ASEC Weekly Phishing Email Threat Trends (March 26th, 2023 – April 1st, 2023)

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 26th, 2023 to April 1st, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act is a technical subterfuge that enables the threat actor to perform attacks such as information leaks, malware distribution, and fraud against various targets. The focus of this post will be on the fact that phishing attacks mainly occur through emails. We will also provide a detailed classification of various attack methods that are based on phishing emails. Furthermore, we will make an effort to minimize user damage by introducing new attack types that have never been found before and emails that require users’ caution, along with their keywords. The phishing emails covered in this post will only be those that have attachments. Emails that have malicious links in the body without attachments will be excluded.

Phishing Emails

During this week, the most prevalent threat type seen in phishing email attachments was FakePage with 59%. FakePages are web pages where the threat actor has imitated the screen layout, logo, and font of the real login pages or advertising pages, leading users to enter their account and password information. The input information is sent to the threat actor’s C2 server or used to induce users to access other fake websites. See <FakePage C2> below The second most prevalent threat type was Downloader (22%), which includes loaders such as SmokeLoader and GuLoader. It was then followed by Infostealers (7%) like AgentTesla and FormBook that leak user credentials saved in web browsers, emails, and FTP clients. Aside from those mentioned above, Backdoor (4%) with Infostealer activities and downloading additional malware, Worm (4%), and Trojan (3%) were detected.  The threat types using phishing email attachments and their order of prevalence are similar to the order of malware distribution published weekly in the <ASEC Weekly Malware Statistics>.

File Extensions in Phishing Emails

We have identified which file extensions were used by the threats above for the distribution of email attachments. FakePages were distributed through web pages script (HTML, HTM, SHTML) documents that must be executed with a web browser. Other malware, including Infostealer and downloader, came attached to emails with various file extensions including compressed files (ZIP, 7Z, GZ, etc.), IMG disk image files, and DOCX document files. 

Cases of Distribution

The following are distribution cases that occurred during the week from March 26th, 2023 to April 1st, 2023. The cases will be classified into FakePage and malware types, including Infostealer, Downloader, Exploit, and Backdoor. The numbers in email subjects and attachment filenames are unique IDs and may vary depending on the email recipient. Distribution cases with Korean subjects were also found. These are cases that specifically targeted Korean users instead of propagating themselves globally using the identical English subject and text.

