ASEC Weekly Phishing Email Threat Trends (November 13th, 2022 – November 19th, 2022 )

The ASEC analysis team monitors phishing email threats with the ASEC automatic analysis system (RAPIT) and Honeypot. This post will cover the cases of distribution of phishing emails during the week from November 13th, 2022 to November 19th, 2022 and provide statistical information on each type. Additionally, we will introduce new types that were not detected before as well as emails to be cautious of with keywords to minimize harm to users. The phishing emails covered in this post will only be those that have attachments. Emails that have malicious links in the body without attachments will be excluded.

Phishing Emails

During this week, the most prevalent threat type seen in phishing email attachments was Infostealer (29%). Infostealer includes AgentTesla and FormBook, where it steals user credentials saved in web browsers, emails, and FTP clients.

Then, it was followed by downloader (28%), which includes loaders such as SmokeLoader and GuLoader, and then by fake login pages (FakePage, 26%). Fake login pages are web pages where the threat actor has imitated the screen layout, logo, and font of the real website, leading users to enter their account and password information. The input information is sent to the threat actor’s C2 server.Refer to <Fake Login Page C2> below

Aside from these, Trojan (8%), Backdoor (5%), Worm (2%), and Exploit (2%) types were detected. The threat types using phishing email attachments and their order of prevalence are similar to the order of malware distribution published weekly in the <ASEC Weekly Malware Statistics>. This shows us that phishing emails (ID: T1566[1]) used in the attack’s initial access (ID: TA0001[2]) affects the overall malware distribution.

File Extensions in Phishing Emails

We have checked which file extensions were used by the threats above for the distribution of email attachments. As fake login pages are web page scripts that must be executed with a web browser, they were distributed with HTML, SHTML, and HTM file extensions. Other malware, including Infostealer and downloader, came attached to emails with various file extensions including compressed files (ZIP, R00, GZ, RAR, XZ, etc.), IMG disk image files, and XLS document files. With the exception of fake login pages which have to be web page script files, other malware were distributed with a variety of file extensions regardless of the threat type.

Cases of Distribution

The following are distribution cases that occurred during the week from November 13th, 2022 to November 19, 2022. The cases will be classified into fake login pages and malware types, including Infostealer, Downloader, Exploit, and Backdoor. The numbers that appear on email subjects and in the attachment file names are generally unique ID values, and they can differ according to the email recipient. Distribution cases with Korean subjects were also found; These are cases that specifically targeted Korean users instead of propagating themselves globally using the same English subject and text.

Case: Fake Login Pages (FakePage)

Email Subject Attachment
4_Payment Copy Payment Copy.html
DHL COPY_20221117_0713.eml SHIPMENT.html
FW overdue payments. overdue payments.html
Fw SWIFT TELEX TRANSFER NOTIFICATION for jennifer.villanueva SWIFT TELEX TRANSFER FX FOR -jennifer.villanueva.html
INVOICE_20221115_2354.eml INVOICE.html
Order for Mesh trays ORDER.html
PO PT. KTI (RFQ) 13.11.2022 PO_List(18)_pdf.htm
RE TW -WIRE TRANFER-088408 Balance payment for invoice.shtml
Re Wire Confirmation Wire transfer.htm
RE [External] Wire Confirmation wire swift copy.htm
You have received Business 3 documents in folder shared with you!! Dropbox.Html

Case: Malware (Infostealer, Downloader, etc.)

Email Subject Attachments
nquiry bill and purchase order number. #1ZBL2D Inquiry #140220.pdf.UUE
Dhl Express Shipping_Original_Document CH_O_120795439441.PDF.BZ2
Due Reminder_ OCC_DUNNING_ID00534996 MAERSK DUNNING OCC_10465702945_3761230191.Gz
Entrega a pedido de DHL documentos DHL.img
Fw URGENT Invoice_72_142 DOC Reference invoice_72_1421.rar
Fwd Invoice Invoice_0014112022.jpeg.img
invoice 80022# – international offshore services jsc INV-80022.xls
Payment Advice – Ref: [HSBC1057029141] /RFQ Priority Payment / Customer Ref: [PI10771QT90] HSBC Payment Advice_pdf.xz
Pepsico LLC RFQ P1002518 Pepsico LLC RFQ Information.IMG
Re Order Sales Order Quotation_20221115_145947.img
RE pedido de muestras de productos pedido de muestras de productos pdf.exe.xz
Re Quotation Quotation UBG361Q.img
Re: Inquiry 1069820220531MES_S Quote.img
Re: Wire Confirmation and Invoice questions Wire Confirmation New Order and Invoice.PDF.GZ
RE:RFQ_Lenz Global Imports Inc RERFQ_Lenz Global Imports InR-000c PDF.r00
Re[4]: smart photo wildphot.pif
RFQ rfqtxls.rar
RFQ_Lenz Global Imports Inc RFQ+Lenz Global Imports IncPDF.r00
RFQ1000AQMM General Trading LLC.pdf (RFQ1000AQMM General Trading LLC.pdf.r01
TT/COPY_18112022 18112022TTcopy.rar

The ASEC analysis team has selected keywords that users must look out for, based on the distribution cases above. If these keywords are included in the subject of the email, or if the same characteristics are found, users must exercise strict caution as they may be phishing emails from threat actors.

Keyword to Beware of: ‘Payment Copy

This was included in Korean email subjects, where the sender was masquerading as an employee of a company. It attempted to deceive users with content about a ‘payment copy’ and was attached with a fake login page, “Payment Copy.html”. When the attachment is executed, a page is loaded and prompted the user to log in to their mailbox to view the Excel file online.

Keyword to Beware of: Uncommon File Extensions (‘UUE’, ‘R00’, ‘XZ’, ‘BZ2’) on Attachments

Malware were also distributed as compressed files with quite uncommon file extensions such as ‘UUE’, ‘R00’, ‘XZ’, and ‘BZ2’. The case below shows an attachment with the UUE file extension with the filename, “Inquiry #140220.pdf.UUE”. This UUE file is actually a RAR compressed file and includes a malicious EXE executable. The executable inside is AgentTesla, a type of Infostealer.

Fake Login Page (FakePage) C2 URL

If a user enters their account and password into the fake login page created by the threat actor, the information is sent to the threat actor’s server. The list below shows the threat actor’s C2 addresses of fake login pages distributed during the week.

  • hxxps://
  • hxxps://
  • hxxps://
  • hxxp://
  • hxxps://
  • hxxps://
  • hxxps://
  • hxxps://

Preventing Phishing Email Attacks

Attacks using phishing emails are disguised with content that can easily deceive users, such as invoices and tax payments, to induce users to access fake login pages or execute malware. FakePages are evolving more over time to closely resemble the original pages. Malware are packed into compressed file formats, bypassing the attachment scans of security software. Users must practice strict caution and refer to recent cases of distribution to avoid being exposed to infection by malicious phishing emails. The ASEC analysis team advises the following email security measures.

  • Links or attachments in emails from unverified senders must not be executed until proven to be credible.
  • Sensitive information such as login account credentials must not be entered until the place of input can be trusted.
  • Attachments with unfamiliar file extensions must not be executed until they can be trusted.
  • Security products including antivirus software must be used.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Tagged as:

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments