Statistical Report on Phishing Emails in Q1 2024

Overview

 

AhnLab SEcurity intelligence Center (ASEC) monitors phishing email threats using its automatic sample analysis system (RAPIT) and its honeypot. This post covers the phishing emails distributed during the first quarter of 2024 (January, February, and March) and provides statistics for each type.

Phishing is generally described as an attack that leaks users' login account credentials by impersonating an institution, company, or individual through social engineering. More broadly, it is a technical subterfuge that lets the threat actor carry out attacks such as information leaks, malware distribution, and fraud against various targets. This post focuses on the fact that phishing attacks mainly occur through email, and gives a detailed classification of the attack methods that are based on phishing emails. To help minimize damage to users, we also introduce new attack types that have never been found before and emails that call for caution, along with their keywords.

Only phishing emails with attachments are covered in this post. Emails that carry malicious links in the body but have no attachments are excluded.

 

Statistics

 

1. Statistics on Attachment Threat Types

 

In the first quarter of 2024, the most prevalent threat type among phishing email attachments was FakePage (65%). In this type, threat actors mimic the login pages, logos, fonts, and display layouts of advertising pages to create deceptive pages that lure users into entering their account credentials. The threat actors then transmit this information to their C2 servers or lead users to fake sites.

The second most common type was Downloader (17%), known as GuLoader, which downloads additional malware strains from the C2. The third most prevalent threat type was Infostealer (7%), including AgentTesla, FormBook, and AveMaria, which exfiltrate user information saved in web browsers, email clients, and FTP clients. Among the other threat types, Trojan (6%) was the most detected, followed by Exploit (3%) and Backdoor (1%).

Compared to the figures for Q4 2023, the share of FakePage (65%) increased by 15%, Downloader (17%) increased by 5%, and Trojan (6%) decreased by 7%. The percentages of Exploit (3%) and Backdoor (1%) were similar to those of Q4 2023.


 

2. Statistics on Attachment Extension Types

 

The most common file extension type for phishing email attachments in Q1 2024 was web page scripts (Script, 60%), that is, documents executed in web browsers (FakePage). The distributed extensions were HTML (41%), SHTML (11%), and HTM (7%). The second most prevalent file extension type was compressed files (Compress, 20%). Once extracted, these files may contain various malware types, including Infostealers and downloaders. The extensions distributed were 7Z (6%), RAR (5%), and ZIP (2%), in that descending order. Additionally, Images (10%), Documents (10%), and PE (1%) were identified.

Compared to the figures for Q4 2023, Script types intended to steal accounts (fake login pages, 60%) increased sharply, by 31%. The percentage of Compress (20%) decreased as a result. Within Script (60%), the HTML extension increased by 19% and the SHTML extension by 6% compared to the fourth quarter. Within Compress (20%), the 7Z extension decreased by 7% compared to Q4 2023, and ZIP files showed a 2% decrease. In Image (9%), the distribution of ISO extensions decreased by 5%, resulting in a 1% decrease in quantity relative to the total, while the IMG extension showed an increase of 3%.
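The following Python sketch is an added example, not ASEC's tooling or part of RAPIT: it sorts a message's attachments into the extension groups named in this section and flags Script attachments that match the FakePage pattern from section 1 (a password field plus a form that submits to a remote server). The function names, the Document and PE extension lists, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Extension groups from the report; Document and PE members are assumed here.
EXT_GROUPS = {"Script": {".html", ".shtml", ".htm"}, "Compress": {".7z", ".rar", ".zip"},
              "Image": {".iso", ".img"}, "Document": {".pdf", ".docx", ".xlsx"},
              "PE": {".exe", ".dll"}}

class FormScanner(HTMLParser):
    """Records remote form targets and whether a password field is present."""
    def __init__(self):
        super().__init__()
        self.remote_actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and urlparse(a.get("action") or "").scheme in ("http", "https"):
            self.remote_actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def triage(raw_eml: bytes):
    """Return one finding per attachment: name, extension group, FakePage flag."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        group = next((g for g, exts in EXT_GROUPS.items() if ext in exts), "Other")
        scanner = FormScanner()
        if group == "Script":  # only web page scripts are parsed as HTML
            body = part.get_content()
            scanner.feed(body.decode("utf-8", "replace") if isinstance(body, bytes) else body)
        findings.append({"name": name, "group": group, "post_targets": scanner.remote_actions,
                         "fakepage_suspect": scanner.has_password and bool(scanner.remote_actions)})
    return findings

def build_sample() -> bytes:
    """Constructed message (not from the report): one fake login page, one archive."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Invoice", "a@example.com", "b@example.com"
    m.set_content("See attached.")
    page = '<form action="https://collector.example/p"><input type="password"></form>'
    m.add_attachment(page, subtype="html", filename="Invoice.SHTML")
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename="order.7z")
    return m.as_bytes()
```

Calling `triage(build_sample())` returns one finding per attachment. The form check is a static heuristic, so pages that submit credentials from JavaScript rather than through a form `action` need script inspection as well.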