Case: FakePage

Email SubjectAttachment
[DHL Express] Notice on Import Tax Payment Deadline – (INV and AWB) ✈ParcelDocumentDHL.htm
Estimate (Order)24_153_IBXX 2307_54210_project order.htm
[FedEx] Guide on Import License.AWB#.SHTML
FedEx Request for activating customer numberAWB#989345874598.html
[** Industry] Request for estimate***** Industrial new order 2023-03-24.html
DHL AWB shipping notice #0861542Original Shipping Doc#GM53726192.pdf.htm
RE: Re: New order price (catalog edited)2023LEDprice.html
Account Suspension (last warning)Update Account.html
All received emails have been deferred.********.com.html
You have received an essential encrypted company emailmessage_790311_832743609.htm
FedEx Shipment Arrival NotificationFedEx Shippingdocs.htm
Attention: Service Suspension (Action Required for ******
Shipment Booking Confirmation – BL Draft is Ready for Review…Doc_20230327-3938.pdf.html
Your parcel has arrived urgent pick up needed today.AWB #8347630147.html
[SEC=OFFICIAL:Sensitive, ACCESS=Personal Data-Privacy]Personal Data-Privacy-SecureMessageAtt.html
There is an important encrypted corporate email you need to readmessage_982155_128090224.htm
Doc signed : Quote Agreement 16 Mar 2023Quotation-No#0381.shtml
Re: Re: [subject line information removed]W-9 Dt
New DHL Shipment Document Arrival Notice / Shipping Documents / Original BL, Invoice & Packing List(DHL) Original BL, PL, CI Copies.htm
Payment CopyPayment Copy.gz
FW:Re:Re: Payment Advice.Proforma Invoice.html
RE: Re: [subject line information removed]form 03.22.2023
You have received an essential encrypted company emailmessage_033902_557044732.htm
An important encrypted corporate email has been sent to
Pending invoice 10026870-1scan_10026870-1.htm
Original invoice customs clearance notification.Original-invoice & PList_admins.htm
EFT Payment-Invoice 0000315: Completed_ Please Review and SignSettlement-Payment-On-Hold.pdf
Your parcel has arrived urgent pick up needed todayShipping_Doc.htm
[DHL] Arrival Notice – Original Shipping Document – 2327821366scan_document.html
FW: RE: WIRE INSTRUCTIONScan_Wire Instruction.PDF.shtml
Pickup Confirmation Wednesday, March 15, 2023 8:6 a.m..Swift_confirmation_copy.PDF.shtml
RFQ- 1309445QUOTATION.pdf
Attached is the remittance advice payment02112022093630.pdf.html
new order(#0034) requestInvoice.html
DHL Parcel Delivery NotificationDetails.shtml
Express Package Delivery NotificationAWB#details.html
There is an important encrypted corporate email you need to read –message_567890_498055656.htm
Purchase Order PB2ED146HB2M-047Purchase Order PB2ED146HB2M-047.html
op****@********* Signed Documente-Signed_Doc_____________op****@*********
An important encrypted corporate email has been sent to
EFT Payment sent On: Wednesday, March 22, 2023 2:53 a.m.pjhh PaymentVocher.shtml
Due_lnvoice__countec.comFriday, March 24, 2023Inv® #PT947234.htm
SF ExpressWaybillDoc_8945655902.html
maito_op****@********* Signed Documente-Signed_Doc_____________maito_op****@*********
Statement of Account*****.com_SOA00424322332_xls.shtml
Fw: Re: [subject line info removed]Electronic form
An important encrypted corporate email has been sent to you –message_381082_213244471.htm
You have received an essential encrypted company emailmessage_924733_817031910.htm
Re: FW: [spoofed sender name]
Payment invoice Bank TransferInvoice#91273.pdf
Re: (Urgent Order) – PO# M01552PO ella RFQ #M01552-PDF.shtml
Re: Fw:Inquiry for 2023 New Products PricesOld
RE: PO.14036987,14038068 shipping documents and payment via DHL (083AB单)payment_doc & shipment#7221HKT.htm
Approved_New_PO0014232023 ******.co.krPO_00140323_Beals_Inc_******
< Re: New voice message from WIRELESS CALLER 15633963052 >voicemail_03232023.htm.
RE: New Invoice Order PaymentNewInvoiceOrderStatement.html
FW: Paymentinvoice sheet.html
Purchase Order (Sales Invoice)PurchaseOrderSheet.html
RE: AMENDED INVOICESProforma Invoice.shtml
Quote us your best offer on the attach order (treat urgently)Purchase#order.html
NEW ORDER- OC#8081013559 PO#3495-1022New order sign invoice for payment.htm
Approved_New_PO0014232023 ********.comPO_00140323_Beals_Inc_********.com.html
Re: Proforma invoiceSwift Remittance.html
Approved_New_PO0014232023 *********.comPO_00140323_Beals_Inc_*********.com.html
You have received an essential encrypted company email – Remote IDSecuredoc_06593415.html
You have received an essential encrypted company email – Remote IDSecuredoc_39067527.html
Approved_New_PO0014232023 ***********.co.krPO_00140323_Beals_Inc_**********
There is an important encrypted corporate email you need to readSecuredoc_93717448.html
You have received an essential encrypted company emailSecuredoc_23992084.html
An important encrypted corporate email has been sent to you –Securedoc_90978661.html
There is an important encrypted corporate email you need to read –Securedoc_67152574.html

Case: Malware (Infostealer, Downloader, etc.)

