could suggest that the sender is sitting somewhere between Bangkok and Shanghai. The sending mail servers are everywhere, but show some clustering in Malaysia.

The emails themselves display a casual familiarity with marine jargon, tonnages, draft, cargo types, DWT, routing, ETAs and marine radio procedures. They would be mildly entertaining to read, before getting filed in the spam folder ... if it weren't for the attachment. 

Sized between 500 KB and 1.5 MB, the attachment type of choice for the past several months has been a Microsoft Cabinet archive (".cab"). VirusTotal detection for the samples varies, ranging from no detections at the time of receipt to 50+ engines a couple of days later.

Two recent samples from this campaign:
https://www.virustotal.com/gui/file/ba81b061a2dd678c1035ab99f70e36ce23446fa7f59a449722eac51dcb856d88/detection
https://www.virustotal.com/gui/file/40f23fd166724fa53a78234c4cdef2a8f95c2fc1e52bcd7b381efaa23cea6bc1/detection

The malware in question is Agent Tesla spyware. Since April, my sandbox has collected several hundred distinct Agent Tesla samples from this actor. Agent Tesla exfiltrates stolen data via HTTPS or, more commonly, via email (authenticated SMTP submission over TLS, tcp/587). While the HTTPS destinations tend to be rather random, the email destinations are often mailboxes on domains that themselves belong to shipping companies. This indicates to me that the campaign is likely successful to some extent, and that over the months it has managed to steal valid email credentials (and probably more than that) from firms in the shipping and logistics sector, presumably reusing the compromised mailboxes to receive the next round of stolen data.

Indicators for the emails:
- look for emails with a *.cab attachment and an all-uppercase subject line

Indicators post-compromise:
- look for outbound connection attempts to tcp/587 from endpoints to mail servers other than your own (managed clients should only submit mail through your organisation's servers; expect some noise from users who have configured a personal mailbox in a desktop mail client)

The tcp/587 C2 mail servers currently in use are mail.trinityealtd[.]com and smtp.hyshippingcn[.]com, but these destinations change daily, so treat them as historical indicators rather than as a blocklist to rely on.
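As an added example (not part of the original diary), the following Python script applies both sets of indicators above to constructed sample data: it parses an RFC 5322 message and flags the combination of a .cab attachment with an all-uppercase subject, and it scans key=value firewall log lines for outbound tcp/587 connections to anything other than your own mail servers, tagging destinations that resolve to the C2 hosts named in this diary. The mail server IP, the log line format, the IP-to-hostname map and the sample message are assumptions for illustration.

```python
"""Triage helpers for the two indicator sets in the diary above.
All sample data below is constructed for illustration, not taken from the campaign."""
import re
from email import policy
from email.parser import BytesParser

# Hypothetical: the IP(s) of your own mail submission servers as seen by the firewall.
OWN_MAIL_SERVER_IPS = {"203.0.113.25"}

# SMTP C2 hosts named in the diary, with defanging brackets removed for matching.
KNOWN_C2_HOSTS = {"mail.trinityealtd.com", "smtp.hyshippingcn.com", "smtp.t7global-my.com"}


def email_indicators(raw):
    """Check one raw RFC 5322 message for a .cab attachment plus an all-uppercase subject.

    Returns a dict with the individual findings; 'match' is set only when both are present,
    since an uppercase subject on its own is far too common to act on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = msg.get("Subject", "") or ""
    letters = [c for c in subject if c.isalpha()]
    upper_subject = bool(letters) and all(c.isupper() for c in letters)
    cab_attachments = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".cab")
    ]
    return {
        "subject": subject,
        "upper_subject": upper_subject,
        "cab_attachments": cab_attachments,
        "match": upper_subject and bool(cab_attachments),
    }


KV = re.compile(r"(\w+)=(\S+)")


def parse_fw_line(line):
    """Turn a key=value firewall log line into a dict (bare tokens such as the timestamp are ignored)."""
    return dict(KV.findall(line))


def suspicious_smtp_submission(lines, resolver):
    """Flag outbound tcp/587 connections to anything other than our own mail servers.

    `resolver` maps destination IP to hostname (e.g. from passive DNS or proxy logs) so a
    hit can additionally be tagged when it lands on a C2 host already known from the diary."""
    hits = []
    for line in lines:
        f = parse_fw_line(line)
        if f.get("proto") != "tcp" or f.get("dpt") != "587":
            continue
        if f.get("dst") in OWN_MAIL_SERVER_IPS:
            continue
        host = resolver.get(f.get("dst"), "")
        hits.append({"src": f.get("src"), "dst": f.get("dst"), "host": host,
                     "known_c2": host in KNOWN_C2_HOSTS})
    return hits


# Constructed sample message in the style the diary describes (not a real campaign email).
SAMPLE_EMAIL = b"""From: ops@shipping-example.test
To: victim@example.com
Subject: BERTHING RESERVATION AND CARGO MANIFEST MV EXAMPLE
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find attached the vessel particulars and cargo manifest.
--b1
Content-Type: application/vnd.ms-cab-compressed; name="MANIFEST.cab"
Content-Disposition: attachment; filename="MANIFEST.cab"
Content-Transfer-Encoding: base64

TVNDRgAAAAA=
--b1--
"""

# Constructed firewall lines (RFC 5737 documentation addresses) and a constructed IP-to-name map.
SAMPLE_FW_LOG = [
    "2020-10-21T02:14:05Z src=10.1.2.3 spt=50123 dst=203.0.113.25 dpt=587 proto=tcp action=allow",
    "2020-10-21T02:14:09Z src=10.1.2.3 spt=50131 dst=198.51.100.77 dpt=587 proto=tcp action=allow",
    "2020-10-21T02:15:00Z src=10.1.2.9 spt=50200 dst=198.51.100.10 dpt=443 proto=tcp action=allow",
]
SAMPLE_RESOLVER = {"198.51.100.77": "smtp.hyshippingcn.com"}

if __name__ == "__main__":
    print(email_indicators(SAMPLE_EMAIL))
    for hit in suspicious_smtp_submission(SAMPLE_FW_LOG, SAMPLE_RESOLVER):
        print(hit)
```

Run against the constructed data, the first firewall line is ignored because it goes to the organisation's own submission server, the third because it is not tcp/587, and only the second is reported, tagged as a known C2 host. Because the C2 servers rotate daily, the port-based rule is the durable part of the detection; the hostname match is just a convenience for prioritising alerts.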

The campaign has a lot in common with what Bitdefender reported in April about spearphishing against the oil and gas industry: https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/

If you have additional information on this campaign, please let us know, or share in the comments below.

Update: the latest three samples from today (SHA1) and their corresponding SMTP C2 servers:

f00fadbb5208ce7cdfe655c99c3d0cd4e13b688b  smtp.hyshippingcn[.]com:587
15f65230fb7dafdad1ca727fa7a3dd5bb132fe51  smtp.hyshippingcn[.]com:587
e0be943cd75bbab62768510aaa1547a90ee41ab0  smtp.t7global-my[.]com:587

Keywords: AgentTesla malware
