ASEC (AhnLab Security Emergency response Center) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypots. This post covers the phishing emails distributed during the week from February 19th, 2023 to February 25th, 2023 and provides statistics for each threat type. Phishing is generally described as an attack that steals users' login credentials by disguising as or impersonating an institution, company, or individual through social engineering. More broadly, it is a technical deception that enables a threat actor to carry out information theft, malware distribution, and fraud against a range of targets. This post focuses on the fact that phishing attacks mainly arrive by email and classifies the attack methods that rely on phishing emails. To help minimize user damage, it also introduces newly observed attack types and emails that warrant caution, along with their keywords. Only phishing emails with attachments are covered; emails whose body contains malicious links but no attachment are excluded.
During this week, the most prevalent threat type among phishing email attachments was FakePage, at 68%. FakePages are web pages on which the threat actor imitates the screen layout, logo, and font of real login or advertising pages to lead users into entering their account and password information. The entered information is sent to the threat actor's C2 server or used to redirect users to other fake websites (see <FakePage C2 URL> below). It was followed by Infostealer, at 26%. Infostealers such as AgentTesla and FormBook leak user credentials saved in web browsers, email clients, and FTP clients. Third was Downloader (9%), which includes loaders such as SmokeLoader and GuLoader. Aside from these, Trojan (9%), Exploit (2%), and Worm (1%) types were detected. The order of prevalence of threat types delivered through phishing email attachments is similar to the order of malware distribution published weekly in <ASEC Weekly Malware Statistics>.
File Extensions in Phishing Emails
We have identified which file extensions the threats above used for their email attachments. Notable this week is the variety of compressed-file extensions used to hide malware: a total of 11 different extensions were seen, namely ZIP, R00, RAR, R01, R17, GZ, DAA, XZ, Z, ACE, and LZH. (R00, R01, and R17 are volumes of split RAR archives; a scanner that inspects one volume alone sees only part of the payload.) FakePages were distributed as web page scripts (HTML, HTM, SHTML) that must be opened in a web browser. Other malware, including Infostealers and Downloaders, arrived with various file extensions including compressed files (ZIP, R00, RAR), IMG disk image files, and DOCX and PDF document files.
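As an added example (not ASEC's tooling or the page's own code), the following Python script triages an attachment by filename and, when available, by its leading bytes, against the patterns described above: the unusual archive extensions, split RAR volumes (.r00, .r01, .r17), a decoy document token buried before the real extension (Payment copy.pdf.html, priv_photos.gif.exe, Purchase Order,xlsx.zip), and a declared extension that disagrees with the file's magic bytes. The filenames are taken from the distribution tables on this page; the byte samples, the category sets, and the block/detonate/scan policy are constructed assumptions, not ASEC's.

```python
"""
Attachment triage for the extension tricks seen in this week's samples.
Added example, not ASEC's code; byte samples and policy are constructed.
"""
import re

ARCHIVE_EXTS = {"zip", "rar", "gz", "daa", "xz", "z", "ace", "lzh", "7z", "iso", "img"}
WEB_SCRIPT_EXTS = {"html", "htm", "shtml"}                   # FakePage carriers
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "url", "lnk", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "one"}
SPLIT_VOLUME_RE = re.compile(r"^r\d{2}$")                     # old-style RAR volumes .r00 .. .r99
# a document/image extension hidden before the real one: "x.pdf.html", "x,xlsx.zip", "x-pdf.gz"
DECOY_TOKEN_RE = re.compile(r"[._,\- ](pdf|docx?|xlsx?|jpe?g|gif|png)(?=[._,\-])")

MAGIC = [                                    # signature at offset 0 -> container format
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),                # prefix shared by RAR4 and RAR5 signatures
    (b"\x1f\x8b", "gz"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"MZ", "exe"),
    (b"%PDF", "pdf"),
]
MAGIC_OK = {                                 # extensions that may legitimately carry each signature
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "rar": {"rar"}, "gz": {"gz"}, "xz": {"xz"}, "7z": {"7z"},
    "exe": {"exe", "scr", "com", "pif"}, "pdf": {"pdf"},
}


def sniff(data):
    """Return the container format implied by the leading bytes, or None."""
    for sig, fmt in MAGIC:
        if data.startswith(sig):
            return fmt
    return None


def triage(filename, data=None):
    """Classify one attachment by name and, if content is given, by magic bytes."""
    lowered = filename.lower()
    stem, dot, ext = lowered.rpartition(".")
    if not dot:
        stem, ext = lowered, ""
    flags = []
    if SPLIT_VOLUME_RE.match(ext):
        category = "archive"
        flags.append("rar_split_volume")     # this file alone holds only part of the payload
    elif ext in ARCHIVE_EXTS:
        category = "archive"
    elif ext in WEB_SCRIPT_EXTS:
        category = "web_script"
    elif ext in EXECUTABLE_EXTS:
        category = "executable"
    elif ext in DOCUMENT_EXTS:
        category = "document"
    else:
        category = "other"
        flags.append("uncategorised_extension")
    if DECOY_TOKEN_RE.search(stem + "."):
        flags.append("decoy_document_token")
    if data is not None:
        fmt = sniff(data)
        if fmt is None:
            flags.append("unrecognised_magic")
        elif ext not in MAGIC_OK[fmt] and not (fmt == "rar" and SPLIT_VOLUME_RE.match(ext)):
            flags.append("magic_mismatch:" + fmt)
    return {"filename": filename, "extension": ext, "category": category, "flags": flags}


def verdict(result):
    """Gateway decision: block outright, detonate in a sandbox, scan, or hand to a human."""
    if result["category"] == "executable" or any(
        f == "decoy_document_token" or f.startswith("magic_mismatch") for f in result["flags"]
    ):
        return "block"
    if result["category"] in ("archive", "web_script"):
        return "detonate"
    if result["category"] == "document":
        return "scan"
    return "review"


# Names from this week's tables; the bytes are constructed stand-ins for the real content
SAMPLES = [
    ("Payment copy.pdf.html", None),
    ("priv_photos.gif.exe", b"MZ\x90\x00" + bytes(60)),
    ("FedEx Express_ AWB# 102235516763.rar", b"Rar!\x1a\x07\x00" + bytes(60)),
    ("BL_CL-2838374_3494432_Docx.XZ", b"\xfd7zXZ\x00" + bytes(60)),
    ("Purchase Order,xlsx.zip", None),
    ("SKM20230216_$55580.88USD.ace", None),
    ("PO#47360.url", None),
    ("New Order.pdf", b"PK\x03\x04\x14\x00" + bytes(60)),        # constructed: a zip under a .pdf name
    ("Shipping Documents.r01", b"Rar!\x1a\x07\x00" + bytes(60)),  # constructed split-volume name
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        r = triage(name, data)
        print(f"{verdict(r):9} {r['category']:11} {r['flags']}  {name}")
```

The decoy check deliberately accepts commas, hyphens and underscores as separators, because the samples on this page use "Purchase Order,xlsx.zip", "...-pdf.gz" and "..._Docx.XZ" rather than a literal second dot. The magic check is only a first filter: disk images (IMG, ISO) and ACE archives carry no signature at offset 0 and are passed to the sandbox on extension alone.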
Cases of Distribution
The following are distribution cases observed during the week from February 19th, 2023 to February 25th, 2023. The cases are classified into fake login pages (FakePage) and malware types, including Infostealer, Downloader, Exploit, and Backdoor. The numbers in email subjects and attachment filenames are unique IDs and may vary by recipient. Cases with Korean subjects were also found; these specifically targeted Korean users rather than being propagated globally with an identical English subject and body.
Case: FakePage

| Email Subject | Attachment |
|---|---|
| Scan Data from FX-1C7D2_16thFeb23 | Scan Data from FX-1C7D2_16thFeb23.PDF |
| Advice on attach payment copy | HSBC WIRE PAYMENT.shtml |
| Fwd: Paid Outstanding Invoice | Paid Oustandingt.shtml |
| Original invoice customs clearance notification. | Original-invoice_jgj.htm |
| TNT – AWB 04592648 | 04592648.shtml |
| Original invoice customs clearance notice!!! | Original-invoice & PList_khkim1.htm |
| [FedEx] Notice on Import Tax Payment Deadline – (INV and AWB) | FedExDocument.html |
| Payment receipt On: Thursday, February 23, 2023 4:48 a.m. | Payment copy.pdf.html |
| [FedEx] Arrival Notice-Original Delivery Document | Shipping_Invoice.xls.htm |
| Order – PO2211000091 | Order – PO2211000091.htm |
| Original invoice customs clearance notification | Original-invoice & PList_bonhogu.htm |
| P23-0164 | Purchase Order P23-0164.html |
| INV+PYMNT+PO 546890 | INV+PYMENT+PO 9878 .HTML |
| BD 51 & SISAMO X STS OPERATION – SHINAS ANCHORAGE SHIPMENT | BD 51 SISAMO X STS OPERATION – SHINAS ANCHORAGE SHIPMENT.htm |
| Original Shipping Cargo – Proforma_Invoice/BL/Packing List | INV-2372-Shipping_documents-CERT-_BL_23072_PL-pdf.htm |
| Scan Data from FX-1C7D2_170223 | Scan Data from FX-1C7D2_172022.PDF |
| *DHL* e-Secure – Request of Your Correct Shipping Info For Your Pending Parcel*** | Consignment.htm |
| รายการ RFQ และตัวอย่าง (RFQ list and samples) | RFQ-2023.shtml |
| Hrt–0926381 Estimate | Hrt–0926381 Estimate-PDF.shtml |
| Lembrete de vencimento! – Pedido: 35306 (Due date reminder! – Order: 35306) | Truefriend Remittance.htm |
| SWIFT Payment has been scheduled to beneficiary on 06 FEB 2023 | invoice sheet.html |
| New Order | New Order.pdf |
| Sports equipments inquiry# 82100694 | MAIL-20230216256_82100694.pdf |
| FW: SHIPMENT ADVISE – ORIGINAL SCAN DOCUMENTS? | (DHL)Original BL,PL,CI_AWB#202207.pdf.htm |
| DHL Shipping Document/Invoice Receipt | Original_Shipping_DOC#AWB.html |
| DHL Shipment Notification | DHL–Express.html |
| All received emails have been deferred. | h******b.com.html |
| AWB – DISPATCH DOCUMENT | DOCUMENTOS INV AWB#.html |
| Mailbox Quota Exceeded Thursday, February 23, 2023 5:5 a.m. | Mailbox Storage Guide .html |
| Invoice Payment Processed:3015387043? | Order.html |
| Eu***Tech-Purchase Order Sending | PO-20023-****TECH.PDF.html |
| Hrt–0627286 Estimate | Hrt–0627286 Estimate.shtml |
Case: Malware (Infostealer, Downloader, etc.)
| Email Subject | Attachment |
|---|---|
| Re: very smart picture imortant | priv_photos.gif.exe |
| Hello. I am ***Hoon Cho, a researcher emceeing the first session of the Korean International **** Association Academic Conference. | [Attachment] Profile Template.doc |
| Shipping Documents | BL Draft and Shipping Documents.zip |
| New Quotations Request! | New Quotations Request.zip |
| LEGAL ACTION / LONG OVERDUE INVOICE | DETAILS AND INVOICES 1.IMG |
| NEW PO-5420918701_2023 | NEW PO-5420918701_2023.gz |
| LISTED MATERIALS NEEDED | MATERIALS NEEDED.7z |
| JANUARY STATEMENT OF ACCOUNT | swift copy $68,000.00.zip |
| RE:FedEx Notification of Arrival – AWB# 102235516763 | FedEx Express_ AWB# 102235516763.rar |
| Purchase Order for CNA 98%. | PO 144 AAA.gz |
| INTRODUCTION AND CATALOGUE OF TECHNOMED INDIA// | 2023 KOINAMED CATALOGUE.pdf.z |
| Re: Re: Re: Re: New order | Order specification.exe |
| Proof of transfer | dokazouplati.rar |
| RE: DDP AIR IMPORT FROM LHR-AMD | H-GB3001051.zip |
| Re: Re: Over due payment for optical@*******solution.co.kr | Agreement,Invoice&SwiftCopy.zip |
| Payment | Bank Payment & ORDER CONFIRMATION.img |
| DAMAGE GOODS/SETTLEMNET | DAMAGE GOODS.rar |
| ## New Order | ## New Oreder_Pdf.gz |
| Payment Advice – Advice Ref: | Payment Advice.xls |
| Urgent offer – Include freight price to – (Northern Orange county, Califonia) | 29744012.IMG |
| Payment information | US$16,082.10 Swift.docx |
| Lanieta Tuilakepa From Baklay Groups | Quotation & Sample designs.docx |
| Re: Re: invoice payment application | Re invoice payment2242023-pdf.gz |
| In arrears for 02-21-2023 # 7152607539 | PO#47360.url |
| Allaire Project -RFQ-FA2232023 | Allaire Project -RFQ-FA2232023.rar |
| funds for all inv. settled | SKM20230216_$55580.88USD.ace |
| Request for Quotation | ENQUIRY.IMG |
| RE: TDK ORDERS 05.02.2023 (IMPORT) | TDK AEGPO-000664-22-23.rar |
| RE: CL/140/2023//: Customs Clearance ///// BL_CI #SHIPPING – ATTENTION | BL_CL-2838374_3494432_Docx.XZ |
| TR: DEMANDE DE SWIFTS (SWIFT REQUEST) | DEMANDE DE SWIFTS (SWIFT REQUEST).rar |
| MV INLACO ACCORD / ETA: 20TH FEB ++ AGENT NOMINATION | DISCHG.IMG |
| Re:Reservation for Honeymoon | Reservas Details.docx |
| Fwd: New Order – Feb 2023 | Inquiry.zip |
| PO NO 0023 | PO NO 0023.zip |
| QUOTATION REQUEST – 22 / 02 / 2023 – 0025 | 5523-7767.doc |
| Send us your quotation ASAP | KOC2201123.rar |
| RE:FedEx Notification of Arrival – AWB# 102235516763; Need PIB documentations | FedEx Express_1022355160763.rar |
| 23190 CARI HESAP MUTABAKAT (23190 Current Account Reconciliation) | HESAP.GZ |
| NS-chevron Malaysia – quotation request | Details specicafitions.rar |
| Caixa Confirming facturas (Caixa Confirming invoices) | 1082300000832.rar |
| Invoice awaiting payment for 02-21-2023 # 1592189930 | PO#38341.url |
| Re: Payment for Ps64756DS45 | Payment_Ps64756DS45.rar |
| Your DHL Parcel Just Arrived | INVBL.IMG |
| Re: Re: Fwd: RE: Sending Groupware PC Messenger Installation File and Request to Measure Internet Speed in Pune | KYC_AJ35(Feb15).one |
| PAYMENT SLIP /BREAK UP | $40778.doc |
| very cool picture PRIVATE | the-pic.jpg.exe |
| DHL Waybill – 4274103106 | AME2669480075.html |
| NEW JOURNEY – PRICE INQUIRY | INQUIRY.IMG |
| Fwd: PO | interflux 230101.docx |
| ORDER INVOICE | ORDER INVOICE.zip |
| Approved Purchase Order | Purchase Order,xlsx.zip |
| Eccentric Plug valve Technical DataSheet | Technical DataSheet.iso |
| REVISED -Order 5879024-00/PO 4677/PO 4678 | PO feb.docx |
| RE: PO/ POLYESTER PROGRAM WITH CROSS WEAR for SPORTY , SPRINT and STORM | PI 1010225.xls |
The ASEC analysis team has selected keywords that users should look out for, based on the distribution cases above. If these keywords appear in the subject of an email, or the same characteristics are found, users must exercise strict caution, as the email may be a phishing email from a threat actor.
Keywords to Beware of: ‘Quotation’ and ‘Purchase Order’
The keywords for this week are 'Quotation' and 'Purchase Order'. The threat actor impersonated Korean companies when distributing the phishing emails. The email body is one actually used by the impersonated company, which suggests the threat actor obtained it from the affected company or from leaked email accounts. A web page script (HTML) file is attached to the email. This HTML file is a fake page disguised as Microsoft Excel, and the information the user enters is sent to the threat actor's server. All of the disguised emails below distribute the same HTML file, and the threat actor's server is as follows.
Upon receiving such an email, users should report it to AhnLab with the email attached and watch for leakage of their account credentials.
FakePage C2 URL
When users enter their IDs and passwords into one of the fake login pages created by the threat actor, the information is sent to the attacker's server. The list below shows the C2 addresses of the fake login pages distributed during the week.
Attacks using phishing emails are disguised with content that easily deceives users, such as invoices and tax payment notices, to lead them to fake login pages or to execute malware. Fake login pages are constantly evolving to resemble the original pages more closely. Attackers pack malware in compressed file formats to evade the attachment scanning of users' security products. Users must exercise strict caution and refer to recent cases of distribution to avoid infection through malicious phishing emails. The ASEC analysis team recommends that users follow the email security guidelines below.
- Do not open links or attachments in emails from unverified senders until the sender has been confirmed as credible.
- Do not enter sensitive information such as login account credentials until the site has been confirmed as legitimate.
- Do not open attachments with unfamiliar file extensions until they have been confirmed as safe.
- Use security products such as antimalware software.
According to the MITRE ATT&CK framework, phishing email attacks correspond to the following techniques.
- Phishing for Information (Reconnaissance, ID: T1598)
- Phishing (Initial Access, ID: T1566)
- Internal Spearphishing (Lateral Movement, ID: T1534)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.