Email SubjectAttachment
smart picture don’t showmyplp.exe
sexy photossexpctrs.pif
sexy picturessuperplp.gif.scr
super nice images only for yousuper_pctrs.scr
super sexy photo only for yousex_act.scr
super sexy pics don’t showsuper_img.pif
super cool images imortantthe_imgs.scr
super cool picture only for youprivate__plp.jpg.exe
very wonderful picturesmy_plp.gif.scr
very cool picscool-action.gif.exe
RE: RE: RE: RE: Захтев
Purchase order480038_944.r00
Credit note for the month of March 2023- 11005605SOA.MARCH.iso
Borch request# RES_AGB_eroFame_DE_2023
Aw: PAYMENTS30.03.2023_SWIFT MT 103_9078212345TRF.gz
Give your best price on the demandsProducts Needed__________________pif.arj
FW: QUOTE REQUEST FOR SI-22311 II DOC- SI/MUM/2022-30/00307 II New PO# 10344 // CNEENew PO# 10344_CNEE.docx
Fw: Payment Advice – Advice Ref:[A1Xbj7fJ0V7W] /credits / Customer Ref:[BATCHFEB280301] / Second Party Ref:[TRN270323015]Advice.jpg.7z
Fw: RE: RFQ – Gauges and accessoriesRFQ – Gauges and
Fw: RE: URGENT****Our inquiry 23/
Employment Status And Salary Advance..Employment Status And Salary Advance…img
New Scanned document from Kciltd Office PrinterScan_Docs_004521.docx
Successflly Transferred settlement for outsending
Po 106069PO-1060688.z
Payment Advice 564302Payment Advice 564302.docx
Permintaan Informasi HargaRFQ.LM-0107PDF.rar
Price Inquiry – 2851083739801320230331-28510837398013.rar
Price Quotation for P/N: 61092-10SKM7109Y510S.IMG
Price Quotation for P/N: ESP1092-10ESP15903YI0.IMG
RE: A/R Down Payment Request 10285Bank Slip 30% Advance Payment to enable production of the
RE: FedEx Notification of Arrival – AWB# 102235516763FedEx Express AWB#102235516763.rar
RE: PRO-FORMA INVOICE NO-1820Q/2023PI-1820Q.xls
RE: Please Confirm PaymentPayment Copy USD14,
RE: Request For Quote – Urgent !MRSK0052447.IMG
RE: UPDATED SOA4970528.xls
RE:FedEx Notification of Arrival – AWB# 102235516763FedEx Receipt_1022355161763.rar
REVISED -Order 5879024-00/PO 4677/PO 4678PO feb.docx
Re: Order-CHW/U2/SI/22-23/3534Order-CHWU2SI22-233534.xls
Re: super smart picsgreatpctrs.exe
Re:Request for QuotationUPDATED_LIST.7z
Re[3]: wonderful images imortantgreat-photos.gif.pif
Re[3]: super nice images only for youwild__action.jpg.scr
Re[3]: very wonderful photos privatewild-plp.jpg.exe
Re[2]: nice photos only for youpriv__scene.jpg.scr
Re[2]: super smart pics just for youfuck__images.gif.exe
Re[2]: very nice picturegreat__img.jpg.scr
Re[2]: very nice picture imortantbestimgs.scr
Re[4]: very wonderful photosprv_action.exe
Re[5]: nice picture imortantpriv__act.exe
Re[5]: super cool photopriv__action.scr
Re[5]: smart photofuckimages.pif
Re[5]: very nice photosfuck__pctrs.jpg.scr
Rechnung, ausstehende ZahlungRH-0987654345678.Z
Reference NoticeReference Notice_pdf.rar
Request For
Request For Quote #182044-13PO.xls
Request for QuoteRFQ.exe
World Surfaris RemittanceBalance$1,234,000,45-pdf.gz
TOTSA – Request For QuotationRFQ005412.IMG
Urgent OrderProduct Lists2.PDF.img
cool picsprivateaction.pif
beautiful photomyscene.jpg.pif

The ASEC analysis team has selected keywords that users must look out for, based on the distribution cases above. If these keywords are included in the subject of the email, or if the same characteristics are found, users must exercise strict caution as they may be phishing emails from threat actors. 

