Phishing Web Server Identified Through an Impostor National Tax Service Email – ASEC BLOG

ASEC researchers uncovered a phishing campaign impersonating the National Tax Service, with an urgent message that the recipient's password is about to expire and must be extended. The campaign uses a fake login site to harvest credentials, IP addresses, and personal data, exfiltrating them to the attacker via Telegram. Hashtags: #NationalTaxService #AhnLab #Darkx #Mainnet

Keypoints

  • The phishing email impersonates the National Tax Service and emphasizes urgent password expiry, pushing recipients to extend their password duration before the account is locked.
  • A phishing site mirrors a bank’s login page to harvest credentials, with links leading users to a page that leaks login information to the threat actor.
  • Collected data includes user credentials, IP addresses, and personal details (including SSN-like identifiers) stored on the attacker’s server and transmitted to Telegram.
  • A bank-impersonation web server hosts multiple phishing pages and supporting scripts, suggesting the actor targets multiple organizations with similar setups.
  • Key data flows show credentials collected on login pages stored in text files (e.g., login.txt) and forwarded to the attacker via Telegram, illustrating data exfiltration over a C2 channel.
  • Users are advised to verify email authenticity and the linked page domains to mitigate banking/phishing attempts that seek highly sensitive information.

MITRE Techniques

  • [T1566.001] Spearphishing Link – The attacker distributed a phishing email impersonating the National Tax Service with a link urging recipients to extend their password duration before the account is locked. ‘The phishing email impersonating the National Tax Service … urging recipients to extend their password duration before the account is locked.’
  • [T1036] Masquerading – The login page was so similar to the actual bank’s web page that ordinary users could not notice the difference upon landing on the fake page. ‘the login page was so similar to the actual bank’s web page that ordinary users could not notice the difference upon landing on the fake page.’
  • [T1056.003] Web Forms – When users enter credentials on the login page, the input information is transmitted to darkx/mainnet.php and saved to a txt file before being sent to Telegram. ‘When the user enters their account credentials on the login page, the input information is transmitted to darkx/mainnet.php… and saves it as a txt file before sending the same information over Telegram.’
  • [T1041] Exfiltration Over C2 Channel – The attacker collects data and forwards it via Telegram, indicating data exfiltration through a C2-like channel. ‘the same information over Telegram.’

Indicators of Compromise

  • [Domain] – cloudflare-ipfs[.]com, jy****ud[.]com
  • [URL] – hxxps://cloudflare-ipfs[.]com/ipfs/QmRgn9xHYkCoGyj39wQBwfYo7MZ2dtJEh1h9RQ5hcyBqGa?filename=logsinfo.html#[User Email Address], hxxps://jy****ud[.]com/service2/online/dollar/sure/logs/gen.php
  • [File Name] – login.txt, account_verify.txt, credit_Verify.txt, logsinfo.html
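The advice above to verify the linked page domains, and the IoC list, can be turned into a small mail-gateway check. The following Python script is an added example, not code from the ASEC post: it extracts the `href` targets from an email body and flags a link when its host is one of the IoC domains from this page, when it goes through a public IPFS gateway path (`/ipfs/<CID>`, as the `cloudflare-ipfs[.]com` URL above does), when it carries an e-mail address in the URL fragment (the `#[User Email Address]` suffix used to pre-fill the victim's address on the fake login page), or when its host does not belong to the organisation the mail claims to come from. The sender domain `tax-agency.example` and the address `victim@example.com` are constructed placeholders; the IPFS CID is the one from the IoC list.

```python
"""Flag phishing-style links in an email body.

Added example (not from the ASEC post). It checks the four traits of the
campaign described on the page: IoC domain, IPFS gateway path, e-mail address
in the URL fragment, and a host outside the claimed sender's domain.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains from the page's Indicators of Compromise (the masked one is kept as printed).
IOC_DOMAINS = {"cloudflare-ipfs.com", "jy****ud.com"}

# Loose e-mail address pattern for the URL fragment, and a CID-looking /ipfs/ path.
EMAIL_RE = re.compile(r"[^@\s#]+@[^@\s#]+\.[^@\s#]+")
IPFS_PATH_RE = re.compile(r"^/ipfs/[A-Za-z0-9]{46,}")


class _LinkExtractor(HTMLParser):
    """Collect every <a href=...> target from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def classify_link(url, expected_domains):
    """Return the list of reasons a link looks suspicious (empty means none noted)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("known-ioc-domain")
    if IPFS_PATH_RE.match(parts.path):
        reasons.append("ipfs-gateway-path")
    if EMAIL_RE.fullmatch(parts.fragment):
        reasons.append("email-in-fragment")
    # The claimed sender's domain (or a subdomain of it) is the only expected host.
    if host and not any(host == d or host.endswith("." + d) for d in expected_domains):
        reasons.append("domain-not-sender-org")
    return reasons


def scan_email_html(html, expected_domains):
    """Map every link in the body to its list of suspicious traits."""
    return {url: classify_link(url, expected_domains) for url in extract_links(html)}


# Constructed sample: one benign link on the claimed sender's domain (placeholder),
# one link shaped like the campaign's IPFS gateway URL with the victim address appended.
PHISH_URL = (
    "https://cloudflare-ipfs.com/ipfs/"
    "QmRgn9xHYkCoGyj39wQBwfYo7MZ2dtJEh1h9RQ5hcyBqGa"
    "?filename=logsinfo.html#victim@example.com"
)
SAMPLE_HTML = (
    "<p>Your password expires today.</p>"
    '<a href="https://tax-agency.example/notice">Notice</a> '
    f'<a href="{PHISH_URL}">Extend password duration</a>'
)
SENDER_DOMAINS = {"tax-agency.example"}  # placeholder for the impersonated agency

if __name__ == "__main__":
    for url, reasons in scan_email_html(SAMPLE_HTML, SENDER_DOMAINS).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + url, reasons)
```

The `domain-not-sender-org` check is the one a user is asked to do by hand: compare the link's host against the domain the mail claims to come from. The other three flags are specific to this campaign's hosting and pre-fill tricks, so a hit on any of them is worth a block or an alert even when the sender domain is unknown.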

Read more: https://asec.ahnlab.com/en/45669/