AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 5th, 2023 to March 11th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act is a technical subterfuge that enables the threat actor to perform attacks such as information leaks, malware distribution, and fraud against various targets. The focus of this post will be on the fact that phishing attacks mainly occur through emails. We will also provide a detailed classification of various attack methods that are based on phishing emails. Furthermore, we will make an effort to minimize user damage by introducing new attack types that have never been found before and emails that require users’ caution, along with their keywords. The phishing emails covered in this post will only be those that have attachments. Emails that have malicious links in the body without attachments will be excluded.
Phishing Emails
During this week, the most prevalent threat type seen in phishing email attachments was FakePage with 84%. FakePages are web pages where the threat actor has imitated the screen layout, logo, and font of the real login pages or advertising pages, leading users to enter their account and password information. The input information is sent to the threat actor’s C2 server or used to induce users to access other fake websites. See <FakePage C2> below It was then followed by Trojan (7%) and Infostealers (5%) like AgentTesla and FormBook that leaks user credentials saved in web browsers, emails, and FTP clients. The .NET packer makes up most of Trojan, and this has been introduced in the previous blog post ‘Types of Recent .NET Packers and Their Distribution Trends in Korea‘ as Type 3 ‘VariantCrypter’. Aside from those mentioned above, Worm (2%), Exploit (2%), and Downloader (1%) types were detected. The threat types using phishing email attachments and their order of prevalence are similar to the order of malware distribution published weekly in the <ASEC Weekly Malware Statistics>.
File Extensions in Phishing Emails
We have identified which file extensions were used by the threats above for the distribution of email attachments. FakePages were distributed or web pages script (HTML, HTM, SHTML) documents that must be executed with a web browser. Other malware, including Infostealer and downloader, came attached to emails with various file extensions including compressed files (ZIP, R09, RAR), IMG disk image files, and PDF document files.
Cases of Distribution
The following are distribution cases that occurred during the week from March 5th, 2023 to March 11th, 2023. The cases will be classified into fake login pages and malware types, including Infostealer, Downloader, Exploit, and Backdoor. The numbers in email subjects and attachment filenames are unique IDs and may vary depending on the email recipient. Distribution cases with Korean subjects were also found. These are cases that specifically targeted Korean users instead of propagating themselves globally using the identical English subject and text.
Case: FakePage
| Email Subject | Attachment |
| DHL | Global | express | Transport_Doc_198290018.html |
| Re: PO 1015_INV (Invoice Request) | Invoice Request PO 1015_INV.htm |
| New DHL Shipment Document Arrival Notice / Shipping Documents / Original BL, Invoice & Packing List | (DHL) Original BL, PL, CI Copies.shtml |
| Request_for_Quotation_1294 | Request_For_Quotation_12943928484_Supply.htm |
| FedEx Service Alerts | FedEx_**lee-Original_Document.htm |
| Quotation Request | PO 230310-21A.htm |
| Re: PO 10960 | PO10960 .htm |
| Payment sent On: Wednesday, March 8, 2023 4:17 a.m. | Payment copy.pdf.html |
| New DHL Shipment Document Notice of Arrival / Shipping Documents / Original BL, Invoice & Packing List | (DHL) Original BL, PL, CI Copies.htm |
| Fw: PO 107556 (Invoice Request) | PO 107556Purchase Order .htm |
| You have received an essential encrypted company email – Remote ID | SecureMessageAtt.zip |
| URGENT !!! | Upgrade.html |
| New Order/PO # PUR120449-1 | Order_Inv PO # PUR120449-10.htm |
| Newly posted invoice , PL and BL | Invoice.AWB#84248_pdf.htm |
| countec-sales2 You Have a delievery | copy.AWB #0675854897.htm |
| FW:Payment Confirmation for Open Invoices INV-019358 sent via one-drive | Paid_invoice.html |
| Alerta ScotiaWeb: Comprobante Transaccion exitosa en Scotiabank ANGEL REYES MACARIO (868579) | Comprobante-2023-02-28T151137.308.pdf |
| New Contract N0_938 : PURCHASE ORDER ATTACHED | POrder2023.pdf |
| INQUIRY QT-0023817552 | QT_0023817552.html |
