The “MartyMcFly” investigation: anchors-chain case
On October 17th we disclosed the “MartyMcFly” Threat (Rif. Analysis) where unknown attackers were targeting Italian naval industries. The analysis was cited by Kaspersky’s ICS CERT who exposed a wider threat extension across multiple countries such as: Germany, Spain, and India. Thanks to Kaspersky’s extended analysis we decided to harvest more indicators and to check more related threats by asking a joint cyber force with Fincantieri, one of the biggest player on Naval Industry across Europe. Fincantieri who was not involved in the previous “MartyMcFly” attack identified and blocked additional threats targeting their wide infrastructure intercepted on during the week of 20th August 2018, about a couple of months before the “MartyMcFly” campaign. Our task was to figure out if there were a correlation between those attacks targeting Italian Naval Industries and try to identify a possible attribution.
Fincantieri’s security team shared with us a copy of a malicious email, carefully themed as the ones intercepted by the Yoroi’s Cyber Security Defence Center between 9th and 15th October. At first look the message appears suspicious due to inconsistent sender’s domain data inside the SMTP headers:
- From: [email protected]
- Subject: Quotation on Marine Engine & TC Complete
- User-Agent: Horde Application Framework 5
- X-PPP-Vhost: jakconstruct.com
The email messages has been sent from a mailbox related to the “jakconstruct.com” domain name, which is owned by the quatari’s “AK CONSTRUCTION W.L.L.”, suggesting a possible abuse of their email infrastructure.
Figure 1. SMTP header smtp details
The “anchors-chain.com” domain found in the SMTP “From” header has been purchased a few weeks before the delivery of the malicious message: a privacy protected user registered the domain on 21 June 2018, through the “NameSilo, LLC” provider.
Figure 2. Whois data of “anchors-chain.com”
During the time-period between the 22th of June and the 2nd of September 2018 this domain resolved to the IP address 18.104.22.168, owned by “Fast Serv Inc.”, hosting provider sometimes abused for illicit purposes (e.g. command and control services of info stealers malware). Unfortunately, the domain results offline at time of writing, so it wasn’t possible to assess the presence of redirections to legit services as observer on the “MartyMcFly” case.
Also, the “anchors-chain.com” domain shows an explicit reference to an asian company producing chains for a wide range of customers in the shipbuilding industry: the “Asian Star Anchor Chain Co. Ltd.” or “AsAc Group”. The real domain of the group spells almost the same: “anchor-chain.com”, the letter “s” is the only difference between the name registered by the attacker and the legit one. Moreover the message body has been written in chinese language and the signature includes a link to another legit domain of the group, confirming the attacker was trying to impersonate personnel from AsAc Group, simulating the transmission of quotations and price lists.
Figure 4. Malicious email message
Figure 5. Malicious PDF document
The link “http://ow.ly/laqJ30lt4Ou“ has been deactivated for “spam” issues and is no longer available at time of writing. However analyzing automated sandox report dated back to the attack time-period is possible to partially reconstruct the dynamic of the payload execution, since the click on the embedded “ow.ly” link.
Figure 6. Attachment's process tree
The dynamic trace recorded some network activity directed to two suspicious domains on the “.usa.cc” TLD originated right after the launch of the “iexplore.exe” browser’s process: respectively “wvpznpgahbtoobu.usa.cc” and “xtyenvunqaxqzrm.usa.cc”.
Figure 7. DNS requests intercepted
The first network interaction recorded is related to the embedded link inside the pdf attachment “http://ow.ly/laqJ30lt4Ou”, returning a redirection to another resource protected by the same URL shortening service.
Figure 8. Redirection to the second ow.ly url
The opening of the next url “http://ow.ly/Kzr430lt4NV” obtains another HTTP 301 redirect to a HTTPS resource related to one of the previously identified “usa.cc” domain:
Figure 9. Redirecion to “wvpznpgahbtoobu.usa.cc”
Analyzing the SSL/TLS traffic intercepted during the dynamic analysis session shows multiple connections to the ip address 22.214.171.124, a dedicated server hosted by OVH SAS. The SSL certificate has been released by the “cPanel, Inc“ CA and is valid since 16th August 2018; this encryption certificate is likely related to the previously discussed HTTP 301 redirection due to the common name “CN=wvpznpgahbtoobu.usa.cc” found in the Issuer field.
Figure 10. SSL Certificate details “wvpznpgahbtoobu.usa.cc”
Another SSL/TLS connections recorded shows traffic related to the “xtyenvunqaxqzrm.usa.cc” domain directed to the same 126.96.36.199 ip address:
Figure 11. SSL Certificate details “xtyenvunqaxqzrm.usa.cc”
OSINT investigations gathered evidence of past abuses of the “xtyenvunqaxqzrm.usa.cc” for malicious purposes, for instance an urlquery report dated back on 23rd August 2018 shows a phishing portal previously reachable at “https://xtyenvunqaxqzrm .usa.cc/maesklines/Maerskline/maer.php” contained a login page of a fake “Maersk” holding’s shipping portal, multinational company operating in the logistic sector, one of the world’s largest container shipping company.
Figure 12. Phishing page previously hosted on xtyenvunqaxqzrm.usa.cc
The elements found in the dynamic execution report indicates a compatibility between the OSINT information about the “xtyenvunqaxqzrm.usa.cc” domain and the attachment itself: one of the dropped file recorded during the automated analysis section is named “login.html” and it has been classified as phishing template on the VT platform (hash 4cd270fd943448d595bfd6b0b638ad10).
Figure 13. login.html page dropped during the execution
The evidences collected during the joint analysis with the Fincantieri’s security team suggests some, still unspecified, targeted threat is likely trying to establish a foothold at least into the Italian naval industry. At this time is not possible to confirm the two waves of attack have been planned and executed by the same threat actor of the “MartyMcFly” campaign, many differences such as the distinct type of payload are relevant. However, at the same time, common elements impose to not discard the possibility of this relationship, for example the following indicators are likely suggesting correlations:
- impersonification of service provider and satellite companies of the naval industry sector.
- usage of domain names carefully selected to appear similar to legit names of known companies.
- usage of professional sounding emails containing reference and documents carefully aligned with impersonification context.
- possible usage of “Microsoft Word 2013”
Having said that we would like to thanks colleagues of Fincantieri’s security team for sharing data about these attacks, helping us in the investigation of this threat.
Indicator of Compromise
Here the list of indicator of compromise collected during the analysis:
- [email protected]
- Quotation on Marine Engine & TC Complete