One of the most frequently used methods for distributing malware is the phishing e-mail. The ASEC analysis team has introduced specific phishing attacks as well as the types of phishing e-mails in previous blog posts.
Similar to the previous cases, the team has found a phishing e-mail that aims to steal Daum account credentials. Considering that the e-mail has a specific university set as both its sender and recipient (see Figure 1), it appears to have been written to collect the account credentials of a specific target.
The e-mail disguises itself as a purchase order and tricks the user into running the attached HTML file and entering their account credentials. The page on the left of the figure below is displayed when the attached HTML script is run. There is a clear difference when compared to the normal login screen on the right, but it can easily be mistaken for the normal page when the script is opened without a second thought.
When the user enters their ID and password and clicks the login button, the credentials are sent to a specific address. The leaked ID and password, together with the country of access and the access time, are saved to a server built by the attacker, as shown below.
- Info-leaking URL: hxxps://bo***ken**[.]com/start/startup/setup/dkuboinsd.php
- Collected information upload URL: hxxps://bo***ken**[.]com/start/startup/setup/name.txt
As shown above, even when an e-mail comes from a seemingly reliable sender, users must take extra caution when opening an attachment or a URL inside the message. Also, V3 should be updated to the latest version to prevent malware infection in advance. AhnLab's anti-malware solutions detect and block the script files above using the following alias.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.