 [DHL] Notice on Import Tax Payment Deadline – (INV and AWB) | DHLParcelShipment.html |
| Quotation QUO91019 | Quote.html |
| DHL TRACKING NUMBER // ORIGINAL SCAN DOCUMENTS // VERIFY BL COPY FOR CHECKING // SHIPMENT ADVISE AGAINST OUR CONTRACT NO- WGCBD-141-21/22 (02X40″ 28LBS/1PLY) | Electronic Form.shtm |
| PO 197496 ( Invoice Request ) | PO_INV 197496 .htm |
| Payment Advice – Advice Ref:[922853603] | payment.html |
| Payment Swift and Invoice | Payment swift and invoice_ copy.shtml |
| OUR COMPANY NEW QUOTATION CONFIRMATION RECEIPT | Remmitance Payment.html |
| New_fax_received_for_wong truefriend | Fax #2046.htm.htm |
| Re: URGENT / Request for Quotation | order specification.shtml |
| FedEx Service Alert. | FedEx_Original_Document.htm |
| DHL Shipping Notification: Please kindly see shipping invoices for payment with delivery | Packing List.htm |
| Re: NEW PO – NH1200/1500 | scanPO.htm |
| PO 10120H5 (Invoice Request) | PO 10120H5 Purchase Order .htm |
| RE: PFI PO 4899 | scan001.htm |
| Re: PO 1015 (Invoice Request) | Purchase Order PO 1015.htm |
| PO#M013123-LTR1 | PO#M013123-LTR1.xls.htm |
| CONFIRMATION RECEIPT | Payment. Copy.html |
| Invoice – INV-00546 | INV-00546.shtml |
| You have received a direct deposit alert! | 83739832283382923893HHDJHSD83387HDSSDSH.xhtml |
| Your parcel has arrived urgent pick up needed today. | parceldelivery.html |
| Your parcel has arrived urgent pick up needed today. | AWB #8347630147.htm |
| Request for Quotation of : Ammunition Vehicle and Howitzer with Standard Tools and Accessories | Ammunition Vehicle and Howitzer.html |
| New Order POH12-FA2306133 | PO H12-FA2306133.html |
| Quotation Request_**테크_20230223 | [G0170-PF3F-23-0223].html |
| Fwd: Fw: Fw: inquiry | New—inquiry.html |
| Request for quotation | New Order.html |
| Payment Confirmation. | USD 63,530.50.pdf |
Case: Malware (Infostealer, Downloader, etc.)
| Email Subject | Attachment |
| Re: Re: RE: anniversary | KYC_HN70(Feb15).one |
| Re[4]: sexy pics | greatimg.gif.scr |
| RE: New Order OZM PO#10391, PO#10392-6 | New Order OZM PO#10391, PO#10392-6.rar |
| RFQ – Automotive Industry – 5 special drawing Item – SOP: 2023-2030 – | RFQ – Automotive Industry.arj |
| Statement 000116057 TORKY SUPPLIES OFFICE | Statement 000116057 TORKY SUPPLIES OFFICE pdf.zip |
| Request | PV285.img |
| cool photo imortant | privatephotos.scr |
| saipan star/CTM USD50000 | USD50000.docx |
| Wire transfer receiot | Receipt.doc |
| RE : PO FOR NEW ORDER ##2029 AND #5811 | order_2023.pdf.GZ |
| Re[5]: super smart photo very important | wild__images.pif |
| RFQ _Draft 08/03/032023 | mSDPG5zv9nN0nP9.zip |
| ST51093Y1 | ST51093Y10.ISO |
| Re: Inquiry | Quote_3500001233.img |
| AW: PO-000001306 | PO-000001306.r09 |
| New Order | NEW PO-4500123380_03062023.zip |
| PO NO.PO03238012, | PO NO.PO03238012,.rar |
| Order-Dated 03-01-2023 | Enquiry2314.xls |
| DHL Notification | DHL Notification_pdf.rar |
| 50% Remittance Advise | Remittance_Advise.xls |
| Re: RFQ # GC-20230203 | RFQ # GC-20230203L.r09 |
| Revised Ghani Value Glass new order – SG Industries 100/24150### | PI WIith Size is 6×5.xls |
| Fwd: Payment Release (GBS LOGISTICS) | UPDATED SOA [REF CF005451] 2223.xls |
| RE: Reminder For Due Payment | Payment Advice 232-52126620A.xls |
| Quotation is Requested | petronas 1.rar |
| LEGAL ACTION ON YOUR COMPANY FOR LONG OVERDUE INVOICE | Overdue.img |
| Informe de pago | pago de la ..factura 11-369013.PDF.img |
| Ref:103XXXXX Shipment of Original Documents. | DHL SHIPMENT NOTIFICATION.r09 |
| super wonderful photos just for you | sex_action.jpg.scr |
| Your DHL Parcel Has Arrived | DHL.zip |
| YOUR EMPLOYMENT STATUS | SALARY RECEIPT.img |
| QUOTATION | 6857b4c0-c3c7-11ed-961c-44a842253043.zip |
| Re: | HT1257299241547541310_202303081211.zip |
| MIME-Version: 1.0 | 266384963218743472978941034.zip |
| Supply of 3DC Project Marterials | 3DC Project Marterials.rar |
| Re[4]: super beautiful photo | bestscene.exe |
| FW: documentos solicitados | Documentos66548864.pdf.img |
| Eccentric Plug valve Technical DataSheet | Technical DataSheet.pdf.iso |
| RE: NUEVA ORDEN DE COMPRA 004799 | ORDEN 004799 ROQUE.IMG |
| beautiful picture | thepctrs.exe |
| smart pictures | thephotos.gif.scr |
The ASEC analysis team has selected keywords that users must look out for, based on the distribution cases above. If these keywords are included in the subject of the email, or if the same characteristics are found, users must exercise strict caution as they may be phishing emails from threat actors.
