ASEC Weekly Phishing Email Threat Trends (March 26th, 2023 – April 1st, 2023)

AhnLab Security Emergency response Center (ASEC) monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from March 26th, 2023 to April 1st, 2023 and provide statistical information on each type. Generally, phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods. On a broader note, the act is a technical subterfuge that enables the threat actor to perform attacks such as information leaks, malware distribution, and fraud against various targets. The focus of this post will be on the fact that phishing attacks mainly occur through emails. We will also provide a detailed classification of various attack methods that are based on phishing emails. Furthermore, we will make an effort to minimize user damage by introducing new attack types that have never been found before and emails that require users’ caution, along with their keywords. The phishing emails covered in this post will only be those that have attachments. Emails that have malicious links in the body without attachments will be excluded.

Phishing Emails

During this week, the most prevalent threat type seen in phishing email attachments was FakePage with 59%. FakePages are web pages where the threat actor has imitated the screen layout, logo, and font of the real login pages or advertising pages, leading users to enter their account and password information. The input information is sent to the threat actor’s C2 server or used to induce users to access other fake websites. See <FakePage C2> below The second most prevalent threat type was Downloader (22%), which includes loaders such as SmokeLoader and GuLoader. It was then followed by Infostealers (7%) like AgentTesla and FormBook that leak user credentials saved in web browsers, emails, and FTP clients. Aside from those mentioned above, Backdoor (4%) with Infostealer activities and downloading additional malware, Worm (4%), and Trojan (3%) were detected.  The threat types using phishing email attachments and their order of prevalence are similar to the order of malware distribution published weekly in the <ASEC Weekly Malware Statistics>.

File Extensions in Phishing Emails

We have identified which file extensions were used by the threats above for the distribution of email attachments. FakePages were distributed through web pages script (HTML, HTM, SHTML) documents that must be executed with a web browser. Other malware, including Infostealer and downloader, came attached to emails with various file extensions including compressed files (ZIP, 7Z, GZ, etc.), IMG disk image files, and DOCX document files. 

Cases of Distribution

The following are distribution cases that occurred during the week from March 26th, 2023 to April 1st, 2023. The cases will be classified into FakePage and malware types, including Infostealer, Downloader, Exploit, and Backdoor. The numbers in email subjects and attachment filenames are unique IDs and may vary depending on the email recipient. Distribution cases with Korean subjects were also found. These are cases that specifically targeted Korean users instead of propagating themselves globally using the identical English subject and text.

Case: FakePage

Email Subject Attachment
[DHL Express] Notice on Import Tax Payment Deadline – (INV and AWB) ✈ ParcelDocumentDHL.htm
Estimate (Order) 24_153_IBXX 2307_54210_project order.htm
[FedEx] Guide on Import License. AWB#.SHTML
FedEx Request for activating customer number AWB#989345874598.html
[** Industry] Request for estimate ***** Industrial new order 2023-03-24.html
DHL AWB shipping notice #0861542 Original Shipping Doc#GM53726192.pdf.htm
RE: Re: New order price (catalog edited) 2023LEDprice.html
Account Suspension (last warning) Update Account.html
All received emails have been deferred. ********.com.html
You have received an essential encrypted company email message_790311_832743609.htm
FedEx Shipment Arrival Notification FedEx Shippingdocs.htm
Inquiry Inquiry.htm
Attention: Service Suspension (Action Required for ******.co.kr) Deposit_payment_confirmation.pdf
Shipment Booking Confirmation – BL Draft is Ready for Review… Doc_20230327-3938.pdf.html
Your parcel has arrived urgent pick up needed today. AWB #8347630147.html
[SEC=OFFICIAL:Sensitive, ACCESS=Personal Data-Privacy] Personal Data-Privacy-SecureMessageAtt.html
There is an important encrypted corporate email you need to read message_982155_128090224.htm
Doc signed : Quote Agreement 16 Mar 2023 Quotation-No#0381.shtml
Re: Re: [subject line information removed] W-9 Dt 03.22.2023.one
New DHL Shipment Document Arrival Notice / Shipping Documents / Original BL, Invoice & Packing List (DHL) Original BL, PL, CI Copies.htm
Payment Copy Payment Copy.gz
FW:Re:Re: Payment Advice. Proforma Invoice.html
RE: Re: [subject line information removed] form 03.22.2023 Gmail.one
You have received an essential encrypted company email message_033902_557044732.htm
MAERSK LINE SHIPPING DOC SOUNDWORLD ENTERPRISE CO.,LTD Shipping_Doc.html
An important encrypted corporate email has been sent to you SecureMessage.zip
Pending invoice 10026870-1 scan_10026870-1.htm
Original invoice customs clearance notification. Original-invoice & PList_admins.htm
EFT Payment-Invoice 0000315: Completed_ Please Review and Sign Settlement-Payment-On-Hold.pdf
Your parcel has arrived urgent pick up needed today Shipping_Doc.htm
[DHL] Arrival Notice – Original Shipping Document – 2327821366 scan_document.html
FW: RE: WIRE INSTRUCTION Scan_Wire Instruction.PDF.shtml
Pickup Confirmation Wednesday, March 15, 2023 8:6 a.m.. Swift_confirmation_copy.PDF.shtml
RFQ- 1309445 QUOTATION.pdf
Attached is the remittance advice payment 02112022093630.pdf.html
new order(#0034) request Invoice.html
DHL Parcel Delivery Notification Details.shtml
Express Package Delivery Notification AWB#details.html
There is an important encrypted corporate email you need to read – message_567890_498055656.htm
Purchase Order PB2ED146HB2M-047 Purchase Order PB2ED146HB2M-047.html
op****@*********.co.kr Signed Document e-Signed_Doc_____________op****@*********.co.kr.html
An important encrypted corporate email has been sent to you FAX_MAIL.zip
EFT Payment sent On: Wednesday, March 22, 2023 2:53 a.m. pjhh PaymentVocher.shtml
Due_lnvoice__countec.comFriday, March 24, 2023 Inv® #PT947234.htm
SF Express WaybillDoc_8945655902.html
Greeting!!! GAAS-RFQ#2022061602-KD-Ref.pdf
maito_op****@*********.co.kr Signed Document e-Signed_Doc_____________maito_op****@*********.co.kr.html
Statement of Account *****.com_SOA00424322332_xls.shtml
Fw: Re: [subject line info removed] Electronic form 03.22.2023.one
An important encrypted corporate email has been sent to you – message_381082_213244471.htm
You have received an essential encrypted company email message_924733_817031910.htm
Re: FW: [spoofed sender name] doc_0322.one
Payment invoice Bank Transfer Invoice#91273.pdf
Re: (Urgent Order) – PO# M01552 PO ella RFQ #M01552-PDF.shtml
Re: Fw:Inquiry for 2023 New Products Prices Old Prices.zip
RE: PO.14036987,14038068 shipping documents and payment via DHL (083AB单) payment_doc & shipment#7221HKT.htm
Approved_New_PO0014232023 ******.co.kr PO_00140323_Beals_Inc_******.co.kr.html
< Re: New voice message from WIRELESS CALLER 15633963052 > voicemail_03232023.htm.
RE: New Invoice Order Payment NewInvoiceOrderStatement.html
FW: Payment invoice sheet.html
Purchase Order (Sales Invoice) PurchaseOrderSheet.html
RE: AMENDED INVOICES Proforma Invoice.shtml
Quote us your best offer on the attach order (treat urgently) Purchase#order.html
NEW ORDER- OC#8081013559 PO#3495-1022 New order sign invoice for payment.htm
Approved_New_PO0014232023 ********.com PO_00140323_Beals_Inc_********.com.html
Re: Proforma invoice Swift Remittance.html
Approved_New_PO0014232023 *********.com PO_00140323_Beals_Inc_*********.com.html
You have received an essential encrypted company email – Remote ID Securedoc_06593415.html
You have received an essential encrypted company email – Remote ID Securedoc_39067527.html
Approved_New_PO0014232023 ***********.co.kr PO_00140323_Beals_Inc_**********.co.kr.html
There is an important encrypted corporate email you need to read Securedoc_93717448.html
You have received an essential encrypted company email Securedoc_23992084.html
An important encrypted corporate email has been sent to you – Securedoc_90978661.html
There is an important encrypted corporate email you need to read – Securedoc_67152574.html

Case: Malware (Infostealer, Downloader, etc.)

Email Subject Attachment
smart picture don’t show myplp.exe
sexy photos sexpctrs.pif
sexy pictures superplp.gif.scr
super nice images only for you super_pctrs.scr
super sexy photo only for you sex_act.scr
super sexy pics don’t show super_img.pif
super cool images imortant the_imgs.scr
super cool picture only for you private__plp.jpg.exe
very wonderful pictures my_plp.gif.scr
very cool pics cool-action.gif.exe
RE: RE: RE: RE: Захтев 04352562561652.zip
SOA FROM SHANGHAI LEAGUE/CITI LOGISTICS (USD 16) SOA #00776122.docx
Purchase order 480038_944.r00
Credit note for the month of March 2023- 11005605 SOA.MARCH.iso
Borch request# RES_AGB_eroFame_DE_2023 Project RES_AGB_eroFame_EN_2023.zip
Bussiness Inquiry Nutribrasalimentos.zip
Aw: PAYMENTS 30.03.2023_SWIFT MT 103_9078212345TRF.gz
Give your best price on the demands Products Needed__________________pif.arj
DAMAGE GOODS/SETTLEMENT Scan Pictures.img
DHL Express SHIPPING NOTIFICATION DHL Booking.zip
FW: QUOTE REQUEST FOR SI-22311 II DOC- SI/MUM/2022-30/00307 II New PO# 10344 // CNEE New PO# 10344_CNEE.docx
Fw: Payment Advice – Advice Ref:[A1Xbj7fJ0V7W] /credits / Customer Ref:[BATCHFEB280301] / Second Party Ref:[TRN270323015] Advice.jpg.7z
Fw: RE: RFQ – Gauges and accessories RFQ – Gauges and accessories.zip
Fw: RE: URGENT****Our inquiry 23/SPEC02781 SPEC02781.zip
Employment Status And Salary Advance.. Employment Status And Salary Advance…img
LEGAL ACTION / LONG OVERDUE INVOICE Details Aan Invoice 2.img
NUEVA ORDEN DE COMPRA PO-4101927653_APRIL 2023.gz
New Scanned document from Kciltd Office Printer Scan_Docs_004521.docx
MV INLACO ACCORD / ETA: 25TH FEB ++ AGENT NOMINATION DISCHG.IMG
Successflly Transferred settlement for outsending SOA swift.zip
PO NO 0023 PO NO 0023.zip
Po 106069 PO-1060688.z
Payment Advice 564302 Payment Advice 564302.docx
Permintaan Informasi Harga RFQ.LM-0107PDF.rar
Price Inquiry – 28510837398013 20230331-28510837398013.rar
Price Quotation for P/N: 61092-10 SKM7109Y510S.IMG
Price Quotation for P/N: ESP1092-10 ESP15903YI0.IMG
RE: A/R Down Payment Request 10285 Bank Slip 30% Advance Payment to enable production of the goods.zip
RE: FedEx Notification of Arrival – AWB# 102235516763 FedEx Express AWB#102235516763.rar
RE: PRO-FORMA INVOICE NO-1820Q/2023 PI-1820Q.xls
RE: Please Confirm Payment Payment Copy USD14,000.zip
RE: Request For Quote – Urgent ! MRSK0052447.IMG
RE: UPDATED SOA 4970528.xls
RE:FedEx Notification of Arrival – AWB# 102235516763 FedEx Receipt_1022355161763.rar
REVISED -Order 5879024-00/PO 4677/PO 4678 PO feb.docx
RFQ-WES/510/92/810 WES51092Y810.IMG
Re: Order-CHW/U2/SI/22-23/3534 Order-CHWU2SI22-233534.xls
Re: super smart pics greatpctrs.exe
Re:Request for Quotation UPDATED_LIST.7z
Retiro retiro-pdf.gz
Re[3]: wonderful images imortant great-photos.gif.pif
Re[3]: super nice images only for you wild__action.jpg.scr
Re[3]: very wonderful photos private wild-plp.jpg.exe
Re[2]: nice photos only for you priv__scene.jpg.scr
Re[2]: super smart pics just for you fuck__images.gif.exe
Re[2]: very nice picture great__img.jpg.scr
Re[2]: very nice picture imortant bestimgs.scr
Re[4]: very wonderful photos prv_action.exe
Re[5]: nice picture imortant priv__act.exe
Re[5]: super cool photo priv__action.scr
Re[5]: smart photo fuckimages.pif
Re[5]: very nice photos fuck__pctrs.jpg.scr
Rechnung, ausstehende Zahlung RH-0987654345678.Z
Reference Notice Reference Notice_pdf.rar
Request For Quotation QUOTATION.zip
Request For Quote #182044-13 PO.xls
Request for Quote RFQ.exe
World Surfaris Remittance Balance$1,234,000,45-pdf.gz
TOTSA – Request For Quotation RFQ005412.IMG
UPDATED SOA Overdue soa.zip
Urgent Order Product Lists2.PDF.img
cool pics privateaction.pif
beautiful photo myscene.jpg.pif
enquiry_2703_023 enquiry_2703_023.rar

The ASEC analysis team has selected keywords that users must look out for, based on the distribution cases above. If these keywords are included in the subject of the email, or if the same characteristics are found, users must exercise strict caution as they may be phishing emails from threat actors. 

