ASEC analyzed phishing threats for March 19–25, 2023, finding FakePage attachments as the dominant method, followed by Downloader payloads, Worms, Infostealers, Trojans, and Exploits distributed via email. The report also lists numerous FakePage C2 URLs, common attachment types, and Korean-targeted cases, plus user guidance to mitigate infection risk.
Read more: https://asec.ahnlab.com/en/50789/
Keypoints
- FakePage attachments were by far the most prevalent phishing type this week (59%), designed to imitate real login pages to harvest credentials.
- Downloader payloads (23%) included loaders such as SmokeLoader and GuLoader, followed by Worms (7%).
- Other detected types included Infostealer (6%), Trojan (4%), and Exploit (2%).
- Phishing email attachments used varied file formats: HTML/HTM/SHTML for FakePage and ZIP/RAR/IMG/PDF for other malware.
- Some distribution cases targeted Korean users specifically, in addition to global cases.
- FakePage C2 URLs were provided, illustrating where credential data could be sent after login form submission.
MITRE Techniques
- [T1598] Phishing for Information (Reconnaissance, ID: T1598) – FakePage HTML attachments imitate legitimate login pages so that credentials entered into the form are submitted to the attacker-controlled C2 URL.
- [T1566] Phishing (Initial Access, ID: T1566) – Malicious attachments (HTML/HTM/SHTML for FakePage; ZIP/RAR/IMG/PDF for Downloader, Worm, Infostealer, Trojan and Exploit payloads) were distributed via email, some with lures tailored to Korean users.
- [T1534] Internal Spearphishing (Lateral Movement, ID: T1534) – Listed in the summary; the summary gives no further detail on how it was used.
Indicators of Compromise
- [URL] C2 addresses used by FakePage login pages – https[:]//outmoded-leaks[.]000webhostapp[.]com/fte[.]php, https[:]//formspree[.]io/f/myyazkbv
- [URL] Additional FakePage C2 example – https[:]//app[.]padhaaku[.]co[.]in/bda/aim/fte[.]php, https[:]//ns2[.]wrsc[.]org/sites/all/libraries/elfinder/files/index/kugo/FedExpress[.]php
- [File Name] Attachments used in FakePage cases – Security Email.html, AWB#.HTML
- [Email Subject] Sample phishing subjects observed – [**Bank Transaction Notice]_Outward Remittance-Domestic Funds Transfer Notice, FedEx Shipment Arrival Notice
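A defender's first use of the IoCs above is to refang them and sweep outbound proxy logs for the FakePage C2 URLs, and to flag inbound mail whose attachments carry the HTML/HTM/SHTML extensions the report ties to FakePage lures. The following is an added example written for this page, not code from ASEC or the report: the C2 URLs are the ones listed above, while the proxy log lines and attachment names it scans are constructed sample data. Matches on the full URL are high confidence; matches on the host alone (for example formspree.io, a shared form-hosting service) are reported separately because they need triage rather than automatic blocking.

```python
import re

# Defanged FakePage C2 URLs as listed in the ASEC summary for March 19-25, 2023.
DEFANGED_C2_URLS = [
    "https[:]//outmoded-leaks[.]000webhostapp[.]com/fte[.]php",
    "https[:]//formspree[.]io/f/myyazkbv",
    "https[:]//app[.]padhaaku[.]co[.]in/bda/aim/fte[.]php",
    "https[:]//ns2[.]wrsc[.]org/sites/all/libraries/elfinder/files/index/kugo/FedExpress[.]php",
]

# Attachment extensions the report associates with FakePage credential lures.
FAKEPAGE_EXTENSIONS = (".html", ".htm", ".shtml")

# Constructed sample proxy log lines (timestamp, client IP, method, URL, status, bytes).
# These are illustrative only and are not taken from the report.
SAMPLE_PROXY_LOG = [
    "2023-03-21T09:14:02Z 10.0.0.15 POST https://outmoded-leaks.000webhostapp.com/fte.php 200 412",
    "2023-03-21T09:15:40Z 10.0.0.22 GET https://example.com/index.html 200 5120",
    "2023-03-21T09:16:11Z 10.0.0.31 POST https://formspree.io/f/contact-us 200 388",
    "2023-03-21T09:17:05Z 10.0.0.44 POST https://formspree.io/f/myyazkbv 200 391",
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so an IoC can be compared with raw logs."""
    return ioc.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Extract the lowercase host part of a URL (empty string if it does not parse)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def match_proxy_logs(log_lines, defanged_urls):
    """Return (line_no, indicator, kind) for each line that references a known C2.

    kind is "url" when the full refanged URL appears in the line (high confidence)
    and "host" when only the C2 host appears (needs analyst triage, since hosts such
    as formspree.io also serve legitimate traffic).
    """
    refanged = [refang(u) for u in defanged_urls]
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        for url in refanged:
            if url in line:
                hits.append((line_no, url, "url"))
                break
            if host_of(url) and host_of(url) in lowered:
                hits.append((line_no, host_of(url), "host"))
                break
    return hits


def is_fakepage_attachment(filename: str) -> bool:
    """True if the attachment extension matches those used by FakePage lures in the report."""
    return filename.lower().endswith(FAKEPAGE_EXTENSIONS)


if __name__ == "__main__":
    for line_no, indicator, kind in match_proxy_logs(SAMPLE_PROXY_LOG, DEFANGED_C2_URLS):
        print(f"line {line_no}: {kind}-match on {indicator}")
    for name in ("Security Email.html", "AWB#.HTML", "invoice.pdf"):
        print(f"{name}: fakepage-style attachment = {is_fakepage_attachment(name)}")
```

Full-URL hits are good candidates for an automatic block and a credential reset for the affected user; host-only hits should be reviewed against the request path and the sending user before any action, because the same hosting services appear in benign traffic.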