ASEC tracked phishing email threats for December 18–24, 2022, finding Infostealer attachments (AgentTesla, FormBook) as the top threat type, followed by FakePage and Worm Malware; attackers also used various file extensions and C2 payloads. The report highlights fake login pages, compressed attachments, and multiple distribution cases (including Korean-targeted emails) and offers practical prevention tips to reduce credential theft and malware infections. #AgentTesla #FormBook #FakePage #DHL #Halkbank #Formspree
Keypoints
- Infostealer attachments dominated phishing this week at 35%, leveraging AgentTesla and FormBook to steal credentials stored in web browsers, emails, and FTP clients.
- FakePage was the second-most-common threat at 34%, using imitation login pages to harvest user credentials and funnel victims to attacker C2s or other fake sites.
- Worm Malware accounted for 11%, with self-spreading capabilities including SMTP-based mass email distribution.
- Downloader (10%), Trojan (6%), and Dropper (4%) were also observed among attachment-based threats.
- Phishing attachments frequently used PDFs, HTML/HTM, and a high share of compressed formats (RAR, GZ, TAR, Z), with 29% of attachments being compressed files.
- Cases included numerous FakePage and Malware distributions, with some emails targeting Korean users and featuring unique subject/filename IDs.
MITRE Techniques
- [T1566] Phishing – FakePage cases imitate real login pages to trick users into entering credentials, which are then sent to the attacker’s C2 server or used to lure the victim to further fake sites. Quote: “…leading users to enter their account and password information. The input information is sent to the threat actor’s C2 server or used to induce users to access other fake websites.”
- [T1598] Phishing for Information – Phishing for Information (Reconnaissance) is cited as related to phishing email attacks. Quote: “Phishing for Information (Reconnaissance, ID: T1598[1])”
- [T1534] Internal Spearphishing – Internal Spearphishing (Lateral Movement) is cited as related to intra-network phishing paths. Quote: “Internal Spearphishing (Lateral Movement, ID: T1534[3])”
Indicators of Compromise
- [Domain] hxxps://gojobs.in/xzx/dhl.php, hxxps://formspree.io/f/mayzwypz, hxxps://formspree.io/f/xvonpqea
- [Attachment] SHIPPING_DOC_BLBNTHCM22120020_20221221_PDF.rar, dhl dd.rar, 6_Suspended_Messages-01.html
- [File Name] AWB-87466784.html, Ref# Voice 230 (455763).html, Invoice_F_2690_F548FD90-ECC4-41FA-8F60-8ECDB27DFA07.html
- [Email Subject] FW: RE: FW: FW: B/L Notice – SWA0259760, ASUNTO: Asesoramiento de Standard Chartered Bank
- [File Extension] .rar, .gz, .pif, .gif.exe, .HTML/.HTM, .IMG
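As an added example (my own code, not from the ASEC report or AhnLab), the following Python script triages the attachments of a raw email using the indicators listed above: double extensions such as .gif.exe, archive and disk-image containers, and HTML attachments whose login form posts credentials to an external URL (the FakePage pattern). The sample message, its attachment bodies and the form endpoint are constructed; the filenames and subject reuse patterns from the report, and the function names are my own.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Triage rules built from the extensions the report lists (.rar, .gz, .pif,
# .gif.exe, .html/.htm, .img); constructed for this example, not a vendor rule set.
ARCHIVE_EXTS = {".rar", ".gz", ".tar", ".z", ".zip", ".img"}
EXEC_EXTS = {".exe", ".pif", ".scr", ".com"}
HTML_EXTS = {".html", ".htm"}
FORM_ACTION = re.compile(r'<form[^>]*\baction=["\']?(https?://[^"\'\s>]+)', re.I)
PASSWORD_INPUT = re.compile(r'<input[^>]*\btype=["\']?password', re.I)

def triage_attachment(filename, content):
    """Return findings for one attachment given its name and decoded body."""
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    findings = []
    if last in EXEC_EXTS:
        findings.append("executable attachment")
        if len(exts) >= 2:  # e.g. invoice.gif.exe posing as an image
            findings.append("double extension hides executable")
    if last in ARCHIVE_EXTS:
        findings.append("compressed or disk-image container, inspect contents")
    if last in HTML_EXTS:  # FakePage login forms arrive as HTML attachments
        findings.append("HTML attachment, FakePage candidate")
        text = content if isinstance(content, str) else content.decode("utf-8", "replace")
        for m in FORM_ACTION.finditer(text):
            findings.append("form posts credentials to " + m.group(1))
        if PASSWORD_INPUT.search(text):
            findings.append("password field present")
    return findings

def triage_message(raw_eml):
    """Parse a raw RFC 5322 message and map each attachment name to its findings."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    return {p.get_filename(): triage_attachment(p.get_filename(), p.get_content())
            for p in msg.iter_attachments() if p.get_filename()}

def build_sample_eml():
    """Constructed sample: report's subject/filename patterns, placeholder form URL."""
    msg = EmailMessage()
    msg["Subject"] = "FW: RE: FW: FW: B/L Notice - SWA0259760"
    msg.set_content("Please find the shipping documents attached.")
    fake_page = ('<html><body><form action="https://form-collector.example/f/placeholder" '
                 'method="post">Email <input name="email"> Password '
                 '<input type="password" name="pass"></form></body></html>')
    msg.add_attachment(fake_page, subtype="html", filename="AWB-87466784.html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.gif.exe")
    return msg.as_bytes()
```

Running `triage_message(build_sample_eml())` flags the disguised executable and the HTML page that posts a password field off-site; archives are only flagged for inspection, since the report notes 29% of attachments were compressed and their contents decide the verdict.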
Read more: https://asec.ahnlab.com/en/45237/