Keywords to Beware of: ‘PDF Online’   

The keyword for this week is ‘PDF Online.’ A phishing website disguised as ‘PDF Online’ has been distributed recently. The fake webpage was mentioned in the ASEC Weekly Phishing Email Threat Trends uploaded in March 17th. The phishing email was impersonating a Korean company and was written in fluent Korean. As such, it is likely that the email was created with actual leaked content. Such phishing emails are attached with HTML script files. This is a fake page that prompts users to enter their IDs and passwords with the text ‘PDF Online.’ When the users input their account credentials, the information is leaked to the threat actor’s server; thus, the information should not be entered.

  • Phishing URL: https[:]//naturaverdebeauty[.]com/justld/next.php

FakePage C2 URL

When users enter their IDs and passwords on the login pages among the FakePages created by the threat actor, their information is sent to the attacker’s server. The list below shows the threat actor’s C2 addresses of fake login pages distributed during the week.

  • https[:]//formspree[.]io/f/myyazkbv
  • https[:]//neduet[.]hosting[.]acm[.]org/pdf[.]php
  • https[:]//submit-form[.]com/rS8vx7dD
  • https[:]//razarmanagement[.]com/192[.]185[.]224[.]69/,/ue/postdhll[.]php
  • http[:]//ns2[.]wrsc[.]org/sites/all/libraries/elfinder/files/index/kugo/FedExpress[.]php
  • https[:]//formspree[.]io/f/xgebzovk
  • http[:]//tzp[.]com[.]pk/wp-admin/fte[.]php
  • https[:]//archerhall[.]com/wp-admin/Exc/Excell[.]php
  • https[:]//www[.]calvellirappresentanze[.]com/wp-content/plugins/TOPXOH/index/index/1/add[.]php
  • https[:]//escolagirassol[.]com[.]br/dd/ddhl[.]php
  • https[:]//formspree[.]io/f/mdovedpp
  • https[:]//formspree[.]io/f/moqzlyod
  • https[:]//hobbyless-features[.]000webhostapp[.]com/pdf[.]php
  • https[:]//gooddreams[.]co[.]in:/smhh/webapp[.]php
  • https[:]//elhdlwfa2o4[.]sa[.]com/horn/log1234567[.]php
  • https[:]//undebauched-hyphens[.]000webhostapp[.]com/dhlc[.]php
  • https[:]//formspree[.]io/f/moqzllag
  • https[:]//alemadistones[.]com/secure/Citizen/Exo/css/FX/cloudlog[.]php
  • https[:]//submit-form[.]com/NhEAc2e9
  • https[:]//firp[.]governo[.]ao/plauge/vmxll[.]php
  • https[:]//formspree[.]io/f/mdovdokw
  • https[:]//cambiamarcia[.]net/wp-includes/pdf[.]php
  • https[:]//formspree[.]io/f/xnqyzrzj
  • https[:]//www[.]nrwolff[.]com[.]br/wp-admin/maint/bv/mxl[.]php
  • https[:]//qleapinnovations[.]com/peeking/peeking[.]php
  • https[:]//archerhall[.]com/wp-admin/php/pdf[.]php
  • https[:]//izmirlist[.]com//2Ae/jotform[.]php
  • https[:]//naturaverdebeauty[.]com/justld/next[.]php

Attacks using phishing emails are disguised with content that can easily deceive users, such as invoices and tax payments, to induce users to access fake login pages or execute malware. Fake login pages are evolving by the second to closely resemble the original pages. The attackers pack malware in compressed file formats to escape the attachment scans of users’ security products. Users must practice strict caution and refer to recent cases of distribution to avoid being exposed to infection by malicious phishing emails. The ASEC analysis team recommends users follow the email security guidelines below. 

  • Do not execute links and attachments in emails from unverified senders until they are proven to be credible.


  • Do not enter sensitive information such as login account credentials until the site is found to be reliable. 


  • Do not execute attachments with unfamiliar file extensions until they are found to be reliable.


  • Use security products such as antimalware software.

According to the MITRE ATT&CK framework, phishing email attacks correspond to the following techniques.

  • Phishing for Information (Reconnaissance, ID: T1598[1])


  • Phishing (Initial Access, ID: TI1566[2])


  • Internal Spearphishing (Lateral Movement, ID: T1534[3])

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

2 1 vote
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments