ASEC’s weekly briefing analyzes phishing email threats from January 8–14, 2023, highlighting attachments as the main delivery method for Infostealer, FakePage, and other malware families, including OneNote (.ONE) extensions. It also outlines case distributions, notable file types, and a list of FakePage C2 URLs that steal credentials when users enter them on spoofed login pages. #Infostealer #AgentTesla #FormBook #FakePage #ONEExtension #EQNEDT32 #ASEC #RAPIT
Keypoints
- The week’s phishing attachments were dominated by Infostealer threats (38%), notably AgentTesla and FormBook.
- FakePage attacks, imitating real login pages, accounted for 34% of cases and funnel credentials to attackers or fake sites.
- Exploit-type phishing (12%) mainly leveraged the EQNEDT32.EXE formula editor vulnerability in documents.
- Other malware types observed include Downloader (8%), Worm (7%), and Trojan (1%).
- Phishing cases align with weekly ASEC malware distribution trends and include Korean-targeted subject lines.
- The campaign prominently used OneNote (.ONE) attachments and various document/file formats to evade scans.
MITRE Techniques
- [T1598] Phishing for Information – “phishing emails mainly occur through emails.”
- [T1566] Phishing – Initial Access – “phishing emails attachments” are used to deliver malware and steal data.
- [T1534] Internal Spearphishing – Lateral Movement – “Internal Spearphishing (Lateral Movement, ID: T1534)”
- [T1203] Exploitation for Client Execution – “document files with the formula editor (EQNEDT32.EXE) vulnerability.”
- [T1555] Credential Access – “Infostealer includes malware such as AgentTesla and FormBook, and they leak user credentials saved in web browsers, emails, and FTP clients.”
- [T1071] Web Protocols – “When users enter their IDs and passwords on the login pages among the FakePages created by the threat actor, their information is sent to the attacker’s server.”
Indicators of Compromise
- [Domain] – FakePage C2 domains associated with attacks – erfgvcv.ga, earthsaviours.net, vladiolitrade.ru
- [URL] – FakePage C2 addresses – hxxps://erfgvcv.ga/abig/pdfnglw.php, hxxps://formspree.io/f/xbjejppb
- [Attachment name] – Email attachments used in campaigns – Invoice IQ0075440.one, January-Payment.rar, and 2 more attachments
- [File extension] – Phishing attachment extensions – .one, .html
- [Email Subject] – Sample subjects from campaigns – Unpaid Invoice IQ0075440, Re: 2023 JAN ORDER BTB LC SCAN DOCUMENT COPY OF SANS TEST PACKGING [IMPORTANT]
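As an added detection example (not from ASEC or the original briefing), the script below turns the indicators listed above into a simple matcher run over a constructed mail-gateway log: it reverses the `hxxp`/`[.]` defanging so the published IoCs compare with live URLs, flags attachments by known name or by the `.one`/`.html` extensions the campaign used, and flags URLs by exact FakePage C2 match or by C2 domain. The pipe-delimited log format, the `example.invalid` sender addresses and the non-IoC file names are assumptions constructed for the example; the IoC values themselves are the ones in the list above.

```python
"""Match mail-gateway records against the FakePage / attachment IoCs from the briefing."""
import re
from urllib.parse import urlparse

# IoC values taken from the briefing above (defanged as published).
FAKEPAGE_DOMAINS = {"erfgvcv.ga", "earthsaviours.net", "vladiolitrade.ru"}
FAKEPAGE_URLS = {"hxxps://erfgvcv.ga/abig/pdfnglw.php", "hxxps://formspree.io/f/xbjejppb"}
KNOWN_ATTACHMENTS = {"Invoice IQ0075440.one", "January-Payment.rar"}
RISKY_EXTENSIONS = {".one", ".html"}


def refang(url: str) -> str:
    """Reverse common defanging (hxxp -> http, [.] -> .) so IoCs compare with live URLs."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE).replace("[.]", ".")


def host_of(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL, or '' if it cannot be parsed."""
    return (urlparse(refang(url)).hostname or "").lower()


# Pre-compute normalised forms once so matching is a plain set lookup.
_FAKEPAGE_URLS = {refang(u).lower() for u in FAKEPAGE_URLS}
_KNOWN_ATTACHMENTS = {a.lower() for a in KNOWN_ATTACHMENTS}


def parse_record(line: str) -> dict:
    """Parse one pipe-delimited 'ts|key=value|...' gateway record (constructed format)."""
    fields = line.strip().split("|")
    record = {"ts": fields[0]}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def assess(record: dict) -> list[str]:
    """Return the IoC matches for one record; an empty list means nothing matched."""
    reasons = []
    # Attachments: exact known name first, otherwise the campaign's risky extensions.
    for name in filter(None, record.get("attach", "").split(";")):
        lower = name.lower()
        if lower in _KNOWN_ATTACHMENTS:
            reasons.append(f"known attachment name: {name}")
        elif any(lower.endswith(ext) for ext in RISKY_EXTENSIONS):
            reasons.append(f"risky attachment extension: {name}")
    # URLs: exact FakePage C2 URL first, otherwise the C2 domain.
    for url in filter(None, record.get("urls", "").split(";")):
        if url.lower() in _FAKEPAGE_URLS:
            reasons.append(f"known FakePage C2 URL: {url}")
        elif host_of(url) in FAKEPAGE_DOMAINS:
            reasons.append(f"FakePage C2 domain: {host_of(url)}")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan records and return (timestamp, reasons) for each one that matched an IoC."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        record = parse_record(line)
        reasons = assess(record)
        if reasons:
            hits.append((record["ts"], reasons))
    return hits


# Constructed sample log: senders use the reserved .invalid TLD; the IoCs are the briefing's.
SAMPLE_LOG = [
    "2023-01-10T09:12:44Z|from=billing@example.invalid|subject=Unpaid Invoice IQ0075440|attach=Invoice IQ0075440.one|urls=",
    "2023-01-11T14:03:01Z|from=hr@example.invalid|subject=Q1 timesheet|attach=timesheet.xlsx|urls=https://intranet.example.invalid/sheets",
    "2023-01-12T08:41:13Z|from=noreply@example.invalid|subject=Verify your mailbox|attach=login.html|urls=https://erfgvcv.ga/abig/pdfnglw.php",
    "2023-01-13T16:20:09Z|from=sales@example.invalid|subject=Quote|attach=quote.pdf|urls=https://vladiolitrade.ru/signin",
]

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG):
        print(ts, "->", "; ".join(reasons))
```

Running it flags three of the four constructed records: the `.one` invoice by exact name, the `login.html` message both for its extension and for the exact C2 URL, and the last one by C2 domain alone. The `.html` extension rule is deliberately broad (it matches benign HTML attachments too), so in practice it belongs in a scoring or review queue rather than a hard block, while exact URL and domain hits are reliable enough to block outright.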
Read more: https://asec.ahnlab.com/en/46276/