ASEC tracks phishing email threats for the week of June 11–17, 2023, focusing on attachments and the distribution methods used by attackers. The report categorizes cases into FakePage and Malware (Infostealer, Downloader, Trojan, Exploit, Backdoor), lists notable IOCs, and offers user guidance to reduce impact. #FedEx #Infostealer #AgentTesla #FormBook #AveMaria #FakePage
Key points
- The analysis covers phishing emails with attachments from June 11–17, 2023, excluding emails that only contained malicious links.
- Infostealer is the most prevalent type (51%), with examples like AgentTesla, FormBook, and AveMaria that leak credentials stored in browsers, emails, and FTP clients.
- FakePage is the second-most prevalent type (18%), involving fake login pages designed to steal credentials that are sent to attacker C2 servers.
- Downloader accounts for 7% of cases, often distributing additional malware such as Infostealers and backdoors; Trojan (7%) and Exploit (3%) are also observed.
- File extensions used in attachments include HTM/HTML/SHTML for FakePage pages and compressed formats (RAR, 7Z, etc.) for Infostealer/Downloader payloads.
- Cases include Korean-targeted emails and numerous subject/attachment pairs; FedEx and DHL-themed lures are common in FakePage campaigns.
- MITRE ATT&CK mappings are discussed, linking phishing to information gathering, initial access, and internal spearphishing for lateral movement.
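The extension pattern above (HTM/HTML/SHTML for FakePage, archives for Infostealer/Downloader payloads) is easy to turn into a first-pass attachment triage. The script below is an added example and is not code from the ASEC report; the extension-to-category mapping is this example's own reading of the report's key points (an assumption), and the sample attachment names are the ones quoted in the IOC list plus one constructed benign name. It also handles the two naming tricks visible in those IOCs: a space before the dot followed by a double extension (`... .docx.shtml`) and a document type written into the stem without a dot (`...pdf.7z`).

```python
import re

# Extension classes as read from the ASEC weekly summary for June 11-17, 2023.
# Assumption: this mapping is the example's own, not a list published by ASEC.
FAKEPAGE_EXTS = {"htm", "html", "shtml"}                # FakePage credential-harvesting pages
ARCHIVE_EXTS = {"zip", "rar", "7z"}                     # archives carrying Infostealer/Downloader payloads
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf"}  # decoy document types used in lure names


def _normalize(filename: str) -> str:
    """Lowercase, trim, and drop whitespace placed before a dot, so that
    'SHIPMENT .docx.shtml' is read as 'shipment.docx.shtml'."""
    return re.sub(r"\s+\.", ".", filename.strip().lower())


def attachment_extensions(filename: str) -> list[str]:
    """Return every extension of the name, outermost first:
    'a.docx.shtml' -> ['shtml', 'docx']."""
    parts = [p for p in _normalize(filename).split(".") if p]
    return list(reversed(parts[1:]))


def classify_attachment(filename: str) -> dict:
    """Map one attachment name to the report's categories plus lure indicators."""
    exts = attachment_extensions(filename)
    outer = exts[0] if exts else ""
    stem = _normalize(filename).split(".")[0]

    if outer in FAKEPAGE_EXTS:
        category = "fakepage"
    elif outer in ARCHIVE_EXTS:
        category = "archive_payload"
    else:
        category = "other"

    flags = []
    # 'x.docx.shtml': a document extension hidden behind the real (HTML) one
    if any(e in DOCUMENT_EXTS for e in exts[1:]):
        flags.append("double_extension_document_lure")
    # 'Booking_3461005pdf.7z' or '... DOC.html': document type spelled into the stem
    if any(stem.endswith(e) for e in DOCUMENT_EXTS):
        flags.append("decoy_document_suffix_in_name")
    return {"name": filename, "category": category, "flags": flags}


def triage(attachment_names: list[str]) -> list[dict]:
    """Classify a batch and keep only entries that merit analyst attention."""
    results = [classify_attachment(n) for n in attachment_names]
    return [r for r in results if r["category"] != "other" or r["flags"]]


# Constructed sample batch: the attachment names quoted in the report plus one benign name.
SAMPLE_ATTACHMENTS = [
    "FedEx SCANNED ORIGINAL DOC.html",
    "DHL AWB SHIPMENT#Jhpark00906142023 .docx.shtml",
    "Invoice.zip",
    "Booking_3461005pdf.7z",
    "quarterly_report.pdf",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ATTACHMENTS):
        print(f"{r['category']:16} {','.join(r['flags']) or '-':34} {r['name']}")
```

Only the benign `quarterly_report.pdf` drops out of the triage list; the four report-derived names are all flagged, with the DHL name carrying the double-extension indicator and both the FedEx and Booking names carrying the decoy-suffix indicator. A filename heuristic like this is a cheap prefilter for mail-gateway logs, not a verdict; HTML attachments still need content inspection (for example, for a form posting credentials to an external URL) before being treated as FakePage.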
MITRE Techniques
- [T1598] Phishing for Information – Used as reconnaissance via phishing emails to obtain credentials. Quote: [‘Phishing for Information (Reconnaissance, ID: T1598)’]
- [T1566] Phishing – Used to gain initial access by distributing phishing emails with attachments. Quote: [‘Phishing (Initial Access, ID: T1566)’]
- [T1534] Internal Spearphishing – Used for lateral movement through targeted email campaigns. Quote: [‘Internal Spearphishing (Lateral Movement, ID: T1534)’]
Indicators of Compromise
- [URL] Phishing login pages and C2 URLs – https://sattaonmobile.com/new/1drv.php, https://hanbayinc.com/xs/omi/send.php, and 12 more
- [URL] Phishing URL – https://formspree.io/f/myyazkbv
- [File] Attachments used in FakePage – FedEx SCANNED ORIGINAL DOC.html, DHL AWB SHIPMENT#Jhpark00906142023 .docx.shtml
- [File] Archives used in Malware distributions – Invoice.zip, Booking_3461005pdf.7z
- [Domain] FakePage/C2 hosts and paths – goodwallcovering.com/exee.php, tsushi-log.main.jp/cgi/mt/lib/MT/Template/tsushi/adobe/hins.php
Read more: https://asec.ahnlab.com/en/54861/