MARITIME CYBER ALERT: A New Phishing Campaign Targets Shipping Companies

Maritime Cyber Alert

We would like to bring to your attention a new malicious phishing campaign that was discovered recently. The campaign uses compromised legitimate email accounts belonging to transportation and shipping companies and vendors to inject malicious content into existing email conversations. Specifically, compromised emails from the following logistics software companies have been identified: Samsara, AMB Logistic, and Astra TMS.

 

Why this is a high risk

Beyond sending from legitimate (but compromised) email addresses, the attackers may use legitimate software that is in common use by maritime companies to inject information stealers or trojans. For example, they were found to leverage phishing emails to manipulate NetSupport, a legitimate IT remote access tool, to covertly install malicious code on target devices.

Other information stealers and remote access trojans (RATs) installed by this campaign:

  • Lumma Stealer
  • StealC
  • DanaBot
  • Arechclient2

 

Infection Methods

  • The attackers have been impersonating emails from companies like Samsara, AMB Logistic, and Astra TMS, which provide software used in transport and fleet operations management.
  • The phishing emails often contain internet shortcut (.URL) attachments or Google Drive URLs that also lead to a .URL file. When opened, these files use Server Message Block (SMB) to discreetly download malware from a remote server.
  • From August 2024, the attackers began using a new tactic called ClickFix to trick victims into downloading the DanaBot malware. Under the pretext of addressing an issue with displaying document content in the web browser, the lure urges users to copy and paste a Base64-encoded PowerShell script into the terminal, thereby triggering the infection process.
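
One way to triage the .URL attachments described above at a mail gateway or during incident response, as an added example (not Cydome's code): it parses the Internet Shortcut file and reports any field that points at a remote file share (a UNC path or a file:// URL with a host), which is how such a shortcut reaches an SMB server. The function names and sample files are constructed for illustration, and checking the IconFile field as well as URL is an assumption that goes beyond what the alert describes.

```python
"""Triage Internet Shortcut (.URL) attachments for remote file-share targets."""
import configparser
import re
from urllib.parse import urlparse

# Fields of a .URL file that Windows may resolve over the network.
TARGET_KEYS = ("url", "iconfile")
# \\host\share or //host/share
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")


def remote_file_host(value):
    """Return the remote host for a UNC path or file:// URL, else None."""
    value = value.strip().strip('"')
    match = UNC_RE.match(value)
    if match:
        return match.group(1)
    parsed = urlparse(value)
    if parsed.scheme.lower() != "file":
        return None
    if parsed.netloc and parsed.netloc.lower() != "localhost":
        return parsed.netloc              # file://host/share/...
    match = UNC_RE.match(parsed.path)     # file:////host/share/...
    return match.group(1) if match else None


def triage_url_file(data):
    """Return [(field, host)] for each field pointing at a remote file share."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    findings = []
    try:
        parser.read_string(data.decode("utf-8-sig", errors="replace"))
        for section in parser.sections():
            for key in TARGET_KEYS:
                host = remote_file_host(parser.get(section, key, fallback=""))
                if host:
                    findings.append((key, host))
    except (configparser.Error, ValueError):
        findings.append(("unparseable", ""))  # malformed: review by hand
    return findings


# Constructed samples (documentation-range address, not campaign indicators).
SAMPLE_SMB = b"[InternetShortcut]\r\nURL=file://198.51.100.7/share/document\r\n"
SAMPLE_WEB = b"[InternetShortcut]\r\nURL=https://www.example.com/\r\n"

if __name__ == "__main__":
    for name, blob in (("smb", SAMPLE_SMB), ("web", SAMPLE_WEB)):
        print(name, triage_url_file(blob))
```

A non-empty result is a reason to quarantine the attachment and check egress logs for SMB connections to the reported host.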

 

How to Defend

  • Check that your network detection solution is updated for such threats. For Cydome system users: the Cydome research team is monitoring the relevant indicators and updating the protection to generate an alert in case of a detected attack.
  • Be vigilant for phishing emails, especially from Samsara, AMB Logistic, and Astra TMS, and for emails containing URLs, PDFs, etc.
  • Update awareness with a phishing drill for the entire company and crews.
  • Update your antivirus/endpoint protection for onboard assets with the latest signatures.

 

Cydome is committed to continuously researching and ensuring your defense is updated with the latest trends. For more information, please contact our cyber research team.

You are invited to leave your details and book a session with our expert.