Keywords to Beware of: ‘PO (Purchase Order)’
The keywords of this week are ‘PO (Purchase Order)’. Generally, when doing business with companies overseas, purchase orders (PO) with a list of purchases are sent. These purchase orders are assigned with numbers for business management. The threat actor impersonated the vendor to send a fake PO number along with a FakePage (HTML) file as an attachment. This file was disguised as a PDF login page and the email requests the user’s account credentials. The phishing page asks for the user’s ID and password with a blurry image of what can be assumed to be an order in the background, but users are advised to not input their ID and password as the information will be leaked to the threat actor’s server.
- Threat actor’s server: hxxps[:]//experiaevents[.]in/italianpay/next.php
Phishing emails using the above server have been distributed to many users, and there have been more than 200 cases of access history to the server during the period from March 8th to March 17th. Although it isn’t certain whether the users’ credentials have been extorted, we assume that the majority of the recipients of the emails have opened the attachment.
FakePage C2 URL
When users enter their IDs and passwords on the login pages among the FakePages created by the threat actor, their information is sent to the attacker’s server. The list below shows the threat actor’s C2 addresses of fake login pages distributed during the week.
- hxxps[:]//experiaevents[.]in/italianpay/next.php
- hxxps[:]//formspree[.]io/f/xdovzjlo
- hxxps[:]//submit-form[.]com/OIIpXOTl
- hxxps[:]//daca[.]hostedwebsitesystem[.]com/vendor/phpunit/phpunit/src/Util/Log/index/index/spam/FedExpress[.]php
- hxxps[:]//formspree[.]io/f/mjvdynwp
- hxxps[:]//formspree[.]io/f/xwkjbjgo
- hxxps[:]//formspree[.]io/f/myyakjqr
- hxxp[:]//martinamilligan[.]co[.]business/ono/fdx[.]php
- hxxps[:]//clinicacarlosgomes[.]med[.]br/wp-admin/kal/fte
- hxxps[:]//formspree[.]io/f/mzbqgqyp
- hxxps[:]//mallarg[.]tk/lp/fte[.]php
- hxxps[:]//seafordrotary[.]org[.]au/Eppdff[.]php
- hxxps[:]//k2-server[.]duckdns[.]org/roundbuk/pdf[.]php
- hxxps[:]//cupertinochiropracticcenter[.]com/index/FedExpress[.]php
- hxxps[:]//zenkoren[.]itigo[.]jp//cgi-bin/123/cloudlog[.]php
- hxxps[:]//huntingfieldlodge[.]com[.]au/Aa/Excel22[.]php
- hxxps[:]//formspree[.]io/f/mnqyznyy
- hxxps[:]//mgffomento[.]com[.]br/wp-admin/dd/postdhll[.]php
- hxxps[:]//holisticfacades[.]com[.]ng/wp-includes/aa/feed[.]php
- hxxps[:]//dissertational-spee[.]000webhostapp[.]com/wp-admin/purchase/pdf[.]php
Attacks using phishing emails are disguised with content that can easily deceive users, such as invoices and tax payments, to induce users to access fake login pages or execute malware. Fake login pages are evolving by the second to closely resemble the original pages. The attackers pack malware in compressed file formats to escape the attachment scans of users’ security products. Users must practice strict caution and refer to recent cases of distribution to avoid being exposed to infection by malicious phishing emails. The ASEC analysis team recommends users follow the email security guidelines below.
- Do not execute links and attachments in emails from unverified senders until they are proven to be credible.
- Do not enter sensitive information such as login account credentials until the site is found to be reliable.
- Do not execute attachments with unfamiliar file extensions until they are found to be reliable.
- Use security products such as antimalware software.
According to the MITRE ATT&CK framework, phishing email attacks correspond to the following techniques.
- Phishing for Information (Reconnaissance, ID: T1598[1])
- Phishing (Initial Access, ID: TI1566[2])
- Internal Spearphishing (Lateral Movement, ID:T1534[3])
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Source: https://asec.ahnlab.com/en/49839/
Views: 0