# Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”) **blog.yoroi.company/** CERT-YOROI October 17, 2018 ## Background During the last week Yoroi CERT’s analysts uncovered several attacks targeting the italian naval and defence industry. The attacker used email as known propagation vector in order to infect victims by sending a special crafted xls file. The identified attack properties triggered internal defcon escalation in order to assess the threat magnitude and eventually special malware analyses according to the threat. The suspicious emails have been intercepted between 9th and 15th October during our common CSDC (Cyber Security Defence Center) operations in two different champains, each one characterized by one or more attempts and slightly different social engineering tricks. ## Malicious Emails The first intercepted malicious email had “markvanschaick.nl @qixnig .com” as a sender address. The specific name has been likely chosen by the attacker to try to exploit the Dutch marine service company reputation “Mark Van Schaick”, but sender’s domain and ip address shown no direct relationship to that organisation. _Figure 1. SMTP header details of wave 1_ The message has been sent from a Roundcube webmail server hosted on lord. vivawebhost .com (173.237.190.12 COLO4-BLK7 US) and apparently unrelated to the sender’s domain. Moreover, “qixnig .com” (sender domain name) resolves to a different IP address reachable at 66.45.243.148 (INTERSERVER US). It’s interesting to figure out the crafted redirection applied to any visiting users: a HTTP 301 code redirecting to the Dan Marine Group’s official web portal. ----- _Figure 2. Redirection to the Dan Marine web portal_ The second email campaign was slightly different respect to the first one. It was originated by another Roundcube webmail service hosted at mail.dbweb .se (52.58.78.16 AT-88-Z US): _Figure 3. SMTP header details of wave 2_ In this case the fake communication process mimics the interaction between “Naviera Ulises Ltd ” and “Evripidis _Mareskas (Mr) ”. The extracted domain r happens to be_ “kiramko .com” and it resolved to the same remote ip address discovered in the first campaign wave (“qixnig .com”, 66.45.243.148 INTERSERVER US). Those campaigns could be considered as closely correlated. The “ulisnav .gr” appears to be unregistered at time of writing. The intercepted emails come up with a carefully prepared phishing scheme, definitely targeting the italian naval sector. The observed chunks of headers and the network context shown the attacker tried to impersonate known vendors of marine parts and naval services in order to lure victims to open up the attached documents. For example the first two detected attempts tried to mimic inquiries from the Chinese Dan Marine Group, pretending to validate the sender’s domain “qixnig .com” as legibly owned by the group. It then tried to redirect visitors to the Dan Marine official website. Another intercepted email inserted the victim as BCC into a fake communication between the tech support of the greek Naviera Ulises Ltd and one of its employer (data publicly available on linkedin). No one of these communications appear to be real and legitim, indeed the intercepted data does not suggest the attacker has any kind of access to real assets. ## Attachments The intercepted email messages have more than one attached documents: on the first email campaign we observed two copies of the same Excel file (5c947b48e737648118288cb04d2abd7b) wrapping CDFV2 encrypted data and scoring [relatively low in the VT’s AV coverage test (9/59 at time of writing).](https://www.virustotal.com/#/file/a42bb4900131144aaee16d1235a22ab6d5af43407a383c3d17568dc7cfe10e64/details) ----- (66b239615333c3eefb8d4bfb9999291e) from a compromised web portal: _Figure 4. Malware download HTTP request intercepted_ Further details regarding the evasion techniques, especially related to the “VelvetSweatshop” trick and the Equation Editor’s exploit used to drop the malware, are [available here (link).](https://marcoramilli.blogspot.com/2018/10/martymcfly-malware-targeting-naval.html) _Figure 5. Malicious excel document_ The second attack had as attachment a copy of Excel file and one more PDF document named “Company profile.pdf” (6d2fc17061c942a6fa5b43c285332251), this file appears to have been generated in the same time-period of the phishing attempts: nearly 30 minutes before the dispatch of the malicious message, from a MS Word 2013 document. _Figure 6. “Company Profile.pdf” metadata_ The embedded attachments have been delivered in the middle of October using multiple names, most of them related to the naval industry and containing references to quotations, inquiry or orders of mechanical parts. ----- _Figure 7. Submission time and names of the samples_ Having said that, we can now explain the internal choice of the “MartyMcFly” code-name for this campaign: the name comes from the “First Seen in The Wild ” value reported by the VT platform and the meta-data found in the artifacts, which are a quite interesting topic to be discussed. ## Payload The executable payload has been downloaded from a potentially compromised website legitimately owned by a turkish company selling mechanical spare parts, indicating the attacker had carefully taken care of the thematization of the malware distribution infrastructure. The PE32 file 66b239615333c3eefb8d4bfb9999291e contains executable binary code compiled from Delphi source code (BobSoft Mini Delphi). The first stage of execution shows several anti-analysis patterns and tricks, for instance at 0x0045e304 the malware checks if the year of the local time configured in the OS is after 2017 (rif. Figure 8) moreover at 0x045e393 it slows down the execution invoking the SleepEx library function (rif. Figure 9). ----- _Figure 8. Current Local Time check_ _Figure 9. Code slow down via SleepEx_ The bypass of all the debug checks and evasion tricks inside the malicious code leads to the dynamic loading of a .NET module in a RWX code-segment mapped at the 0x012e0000 location. _Figure 10. Executable module unpacked in memory_ Yara signatures claim the extracted PE32 module is attributable to a weaponized version [of “QuasarRAT”: an open-source remote administration tool freely available on github.](https://github.com/quasar/QuasarRAT) _Figure 11. Yara signature match on the dumped_ _.NET Modules_ The manual verification reported in Figure 12 confirms the extracted payload is compatible with QuasarRAT modules published on the github repository. Moreover, the IoC section below reports the C2 server locations found in the malware configurations. ----- _Figure 11. Example of module names and messages used by the QuasarRAT_ At the moment no attribution to known group is possible, many threat actor choose to use or customize open-source tools to try to make the attribution harder, such as the chinese “Stone Panda” group (APT-10) known for espionage operations against defence and [government, having the QuasarRAT in their arsenal, or also the “Gorgon Group”, the](https://www.us-cert.gov/ncas/alerts/AA18-284A) ambiguous mercenary group responsible of both cyber-crime attacks and targeted espionage campaigns against governments. ## Indicator of Compromise ----- Malspam INQUIRY FOR Engine Requisition: Spare parts: Valves: Cylinder etc “Mark Van Schaick Marine” Mark van Schaick Enquiry – Marine Parts, Valve, Cylinder ets..xlsx Mark Van Schaick Company Profile.xlsx “INQUIRY MJ1409-FWS-FBR-61 / 18092867Q1/ MARINE PARTS” “Cherry dan” Engine_9463.xlsx List of order spares parts.xlsx Company Profile.pdf lord.vivawebhost[.com mail.dbweb[.se Dropurl http://apexmetalelektrik[.com/js/jquery/ui/jquery/file/alor/GEqy87.exe C2 secureserver.marinelectricsystems[.com:4783 safebridge.marinelectricsystems[.com:4783 neumeistermcntrade[.ddns[.net:4783 mcntradeandreas.ddns[.net:4783 79.172.242[.87:4783 Hash a42bb4900131144aaee16d1235a22ab6d5af43407a383c3d17568dc7cfe10e64 xlsx 3b5bd3d99f1192adc438fb05ab751330d871f6ebb5c22291887b007eaefbfe7b pdf 1aa066e4bcc018762554428297aa734302cfbb30fef02c0382f35b37b7524a4a exe -----