ASEC Weekly Phishing Email Threat Trends (December 25th, 2022 – December 31st, 2022) – ASEC BLOG

This weekly ASEC report analyzes phishing email threats from December 25–31, 2022, focusing on attachments used to deliver malware. It highlights Infostealer, FakePage, and Worm Malware as top attachment-based threats, detailing file extensions, distribution scenarios, and related C2 infrastructure. #AgentTesla #FakePage

Key Points

  • Infostealer was the top phishing-attachment threat (46%), with AgentTesla and FormBook capable of leaking credentials saved in browsers, emails, and FTP clients.
  • FakePage accounted for 29% and uses cloned login pages to capture credentials that are sent to the attacker’s C2.
  • Worm Malware represented 14% and can spread via multiple methods, including mass emailing with SMTP.
  • Downloader (6%), Exploit (3%), and Backdoor (3%) were also detected in attachment-based campaigns.
  • Phishing emails used a variety of attachments, with PDFs and HTML/HTM files common for FakePage and a high share (43%) of compressed files (RAR/ZIP/ACE, etc.).
  • Distribution cases included both English and Korean subject lines, indicating targeted language variants in some campaigns.
  • FakePage C2 infrastructure was identified, with specific domains and URLs listed as part of the week’s activity.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Used phishing emails with attachments to deliver Infostealer and other malware. Quote: ‘During this week, the most prevalent threat type seen in phishing email attachments was Infostealer.’
  • [T1555.001] Credentials from Web Browsers – Infostealer leaks credentials saved in web browsers, emails, and FTP clients. Quote: ‘Infostealer includes malware such as AgentTesla and FormBook, and they leak user credentials saved in web browsers, emails, and FTP clients.’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 addresses of fake login pages distributed during the week (HTTPS URLs receiving harvested credentials). Quote: ‘The list below shows the threat actor’s C2 addresses of fake login pages distributed during the week.’

Indicators of Compromise

  • [Domain] Phishing/C2 domains – cortinasdivinas.com, gojobs.in (and 1 more); these domains were used for fake login pages and phishing infrastructure
  • [URL] C2/Fake login page URLs – hxxps://cortinasdivinas.com/wp-admin/NEW/anydomain.php, hxxps://gojobs.in/xzx/dhl.php
  • [File name] Attachment/file names – Document_19_dec_62095539.pdf, AWB-87466784.html

Read more: https://asec.ahnlab.com/en/45442/