Multiple malicious emails with the title ‘Request for Purchase Order’ are being distributed to multiple companies. These spam mail attacks, which were first distributed in the second half of last year to random companies with the purpose of stealing user account, are still being distributed. To steal a user’s company email account, the attacker either prompted the users to access a phishing web page, or distributed executable of Lokibot, the info-stealer malware. So far, two titles are found in the malicious emails: ‘Case of Purchase Order’ and ‘Case of Purchase Order (Date).’
Below is an email sent to a press company on January 26.

As shown above, the two HTML pages are attached to the email. These files are identical but have different names, and when either of the pages is run via a browser, the script within redirects the users to a malicious web page. The URL is a phishing web page where the user’s email account information is entered. The attacker used domain services such as dynamics.com and appdomain.cloud to prompt the users to connect to the phishing website. Currently, access to this website is denied.


All the emails titled ‘Request for Purchase Order’ have almost identical content, but malware distributed via each of these emails took various form, not limited to the phishing web page. The following are the emails that were sent to various companies in December last year and January this year. 2 types of emails were found: one with user info-stealer malware Lokibot compressed within cab files, and the other including a link that connects the user to a phishing website without attachment.

The attacker used a random sender address each time when distributing these malicious emails, and attached info of an existing company as a signature at the bottom of the emails to raise credibility. Since it is difficult to determine whether the email is malicious or not just by reading its content, users must be more vigilant than ever when they receive emails.
AhnLab’s anti-malware product V3 blocks user access to malicious phishing web pages of which it is aware. Furthermore, V3 detects malicious executables attached to malicious emails.
[Relevant IoC Info]
hxxp://3ed0f0b3374045c6a070fab2ff5b7cb9.svc.dynamics.com/t/r/9GdzKEPlbJOQ7lLvUCw4HVvEfzi6kDuLh-WBcg-1530
hxxp://74979917813600271.eu-gb.cf.appdomain.cloud
c3d7bc074471fec9ba09563d32ea1661
205d61917224948322a8967b297a0b58
Categories:Malware Information