Phishing Script File Breaching User Information via Telegram Being Distributed – ASEC BLOG

Phishing scripts masquerading as PDF viewers were spread as email attachments, prompting users to reveal their email passwords through a deceptive login prompt. The attackers exfiltrate the credentials and the victim's IP address through Telegram, and vary the prompt's behaviour across login attempts to evade detection. #Telegram #SpearphishingAttachment #Masquerading #CredentialFromWebForm

Keypoints

  • Phishing script files disguised as PDF document viewer screens were distributed as email attachments using PO/order/receipt-themed filenames.
  • Opening the attached HTML file shows a login prompt with text like “Log in with your email password to see the document.”
  • The login prompt behaves differently depending on the password entered (empty, incorrect, or repeated entries), and redirects the user to a decoy site after the third attempt.
  • Redirection patterns include links to a normal public PDF site and decoy imagery to mask the phishing activity.
  • The threat actor exfiltrates data via a function that sends the email address, the entered password, and the user's IP address to a Telegram chat, using a geo-IP lookup to add location data.
  • Detected indicators include a specific MD5 hash associated with the phishing artifact and several phishing/HTML detections in threat intel.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Phishing script files disguised as PDF document viewer screens distributed as email attachments. Quote: “phishing script files disguised as PDF document viewer screens being distributed as attachments to emails.”
  • [T1036] Masquerading – Deceptive file naming (e.g., pdf.html) so the attachment appears to be a PDF document. Quote: “identified file names… pdf.html”
  • [T1552.001] Credentials in Web Forms – Credential harvesting via a fake login form prompting users to enter their email and password. Quote: “Log in with your email password to see the document.”
  • [T1567.002] Exfiltration to Web Services – Exfiltrating collected data (email, password, IP) to a Telegram chat via Telegram API. Quote: “send the recipient’s email address, the password entered by the user, and the user IP address to a chat room created by the threat actor via Telegram API.”
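The exfiltration path described above (a Telegram Bot API call carrying email, password and IP, paired with a credential-harvesting HTML login form) is something a mail gateway or sandbox can look for statically. The following is an added triage example written for this digest; it is not the phishing script and not AhnLab's own detection logic. It hashes an HTML attachment against the MD5 listed in the IoC section, then applies heuristic regexes for the indicators the report names (Telegram `sendMessage` endpoint with `chat_id`, a password input, the quoted lure text, a three-attempt counter) plus an assumed list of public geo-IP services, since the report does not name the one used. The two sample attachments are constructed, inert stand-ins, not the real artifact.

```python
import hashlib
import re

# MD5 taken from the report's IoC list.
KNOWN_MD5 = {"94ebd0b12c95f5072561676985b1dbe5"}

# Telegram Bot API call shape: https://api.telegram.org/bot<id>:<secret>/sendMessage
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/sendMessage", re.I)
CHAT_ID_RE = re.compile(r"chat_id\s*[=:]", re.I)
PASSWORD_INPUT_RE = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
# Lure sentence quoted in the report.
LURE_RE = re.compile(r"email\s+password\s+to\s+(see|view)\s+the\s+document", re.I)
# Assumed heuristic: the report says a geo-IP lookup is used but does not name a service,
# so this list is a guess at common public providers, not a fact from the report.
GEOIP_RE = re.compile(r"(ip-api\.com|ipinfo\.io|ipapi\.co|ipgeolocation|geoip)", re.I)
# Assumed heuristic for the "redirect after three attempts" behaviour.
ATTEMPT_RE = re.compile(r"(attempt|count|tries)\w*\s*(>=|==|>)\s*3", re.I)
# Filename themes the report says were used (PO/order/receipt) plus the pdf.html masquerade.
LURE_NAME_RE = re.compile(r"(\bpo\b|order|receipt|pdf)", re.I)

CHECKS = [
    ("telegram_bot_api", TELEGRAM_BOT_RE),
    ("telegram_chat_id", CHAT_ID_RE),
    ("password_input", PASSWORD_INPUT_RE),
    ("lure_text", LURE_RE),
    ("geoip_lookup", GEOIP_RE),
    ("attempt_counter", ATTEMPT_RE),
]


def extract_telegram_endpoints(text: str) -> list:
    """Return sendMessage endpoints with the bot secret redacted, for blocking/reporting."""
    return [f"api.telegram.org/bot{bot_id}:<redacted>/sendMessage"
            for bot_id, _secret in TELEGRAM_BOT_RE.findall(text)]


def triage_attachment(name: str, data: bytes) -> dict:
    """Static triage of one email attachment; returns findings and a verdict."""
    text = data.decode("utf-8", errors="replace")
    md5 = hashlib.md5(data).hexdigest()
    findings = []
    if md5 in KNOWN_MD5:
        findings.append("known_ioc_md5")
    if name.lower().endswith((".html", ".htm")) and LURE_NAME_RE.search(name):
        findings.append("lure_filename")
    for label, rx in CHECKS:
        if rx.search(text):
            findings.append(label)
    hit = set(findings)
    if "known_ioc_md5" in hit or {"telegram_bot_api", "password_input"} <= hit:
        verdict = "malicious"      # credential form wired to a Telegram bot, or known hash
    elif len(findings) >= 2:
        verdict = "suspicious"     # several weak indicators together
    else:
        verdict = "clean"
    return {"name": name, "md5": md5, "findings": findings,
            "telegram_endpoints": extract_telegram_endpoints(text), "verdict": verdict}


# Constructed, inert sample mimicking the indicators (no working exfiltration code).
SAMPLE_PHISH = b"""<html><body>
<p>Log in with your email password to see the document.</p>
<form><input type="email" name="u"><input type="password" name="p"></form>
<script>
var attempts = 0;  // constructed stand-in for the report's attempt logic
function onSubmit() { attempts++; if (attempts >= 3) { location.href = "https://example.invalid/decoy.pdf"; } }
var endpoint = "https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage?chat_id=0&text=";
</script></body></html>"""

# Constructed benign sample: an ordinary HTML newsletter.
SAMPLE_BENIGN = b"""<html><body><h1>Monthly newsletter</h1>
<p>Read the latest updates on our website.</p></body></html>"""


if __name__ == "__main__":
    for fname, blob in (("PO-2024-pdf.html", SAMPLE_PHISH), ("newsletter.html", SAMPLE_BENIGN)):
        print(triage_attachment(fname, blob))
```

The verdict thresholds are deliberately conservative: a password field alone is normal in legitimate HTML, so only the combination with a Telegram bot endpoint (or a known hash) is treated as malicious, while the geo-IP and attempt-counter heuristics only raise the score. Redacting the bot secret in `extract_telegram_endpoints` lets the bot ID be shared in a block list or report without copying a usable token around.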

Indicators of Compromise

  • [Hash] MD5 – 94ebd0b12c95f5072561676985b1dbe5 – Mentioned as an IOC in the article

Read more: https://asec.ahnlab.com/en/56812/