The ASEC analysis team introduced ‘phishing websites targeting Korean email service users’ in May of last year through a TI analysis report and an ASEC blog post. At the time, the team showed how the attackers stole the credentials of users of NAVER WORKS, MAILPLUG, hiworks, Chollian, and Daum.
Files disguised as a company groupware login page in order to steal account credentials are one of the most common phishing types in circulation, with only slight variations in the email subject, body, attachment name, script code, and so on.
The current attackers also disguise their files as groupware products commonly used by Korean users, but this time they use a simpler method: the same script file is renamed to suit each recipient. The team also found multiple files impersonating NAVER WORKS, hiworks, Microsoft Outlook, and Microsoft SharePoint that use a similar script code format.
The table below lists the file names found so far and the dates they were discovered. Most of the file names include a company name, and they come in various forms such as requests for quotation, purchase orders, contracts, and order forms. Two of the files are notable in that the company name in each was changed at least 5 times before distribution. Some of the files are present on VirusTotal but were not detected by any other vendor at all, so users could easily mistake them for normal files.
For instance, files with the same hash may be distributed under different names, such as ‘** Science_positive request form.htm,’ ‘** Ecotech.htm,’ and ‘** Factory (Inc.) request for quotation.htm’. There have also been cases where script files with different hashes but a similar format were distributed under the same file name. The malicious part of the script is discussed in more detail at the bottom of this post.
| File Name | Date | File Name | Date |
|---|---|---|---|
| (Used an abbreviated form of Purchase Order, P.O) | December 20th, 2021; December 22nd, 2021 | ** Ecotech.htm | January 26th, 2022 |
| ** Factory (Inc.) request for quotation.htm | December 24th, 2021 | authenticationsharepointazon.htm | January 11th, 2022 |
| ** Technology (Inc.) (order list.htm | December 28th, 2021 | (Inc.) ** Tech (inquiry for quotation).htm | December 20th, 2021; December 27th, 2021; January 19th, 2022; January 20th, 2022 |
| ** Industry (Inc.) contract.htm | January 4th, 2022 | ** Science_positive request form.htm | December 17th, 2021; January 23rd, 2022 |
| ** Industry. (order form).htm | January 19th, 2022 | (Inc.) ** request for quotation (20210608).htm | January 14th, 2022; January 25th, 2022; January 26th, 2022 |
| DOC Q0017 3509.html | January 24th, 2022 | **** Technology (Inc.)(order form).htm | December 29th, 2021; January 4th, 2022; January 6th, 2022 |
When the HTML file attached to the phishing mail is opened, a login page impersonating one of several groupware products appears, as shown below. Because it is difficult to tell the fake pages from the real ones, users should take extreme caution.
Comparing the script code of the phishing file with that of the normal NAVER WORKS login page in a text editor shows that the script code shown above has been appended at the bottom.
The attacker used a different credential-collection URL for each impersonated service, as shown below, most likely so as to know which fake login page a captured credential was entered on. In fact, there have been multiple reports since last year of domains on the ngrok.io platform being used for phishing.
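A mail-gateway or triage check for the pattern described above (an HTML attachment that shows a groupware-branded login form and sends the entered credentials to an external host, with ngrok.io as a high-signal tunnel domain). This is an added example, not code from ASEC or from the phishing files; the sample HTML, the brand marker list and the `abcd1234.ngrok.io` host are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_MARKERS = ("naver works", "hiworks", "outlook", "sharepoint")  # assumed list
TUNNEL_HOSTS = ("ngrok.io",)  # tunneling platform named in the post
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)


class AttachmentScanner(HTMLParser):
    """Collects password fields, submission targets and visible text from an HTML file."""

    def __init__(self):
        super().__init__()
        self.password_field = False
        self.targets = set()   # form actions and absolute URLs found inside <script>
        self.text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_field = True
        if tag == "form" and a.get("action"):
            self.targets.add(a["action"])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.targets.update(URL_RE.findall(data))  # appended script, as in the post
        else:
            self.text.append(data)


def scan_html_attachment(html):
    """Flag an HTML attachment that has a password field and posts to a remote host."""
    p = AttachmentScanner()
    p.feed(html)
    body = " ".join(p.text).lower()
    brands = [b for b in BRAND_MARKERS if b in body]
    hosts = {urlparse(u).hostname for u in p.targets if urlparse(u).hostname}
    tunnels = sorted(h for h in hosts if h.endswith(TUNNEL_HOSTS))
    verdict = "suspicious" if p.password_field and hosts else "clean"
    return {"verdict": verdict, "brands": brands, "hosts": sorted(hosts), "tunnel_hosts": tunnels}


# Constructed sample: branded login form plus a script at the bottom that names an external host.
SAMPLE = """<html><body><h1>NAVER WORKS</h1>
<form id="f"><input name="id"><input type="password" name="pw"><button>Login</button></form>
<script>var target = "https://abcd1234.ngrok.io/works";</script></body></html>"""
```

A clean HTML attachment with no password field, or a form that only posts back to itself, comes out as `clean`; any branded login page that names a remote host is worth blocking or sandboxing.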
Because legitimate groupware images are used, users may be confused, but they should still refrain from entering account credentials on a web page opened from an email attachment. If you receive a suspicious email and use the groupware mentioned in it, it is recommended to log in through the official groupware website in your web browser instead.
You should also keep the anti-malware product you use updated to its latest version.
AhnLab’s anti-malware product, V3, detects and blocks the malicious script files introduced in this post using the aliases below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.