On October 17th we disclosed the ‘MartyMcFly’ Threat (Rif. Analysis) where unknown attackers were targeting Italian naval industries. The analysis was cited by Kaspersky’s ICS CERT who exposed a wider threat extension across multiple countries such as: Germany, Spain, and India. Thanks to Kaspersky’s extended analysis we decided to harvest more indicators and to check more related threats by asking a joint cyber force with Fincantieri, one of the biggest player on Naval Industry across Europe. Fincantieri who was not involved in the previous ‘MartyMcFly’ attack identified and blocked additional threats targeting their wide infrastructure intercepted on during the week of 20th August 2018, about a couple of months before the ‘MartyMcFly’ campaign. Our task was to figure out if there were a correlation between those attacks targeting Italian Naval Industries and try to identify a possible attribution.
Fincantieri’s security team shared with us a copy of a malicious email, carefully themed as the ones intercepted by the Yoroi’s Cyber Security Defence Center between 9th and 15th October. At first look the message appears suspicious due to inconsistent sender’s domain data inside the SMTP headers:
The email messages have been sent from a mailbox related to the “jakconstruct.com” domain name, which is owned by the Qatari’s “AK CONSTRUCTION W.L.L.”, suggesting a possible abuse of their email infrastructure.
Figure 1. SMTP header smtp details
The “anchors-chain.com” domain found in the SMTP “From” header has been purchased a few weeks before the delivery of the malicious message: a privacy-protected user registered the domain on 21 June 2018, through the “NameSilo, LLC” provider.
Figure 2. Whois data of “anchors-chain.com”
During the time period between the 22nd of June and the 2nd of September 2018, this domain resolved to the IP address 184.108.40.206, owned by “Fast Serv Inc.”, hosting provider sometimes abused for illicit purposes (e.g. command and control services of info stealers malware). Unfortunately, the domain results offline at the time of writing, so it wasn’t possible to assess the presence of redirections to legit services as an observer on the “MartyMcFly” case.
Also, the “anchors-chain.com” domain shows an explicit reference to an Asian company producing chains for a wide range of customers in the shipbuilding industry: the “Asian Star Anchor Chain Co. Ltd.” or “AsAc Group”. The real domain of the group spells almost the same: “anchor-chain.com”, the letter “s” is the only difference between the name registered by the attacker and the legit one. Moreover, the message body has been written in Chinese language and the signature includes a link to another legit domain of the group, confirming the attacker was trying to impersonate personnel from AsAc Group, simulating the transmission of quotations and price lists.
Figure 4. Malicious email message
Figure 5. Malicious PDF document
The link “http://ow.ly/laqJ30lt4Ou“ has been deactivated for “spam” issues and is no longer available at the time of writing. However, analyzing automated sandox report dated back to the attack time-period is possible to partially reconstruct the dynamics of the payload execution, since the click on the embedded “ow.ly” link.
Figure 6. Attachment’s process tree
The dynamic trace recorded some network activity directed to two suspicious domains on the “.usa.cc” TLD originated right after the launch of the “iexplore.exe” browser’s process: respectively “wvpznpgahbtoobu.usa.cc” and “xtyenvunqaxqzrm.usa.cc”.
Figure 7. DNS requests intercepted
The first network interaction recorded is related to the embedded link inside the pdf attachment “http://ow.ly/laqJ30lt4Ou”, returning a redirection to another resource protected by the same URL shortening service.
Figure 8. Redirection to the second ow.ly url
The opening of the next url “http://ow.ly/Kzr430lt4NV” obtains another HTTP 301 redirect to an HTTPS resource related to one of the previously identified “usa.cc” domain:
Figure 9. Redirection to “wvpznpgahbtoobu.usa.cc”
Analyzing the SSL/TLS traffic intercepted during the dynamic analysis session shows multiple connections to the ip address 220.127.116.11, a dedicated server hosted by OVH SAS. The SSL certificate has been released by the “cPanel, Inc“ CA and is valid since 16th August 2018; this encryption certificate is likely related to the previously discussed HTTP 301 redirection due to the common name “CN=wvpznpgahbtoobu.usa.cc” found in the Issuer field.
Figure 10. SSL Certificate details “wvpznpgahbtoobu.usa.cc”
Another SSL/TLS connections recorded shows traffic related to the “xtyenvunqaxqzrm.usa.cc” domain directed to the same 18.104.22.168 ip address:
Figure 11. SSL Certificate details “xtyenvunqaxqzrm.usa.cc”
OSINT investigations gathered evidence of past abuses of the “xtyenvunqaxqzrm.usa.cc” for malicious purposes, for instance an urlquery report dated back on 23rd August 2018 shows a phishing portal previously reachable at “https://xtyenvunqaxqzrm .usa.cc/maesklines/Maerskline/maer.php” contained a login page of a fake “Maersk” holding’s shipping portal, multinational company operating in the logistics sector, one of the world’s largest container shipping company.
Figure 12. Phishing page previously hosted on xtyenvunqaxqzrm.usa.cc
The elements found in the dynamic execution report indicates a compatibility between the OSINT information about the “xtyenvunqaxqzrm.usa.cc” domain and the attachment itself: one of the dropped file recorded during the automated analysis section is named “login.html” and it has been classified as phishing template on the VT platform (hash 4cd270fd943448d595bfd6b0b638ad10).
Figure 13. login.html page dropped during the execution
The evidence collected during the joint analysis with the Fincantieri’s security team suggests some, still unspecified, targeted threat is likely trying to establish a foothold at least into the Italian naval industry. At this time is not possible to confirm the two waves of attack have been planned and executed by the same threat actor of the “MartyMcFly” campaign, many differences such as the distinct type of payload are relevant. However, at the same time, common elements impose to not discard the possibility of this relationship, for example, the following indicators are likely suggesting correlations:
Having said that we would like to thanks colleagues of Fincantieri’s security team for sharing data about these attacks, helping us in the investigation of this threat.
Further details including IoC are available in the report published by Yoroi.
About the author: Marco Ramilli, Founder of Yoroi
I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.
I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans