Full Report
This report provides statistics, trends, and case details on the distribution volume and attachment threats of phishing emails collected and analyzed in May 2025. The following is a part of the statistics and cases included in the original report. 1) Phishing Email Threat Statistics In May 2025, the most prevalent type of threat among phishing […]
Analysis Summary
# Incident Report: May 2025 Phishing Campaign Analysis
## Executive Summary
Analysis of security threats in May 2025 revealed that phishing emails constituted the most prevalent threat vector (72% of attachments). Attackers primarily used HTML scripts and malicious documents to redirect users to credential harvesting pages or drop malware, specifically exploiting legacy vulnerabilities like CVE-2017-11882 to deploy Lokibot. The primary impact was potential credential theft and malware infection via document and archive attachments.
## Incident Details
- Discovery Date: Ongoing analysis throughout May 2025
- Incident Date: May 2025 (ongoing campaign activity)
- Affected Organization: Not disclosed (General trend analysis)
- Sector: All sectors targeted by email campaigns
- Geography: Indicators suggest a focus on Korean language/market targeting, but global relevance to email security.
## Timeline of Events
### Initial Access
- Date/Time: May 2025 (Ongoing)
- Vector: Phishing emails utilizing various attachment types (Script/HTML, Document, Compressed ZIP).
- Details: Attackers mimicked login or advertising pages with HTML scripts that captured entered credentials and sent them to the attackers' C2 server, or redirected users to fake websites.
### Lateral Movement
- Details: Not explicitly detailed for specific victim environments, but the execution of embedded malware (Lokibot) once the document is opened implies post-exploitation activity.
### Data Exfiltration/Impact
- Impact: Credential theft via fake login pages and execution/installation of malware such as Lokibot following document exploitation.
### Detection & Response
- Detection: Analysis of collected phishing email samples and attachments by ASEC.
- Response Actions: Analysis and publication of findings in the May 2025 Trend Report to inform users and stakeholders.
## Attack Methodology
- Initial Access: Phishing emails (HTML scripts for credential harvesting; Malicious documents/archives).
- Persistence: Not explicitly detailed, but implied by the deployment of malware such as Lokibot.
- Privilege Escalation: Exploitation of the Equation Editor vulnerability (CVE-2017-11882) within document attachments.
- Defense Evasion: Use of compressed (ZIP) files to hide executable PE files (.exe).
- Credential Access: Directly capturing credentials entered on fake login pages (FakePage).
- Discovery: Email-borne reconnaissance via content and attachment inspection.
- Lateral Movement: Not explicitly detailed.
- Collection: Data collection via harvested credentials or malware deployment (Lokibot).
- Exfiltration: Credential exfiltration to attacker C2 server.
- Impact: Malware infection leading to potential data theft or system compromise.
## Impact Assessment
- Financial: Not quantified; potential costs associated with remediation and credential exposure.
- Data Breach: High risk of credential compromise; potential exposure of system data through Lokibot activity.
- Operational: Potential disruption from malware infection (Lokibot).
- Reputational: Risk of reputational damage associated with hosting phishing pages or being subject to malware attacks.
## Indicators of Compromise
- Network indicators: C2 addresses associated with credential harvesting (Specifics available in original ATIP report).
- File indicators: MD5 hashes provided: `0e54e6be35a6225946c972cbe74b27a8`, `119a118372a79cfd77a033c852bd3f90`, `1738d827615a61618e11e32f3c7e7727`, `2dab94f34371ebffedd6aa3eb3d4ecd7`, `2e303a4645788483adfb221f9c8d37d0`.
- Behavioral indicators: Microsoft Office document files that invoke the Equation Editor component, leading to remote code execution.
## Response Actions
- Containment: Identifying and blocking communication to known C2 servers related to credential harvesting or malware distribution.
- Eradication: Removal of Lokibot malware from potentially infected systems.
- Recovery: Resetting compromised credentials captured via phishing forms.
## Lessons Learned
- Phishing remains the dominant threat, indicating user training gaps persist, particularly concerning credential entry.
- Outdated software, even in low-level components like Microsoft Equation Editor, remains a critical entry point for sophisticated malware deployment (Lokibot).
- Attackers continue to leverage file obfuscation (ZIP archives) to bypass email gateway defenses.
## Recommendations
- Immediately patch all systems, prioritizing the remediation of vulnerabilities like CVE-2017-11882, even if they appear legacy.
- Implement aggressive email filtering rules targeting high-risk attachment types (e.g., scripts, embedded executables, or documents attempting to leverage known exploit vectors).
- Enhance user awareness training focused on identifying URL/domain discrepancies in links embedded in documents and emails, and strictly prohibiting credential input on non-verified third-party or external sites.
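A simple attachment triage script covering the three attachment classes listed under Attack Methodology (credential-harvesting HTML, ZIP archives hiding PE files, documents embedding an Equation Editor object), as an added example that is not part of the ASEC report. The email and attachment bytes are constructed, and the Equation Editor ProgID/CLSID markers are an assumed heuristic rather than indicators taken from the report.

```python
import email, io, re, zipfile
from email.message import EmailMessage

# Equation Editor ProgID and CLSID used as document markers (assumed heuristic, not from the report)
EQUATION_MARKERS = (b"Equation.3", b"0002CE02-0000-0000-C000-000000000046")

def check_html(data: bytes) -> list[str]:
    text, findings = data.decode("utf-8", "replace"), []
    if re.search(r'<input[^>]+type=["\']?password', text, re.I):
        findings.append("html: password field in attachment")
    for action in re.findall(r'<form[^>]+action=["\']?([^"\'\s>]+)', text, re.I):
        if action.lower().startswith("http"):  # form submits off-page to a remote host (C2 pattern)
            findings.append(f"html: form posts to external host {action}")
    return findings

def check_zip(data: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # header check ignores the member's claimed extension
        return [f"zip: PE file inside archive ({i.filename})"
                for i in zf.infolist() if zf.open(i).read(2) == b"MZ"]

def check_document(data: bytes) -> list[str]:
    if any(m in data for m in EQUATION_MARKERS):
        return ["doc: embedded Equation Editor object (CVE-2017-11882 vector)"]
    return []

def triage_email(raw: bytes) -> list[str]:
    findings = []
    for part in email.message_from_bytes(raw).walk():  # visit every MIME part, including nested ones
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith((".html", ".htm")):
            findings += check_html(data)
        elif name.endswith(".zip"):
            findings += check_zip(data)
        elif name.endswith((".doc", ".docx", ".xls", ".rtf")):
            findings += check_document(data)
    return findings

def build_sample() -> bytes:  # constructed message: one attachment of each class from the report
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # fake PE stub, double extension
    msg = EmailMessage()
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b'<form action="http://example.invalid/post"><input type="password" name="pw"></form>',
                       maintype="text", subtype="html", filename="login.html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}}}",
                       maintype="application", subtype="rtf", filename="order.rtf")
    return msg.as_bytes()
```

Running `triage_email(build_sample())` yields one finding per attachment class, which is the kind of signal an email gateway rule would act on before delivery.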