Emails Impersonating Shipping Companies Distributed as ‘Guide on Submitting Import Clearance Info’

ASEC (AhnLab Security Emergency response Center) has recently discovered malicious emails impersonating shipping companies being distributed in Korea. These emails prompt users to open the attached file with the subject ‘Submitting import clearance info’. Considering that the attached HTML’s filename starts with ‘DHL_Korea’, it can be concluded that the email is being distributed to Korean targets.

Figure 1. Original email

This disguised email has a login page in the attached HTML file. When a user logs in this page, an Excel file uploaded to a personal OneDrive cloud storage account is opened.

Figure 2. Login screen disguised as a shipping company’s page

When a user opens the attached HTML, the login page they are connected to leaks the password they enter to the server below.

Figure 3. Information leak address in the HTML web source

  • Information leak address: hxxps://lucent-fittings.000webhostapp[.]com/action.php    

Figure 4. Excel file that is connected through the OneDrive link

After the user attempts to login, they are directed to an Excel file uploaded to a personal OneDrive cloud storage account. However, the Excel file connected to the link cannot be opened because it exceeds the file size limit. The screen that connects to the Excel file was designed to deceive users, making it difficult for users to immediately realize that they were phished after they entered their account credentials.

Figure 5. Original email of the customs clearance status verification request

Similar to the aforementioned ‘Submitting import clearance info’ phishing email, another email that asks for users’ customs clearance verification status was found. When the attachment is opened, a screen that makes users believe they were connected to a PDF file can be seen. The URL connected to the Open button is currently inaccessible, but it has been confirmed that the GuLoader malware was downloaded when the address could be accessed.

Figure 6. Malicious PDF which downloads additional malware (Open button)

Due to the recent distribution of phishing emails related to import clearance, users must be particularly cautious before entering their account credentials or when opening attached files. Currently, V3 products detect and block the files mentioned in this post using the following aliases.

[File Detection]

  • Phishing/HTML.FakeMS.S2082 (2023.01.19.00)
  • Trojan/PDF.Generic (2023.02.10.02)
  • Trojan/Win.GuLoader.C5379004 (2023.02.11.00)

[Relevant IOC Info]

  • c2b8db7362020b321870e649b05f12fb
  • e49967b8d499bb593cf44026aa79871b
  • 7739ebe59ba934f4887d70e4a4d31d6a
  • hxxps://lucent-fittings.000webhostapp[.]com/action.php
  • hxxp://31.42.184[.]26/PDF.gz

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:

5 1 vote
Article Rating
Notify of

Inline Feedbacks
View all comments