Keywords to Beware of: ‘PDF Online’   

The keyword for this week is ‘PDF Online.’ A phishing website disguised as ‘PDF Online’ has been distributed recently. The fake webpage was mentioned in the ASEC Weekly Phishing Email Threat Trends uploaded in March 17th. The phishing email was impersonating a Korean company and was written in fluent Korean. As such, it is likely that the email was created with actual leaked content. Such phishing emails are attached with HTML script files. This is a fake page that prompts users to enter their IDs and passwords with the text ‘PDF Online.’ When the users input their account credentials, the information is leaked to the threat actor’s server; thus, the information should not be entered.

  • Phishing URL: https[:]//naturaverdebeauty[.]com/justld/next.php

FakePage C2 URL

When users enter their IDs and passwords on the login pages among the FakePages created by the threat actor, their information is sent to the attacker’s server. The list below shows the threat actor’s C2 addresses of fake login pages distributed during the week.

  • https[:]//formspree[.]io/f/myyazkbv
  • https[:]//neduet[.]hosting[.]acm[.]org/pdf[.]php
  • https[:]//submit-form[.]com/rS8vx7dD
  • https[:]//razarmanagement[.]com/192[.]185[.]224[.]69/,/ue/postdhll[.]php
  • http[:]//ns2[.]wrsc[.]org/sites/all/libraries/elfinder/files/index/kugo/FedExpress[.]php
  • https[:]//formspree[.]io/f/xgebzovk
  • http[:]//tzp[.]com[.]pk/wp-admin/fte[.]php
  • https[:]//archerhall[.]com/wp-admin/Exc/Excell[.]php
  • https[:]//www[.]calvellirappresentanze[.]com/wp-content/plugins/TOPXOH/index/index/1/add[.]php
  • https[:]//escolagirassol[.]com[.]br/dd/ddhl[.]php
  • https[:]//formspree[.]io/f/mdovedpp
  • https[:]//formspree[.]io/f/moqzlyod
  • https[:]//hobbyless-features[.]000webhostapp[.]com/pdf[.]php
  • https[:]//gooddreams[.]co[.]in:/smhh/webapp[.]php
  • https[:]//elhdlwfa2o4[.]sa[.]com/horn/log1234567[.]php
  • https[:]//undebauched-hyphens[.]000webhostapp[.]com/dhlc[.]php
  • https[:]//formspree[.]io/f/moqzllag
  • https[:]//alemadistones[.]com/secure/Citizen/Exo/css/FX/cloudlog[.]php
  • https[:]//submit-form[.]com/NhEAc2e9
  • https[:]//firp[.]governo[.]ao/plauge/vmxll[.]php
  • https[:]//formspree[.]io/f/mdovdokw
  • https[:]//cambiamarcia[.]net/wp-includes/pdf[.]php
  • https[:]//formspree[.]io/f/xnqyzrzj
  • https[:]//www[.]nrwolff[.]com[.]br/wp-admin/maint/bv/mxl[.]php
  • https[:]//qleapinnovations[.]com/peeking/peeking[.]php
  • https[:]//archerhall[.]com/wp-admin/php/pdf[.]php
  • https[:]//izmirlist[.]com//2Ae/jotform[.]php
  • https[:]//naturaverdebeauty[.]com/justld/next[.]php

Attacks using phishing emails are disguised with content that can easily deceive users, such as invoices and tax payments, to induce users to access fake login pages or execute malware. Fake login pages are evolving by the second to closely resemble the original pages. The attackers pack malware in compressed file formats to escape the attachment scans of users’ security products. Users must practice strict caution and refer to recent cases of distribution to avoid being exposed to infection by malicious phishing emails. The ASEC analysis team recommends users follow the email security guidelines below. 

  • Do not execute links and attachments in emails from unverified senders until they are proven to be credible.

 

  • Do not enter sensitive information such as login account credentials until the site is found to be reliable. 

 

  • Do not execute attachments with unfamiliar file extensions until they are found to be reliable.

 

  • Use security products such as antimalware software.

According to the MITRE ATT&CK framework, phishing email attacks correspond to the following techniques.

  • Phishing for Information (Reconnaissance, ID: T1598[1])

 

  • Phishing (Initial Access, ID: TI1566[2])

 

  • Internal Spearphishing (Lateral Movement, ID: T1534[3])

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post ASEC Weekly Phishing Email Threat Trends (March 26th, 2023 – April 1st, 2023) appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/51222/