Beware of Phishing Emails Disguised as Project Proposals

Beware of Phishing Emails Disguised as Project Proposals

The AhnLab SEcurity intelligence Center (ASEC) recently confirmed that phishing emails disguised as project proposals are being circulated. The body of the email pretends to request that the proposal and confirmed delivery schedule be submitted as soon as possible, and prompts the recipient to download the attached compressed file.

 

[Figure 1] Phishing email body

 

When a user downloads and decompresses the attached compressed file, they will find JS malware disguised as a proposal, as shown in [Figure 2].

 

[Figure 2] Compressed file

 

When executed, the JavaScript malware executes PowerShell commands as shown in [Figure 4]. The PowerShell script receives encrypted SnakeKeylogger data as an argument from within the JavaScript file, decrypts it, and executes it in memory without saving it to disk.

 

[Figure 3] Part of the obfuscated JavaScript malware

[Figure 4] Part of the obfuscated PowerShell script

 

Once executed, SnakeKeylogger—an Infostealer—collects various types of information from the infected system, such as web browser data, system information, and keylogging data, and transmits it externally through SMTP or Telegram. The C2 server information used is as follows.

 

SnakeKeylogger C2

  • Mail Server: mail.Trimnt[.]Com
  • ID: nova3@mnt[.]Com
  • Email To: keishstanford5@gmail[.]Com

 

[Figure 5] SnakeKeylogger malware Main

 

Response Guide

 

1. Verify the Sender

  • Verify that the sender’s email address uses an official domain.

 

2. Check Hyperlinks and Attachments

  • If the email body contains an image that prompts you to click on it, check the linked URL first before clicking. Suspicious URLs often redirect to legitimate pages via third-party sites rather than directly from official pages, so examine them carefully. Additionally, if there are attachments, check for suspicious file extensions (.Exe, .Vbs, .Js, etc.).

 

3. Be Cautious When Entering Sensitive Information

  • If you are asked to provide sensitive information, such as login credentials, always verify that the page’s URL is that of the official site before entering any information. If the page is not official, it is highly likely to be a suspicious URL, so caution is required. In particular, check the page’s security certification (HTTPS, padlock icon) before entering sensitive information, and never enter any information if you have any doubts.

MD5

0cbfcc3573399368a2a9abcfa42af134

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.