The ASEC analysis team monitors phishing email threats with the ASEC automatic analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 13th, 2022 to November 19th, 2022 and provide statistical information on each type. Additionally, we will introduce new types that were not detected before as well as emails to be cautious of with keywords to minimize harm to users. The phishing emails covered in this post will only be those that have attachments. Emails that have malicious links in the body without attachments will be excluded.
During this week, the most prevalent threat type seen in phishing email attachments was Infostealer (29%). Infostealers such as AgentTesla and FormBook steal user credentials saved in web browsers, email clients, and FTP clients.
This was followed by downloaders (28%), which include loaders such as SmokeLoader and GuLoader, and then by fake login pages (FakePage, 26%). Fake login pages are web pages where the threat actor has imitated the screen layout, logo, and font of the real website, leading users to enter their account and password information. The input information is sent to the threat actor’s C2 server. Refer to <Fake Login Page C2> below.
Aside from these, Trojan (8%), Backdoor (5%), Worm (2%), and Exploit (2%) types were detected. The threat types using phishing email attachments and their order of prevalence are similar to the order of malware distribution published weekly in the <ASEC Weekly Malware Statistics>. This shows that phishing emails (ID: T1566) used for initial access (ID: TA0001) affect the overall malware distribution.
File Extensions in Phishing Emails
We have checked which file extensions were used by the threats above for the distribution of email attachments. As fake login pages are web page scripts that must be executed with a web browser, they were distributed with HTML, SHTML, and HTM file extensions. Other malware, including Infostealer and downloader, came attached to emails with various file extensions including compressed files (ZIP, R00, GZ, RAR, XZ, etc.), IMG disk image files, and XLS document files. With the exception of fake login pages, which have to be web page script files, other malware was distributed with a variety of file extensions regardless of the threat type.
Cases of Distribution
The following are distribution cases that occurred during the week from November 13th, 2022 to November 19th, 2022. The cases will be classified into fake login pages and malware types, including Infostealer, Downloader, Exploit, and Backdoor. The numbers that appear in email subjects and in the attachment file names are generally unique ID values, and they can differ according to the email recipient. Distribution cases with Korean subjects were also found. These are cases that specifically targeted Korean users instead of propagating globally using the same English subject and text.
Case: Fake Login Pages (FakePage)
| Email Subject | Attachment File Name |
|---|---|
| 4_Payment Copy | Payment Copy.html |
| FW NEW ORDER AND VENDOR FORM WITH CONTRACT | VENDOR FORM-INVOICE.shtml |
| FW overdue payments. | overdue payments.html |
| Fw SWIFT TELEX TRANSFER NOTIFICATION for jennifer.villanueva | SWIFT TELEX TRANSFER FX FOR -jennifer.villanueva.html |
| Order for Mesh trays | ORDER.html |
| PO PT. KTI (RFQ) 13.11.2022 | PO_List(18)_pdf.htm |
| RE TW -WIRE TRANFER-088408 | Balance payment for invoice.shtml |
| Re Wire Confirmation | Wire transfer.htm |
| RE [External] Wire Confirmation | wire swift copy.htm |
| TR DEVIS + FACTURE 14 Nov 2022 | DEVIS+FACTURE.shtml |
| You have received Business 3 documents in folder shared with you!! | Dropbox.Html |
Case: Malware (Infostealer, Downloader, etc.)
| Email Subject | Attachment File Name |
|---|---|
| nquiry bill and purchase order number. #1ZBL2D | Inquiry #140220.pdf.UUE |
| DHL CARGO ARRIVAL NOTICE | SHIPPING DOC.zip |
| Dhl Express Shipping_Original_Document | CH_O_120795439441.PDF.BZ2 |
| Due Reminder_ OCC_DUNNING_ID00534996 MAERSK | DUNNING OCC_10465702945_3761230191.Gz |
| Entrega a pedido de DHL | documentos DHL.img |
| Fw URGENT Invoice_72_142 | DOC Reference invoice_72_1421.rar |
| Fwd: Re: REMITTANCE | REMITTANCE SLIP 042xxxTRF.gz |
| INVOICE 221009 DOCUMENT REVISED SHCIPS | INVOICE 221009.zip |
| invoice 80022# – international offshore services jsc | INV-80022.xls |
| NEW INQUIRY FOR YOUR AVAILABLE PRODUCTS | new inquiry.img |
| Payment Advice – Ref: [HSBC1057029141] /RFQ Priority Payment / Customer Ref: [PI10771QT90] | HSBC Payment Advice_pdf.xz |
| Pepsico LLC RFQ P1002518 | Pepsico LLC RFQ Information.IMG |
| Re Order | Sales Order Quotation_20221115_145947.img |
| RE pedido de muestras de productos | pedido de muestras de productos pdf.exe.xz |
| Re Quotation | Quotation UBG361Q.img |
| Re: Inquiry | 1069820220531MES_S Quote.img |
| Re: Wire Confirmation and Invoice questions | Wire Confirmation New Order and Invoice.PDF.GZ |
| RE:RFQ_Lenz Global Imports Inc | RERFQ_Lenz Global Imports InR-000c PDF.r00 |
| Re: smart photo | wildphot.pif |
| RFQ_Lenz Global Imports Inc | RFQ+Lenz Global Imports IncPDF.r00 |
| RFQ1000AQMM General Trading LLC.pdf | (RFQ1000AQMM General Trading LLC.pdf.r01 |
The ASEC analysis team has selected keywords that users must look out for, based on the distribution cases above. If these keywords are included in the subject of the email, or if the same characteristics are found, users must exercise strict caution as they may be phishing emails from threat actors.
Keyword to Beware of: ‘Payment Copy‘
This keyword was included in Korean email subjects, where the sender was masquerading as an employee of a company. The email attempted to deceive users with content about a ‘payment copy’ and carried a fake login page, “Payment Copy.html”, as its attachment. When the attachment is opened, a page is loaded that prompts the user to log in to their mailbox in order to view the Excel file online.
Keyword to Beware of: Uncommon File Extensions (‘UUE’, ‘R00’, ‘XZ’, ‘BZ2’) on Attachments
Malware was also distributed as compressed files with quite uncommon file extensions such as ‘UUE’, ‘R00’, ‘XZ’, and ‘BZ2’. The case below shows an attachment with the UUE file extension and the filename “Inquiry #140220.pdf.UUE”. Despite its extension, this UUE file is actually a RAR archive and contains a malicious EXE executable. The executable inside is AgentTesla, a type of Infostealer.
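As an added, defender-side illustration (not ASEC's own tooling), the following Python triage routine applies the checks described above to an attachment's file name and first bytes: a web page extension, an uncommon archive extension, a double extension, and a mismatch between the claimed extension and the real container, as with the UUE file that was actually RAR. The sample headers are constructed, not captured from real mail.

```python
from dataclasses import dataclass, field

# Leading bytes of the container formats behind the extensions seen this week.
# Prefix b"Rar!\x1a\x07" covers both RAR4 and RAR5 headers.
MAGIC = {
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gz",
    b"\xfd7zXZ\x00": "xz",
    b"BZh": "bz2",
    b"MZ": "exe",  # PE executable; what a .pif attachment usually really is
}
RAR_EXTS = {"rar", "r00", "r01"}          # split RAR volumes share one magic
UNCOMMON = {"uue", "r00", "r01", "xz", "bz2", "pif", "img"}
WEB_PAGE = {"html", "htm", "shtml"}       # fake login pages arrive this way
DOC_LIKE = {"pdf", "xls", "doc", "docx", "xlsx", "exe"}


@dataclass
class Verdict:
    name: str
    flags: list = field(default_factory=list)


def sniff(head: bytes) -> str:
    """Return the container type implied by the first bytes, or '' if unknown."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return ""


def triage(name: str, head: bytes) -> Verdict:
    """Flag the attachment traits the weekly cases above illustrate."""
    v = Verdict(name)
    parts = name.lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""   # e.g. 'pdf' in x.pdf.uue
    if ext in WEB_PAGE:
        v.flags.append("web page attachment (possible fake login page)")
    if ext in UNCOMMON:
        v.flags.append(f"uncommon extension .{ext}")
    if inner in DOC_LIKE:
        v.flags.append(f"double extension .{inner}.{ext}")
    actual = sniff(head)
    if actual and actual != ext and not (actual == "rar" and ext in RAR_EXTS):
        v.flags.append(f"extension .{ext} but content is {actual}")
    return v
```

The RAR-volume exception keeps a genuine .r00 part from being reported as a mismatch, so only a container that contradicts its extension is flagged.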
Fake Login Page (FakePage) C2 URL
If a user enters their account and password into the fake login page created by the threat actor, the information is sent to the threat actor’s server. The list below shows the threat actor’s C2 addresses of fake login pages distributed during the week.
Preventing Phishing Email Attacks
Attacks using phishing emails are disguised with content that can easily deceive users, such as invoices and tax payments, to induce users to access fake login pages or execute malware. Fake login pages are evolving over time to more closely resemble the original pages. Malware is packed into compressed file formats to bypass the attachment scans of security software. Users must practice strict caution and refer to recent cases of distribution to avoid being exposed to infection by malicious phishing emails. The ASEC analysis team advises the following email security measures.
- Links or attachments in emails from unverified senders must not be executed until proven to be credible.
- Sensitive information such as login account credentials must not be entered until the place of input can be trusted.
- Attachments with unfamiliar file extensions must not be executed until they can be trusted.
- Security products including antivirus software must be used.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.