CoGUI Phish Kit Targets Japan with Millions of Messages

Proofpoint researchers describe an ongoing surge of high-volume phishing campaigns built on the CoGUI kit. The campaigns mainly target Japanese organizations, impersonating popular consumer and payment brands to harvest credentials and other sensitive user data, and the kit's evasion techniques (geofencing and client fingerprinting) make it hard for defenders and automated scanners to see the malicious content. (Affected: Japanese organizations, payment sector, consumer brands)

Key points:

  • The CoGUI phishing kit primarily targets Japanese organizations, especially in the finance and consumer sectors.
  • Lures impersonate well-known brands such as Amazon, Rakuten, and PayPay.
  • The kit employs evasion techniques including geofencing (serving the phishing page only to visitors from the targeted region) and client fingerprinting.
  • Proofpoint observes an average of about 50 CoGUI campaigns per month; message volume peaked at 172 million in January 2025.
  • The campaigns are financially motivated, aimed at account and payment credentials that can be monetised through fraud.
  • While Japan is the primary target, some campaigns have also been observed against Australia, New Zealand, Canada, and the U.S.
  • The impersonated brand changes frequently from campaign to campaign, which keeps the lures looking current and credible.
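The geofencing and fingerprinting described above have a practical consequence for anyone triaging a suspect link: a URL-detonation service that fetches the page once, from a non-Japanese IP with a headless browser, is shown a decoy and reports the URL as clean. The added example below (this is the editor's illustration, not Proofpoint's tooling or the CoGUI kit's code) probes a URL under several client profiles and treats divergence between them as the signal. The gating rules in `fake_geofenced_kit()` are an assumption about how such kits typically behave; they stand in for a live server so the example runs offline, and the URL and user-agent strings are constructed.

```python
"""Multi-profile probing of a suspect landing page.

Added example, not Proofpoint's code or the CoGUI kit's code. The gating
rules in fake_geofenced_kit() are an assumption based on the page's
description (geofencing plus client fingerprinting); the real kit's checks
are not documented here.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Client profiles to request the URL under. A detonation service that only
# probes from one profile (typically a US datacentre IP, English locale,
# headless browser) sees the decoy and never the credential form.
PROFILES = [
    {"name": "scanner", "country": "US", "lang": "en-US",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0"},
    {"name": "jp-desktop", "country": "JP", "lang": "ja-JP,ja;q=0.9",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"},
    {"name": "jp-mobile", "country": "JP", "lang": "ja-JP,ja;q=0.9",
     "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Mobile/15E148 Safari/604.1"},
]

Response = Tuple[int, Dict[str, str], str]   # status, headers, body
Fetcher = Callable[[str, dict], Response]


def fake_geofenced_kit(url: str, profile: dict) -> Response:
    """Constructed stand-in for a geofenced kit (assumption, not CoGUI's logic).
    Non-JP visitors and automation user agents are bounced to the impersonated
    brand's real site; everyone else is served the credential form."""
    ua = profile["ua"].lower()
    automated = any(tok in ua for tok in ("headless", "bot", "curl", "python"))
    if profile["country"] != "JP" or automated:
        return 302, {"Location": "https://www.example-brand.test/"}, ""
    return 200, {"Content-Type": "text/html"}, (
        "<html><form method=post action=/login>"
        "<input name=user><input name=pass type=password></form></html>")


def probe(url: str, fetch: Fetcher, profiles=PROFILES) -> Dict[str, dict]:
    """Request url once per profile and summarise each response."""
    out = {}
    for p in profiles:
        status, headers, body = fetch(url, p)
        out[p["name"]] = {
            "status": status,
            "location": headers.get("Location", ""),
            "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
            "has_password_field": "type=password" in body.lower(),
        }
    return out


def assess(results: Dict[str, dict]) -> dict:
    """Different responses across profiles is itself a signal; any profile that
    reached a password form is the one to report, not the scanner's benign view."""
    fingerprints = {(r["status"], r["location"], r["body_sha256"]) for r in results.values()}
    reached_form = [name for name, r in results.items() if r["has_password_field"]]
    return {
        "divergent": len(fingerprints) > 1,
        "credential_form_profiles": reached_form,
        "scanner_saw_form": results.get("scanner", {}).get("has_password_field", False),
    }


if __name__ == "__main__":
    # Hypothetical URL; the fetcher is the constructed mock, so this runs offline.
    print(assess(probe("https://example.test/login", fake_geofenced_kit)))
```

Against a live URL the `fetch` callable would issue a real request per profile (setting `User-Agent` and `Accept-Language`, and egressing from an IP in the target country where GeoIP is part of the gate); the point is that a verdict of "clean" from a single vantage point is not a verdict at all for a geofenced kit.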

MITRE Techniques:

  • T1566.002 – Phishing: Spearphishing Link: emailed lures impersonate well-known brands and link to credential-harvesting pages, trading on the brand's established trust.
  • T1071.001 – Application Layer Protocol: Web Protocols: the landing pages are served over HTTPS, so the phishing traffic looks like ordinary web browsing and passes through controls that treat TLS as a sign of legitimacy.

Indicators of Compromise:

  • The Proofpoint post lists URLs of CoGUI landing pages branded as Amazon, Rakuten, PayPay, and SBI.
  • The URLs use throwaway domains with random-looking paths, so blocking or hunting should key on the host rather than the full URL.
  • Examples include hxxps://zjkso[.]cn/QJSmxXOQ/ and hxxps://uhlkg[.]cn/HJmOkggh, used for SBI- and Rakuten-branded phishing.
  • The kit profiles visitors by GeoIP and browser data (fingerprinting) and shows the phishing page only to visitors matching its intended audience; other visitors, including security scanners, are not served it.
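Turning the defanged indicators above into something a SOC can hunt with, as an added example (the editor's code, not from the Proofpoint post): the two hosts are the page's published indicators, refanged and matched by exact hostname against proxy logs. The Squid-style log lines are constructed for the demo, and the `/login` path in one of them is invented to show a POST to the phishing host.

```python
"""Refang defanged CoGUI indicators and hunt for them in proxy logs.

Added example; not from the Proofpoint post. The two hosts are the page's
published indicators; the log lines below are constructed for the demo.
"""
import re
from typing import List, Set
from urllib.parse import urlsplit

# Defanged exactly as published on the page.
DEFANGED_IOCS = [
    "hxxps://zjkso[.]cn/QJSmxXOQ/",
    "hxxps://uhlkg[.]cn/HJmOkggh",
]


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] / (.) -> ., [:] -> :."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def ioc_hosts(indicators: List[str]) -> Set[str]:
    """Lower-cased hostnames of the indicators. Matching on host rather than
    full path survives the per-campaign path randomisation seen in the IOCs."""
    return {urlsplit(refang(i)).hostname.lower() for i in indicators}


# Constructed Squid-style access log: ts elapsed client code/status bytes method url ...
# The fourth line is a look-alike host that must NOT match.
SAMPLE_LOG = """\
1735700001.123    45 10.1.2.3 TCP_MISS/200 5120 GET https://www.example.test/ - HIER_DIRECT/203.0.113.9 text/html
1735700002.456    80 10.1.2.44 TCP_MISS/302 310 GET https://zjkso.cn/QJSmxXOQ/ - HIER_DIRECT/203.0.113.10 text/html
1735700003.789    12 10.1.2.44 TCP_MISS/200 2048 POST https://zjkso.cn/QJSmxXOQ/login - HIER_DIRECT/203.0.113.10 text/html
1735700004.000    60 10.1.2.7 TCP_MISS/200 9000 GET https://uhlkg.cn.example.test/HJmOkggh - HIER_DIRECT/203.0.113.11 text/html
1735700005.111    33 10.1.2.9 TCP_MISS/200 7000 GET https://UHLKG.CN/HJmOkggh?u=abc - HIER_DIRECT/203.0.113.12 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def scan_log(log_text: str, indicators: List[str]) -> List[dict]:
    """Return hits whose URL host exactly equals an IOC host. Naive substring
    matching on the raw line would also flag uhlkg.cn.example.test above."""
    hosts = ioc_hosts(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        if host in hosts:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "method": m["method"], "url": m["url"],
                         "is_post": m["method"] == "POST"})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(hit)
```

A GET to the phishing host shows that a user clicked the lure; a subsequent POST from the same client is the stronger signal that a form was submitted, and that client's credentials for the impersonated brand should be treated as compromised.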


Full Story: https://www.proofpoint.com/us/blog/threat-insight/cogui-phish-kit-targets-japan-millions-messages
