Full Report
This report provides statistics, trends, and case details on the distribution volume and attachment threats of phishing emails collected and analyzed in March 2025. The following is a selection of the statistics and cases included in the original report. 1. Phishing Email Threat Statistics In March 2025, the most common type of threat among phishing […]
Analysis Summary
This report summarizes trends and specific case studies related to phishing email threats analyzed in March 2025.
# Incident Report: March 2025 Phishing Email Threat Analysis
## Executive Summary
In March 2025, phishing emails were the primary email-borne threat. Two patterns dominated: credential harvesting through fake login pages delivered as HTML attachments, and exploitation of a document-handling vulnerability to deliver malware. Attackers used HTML scripts and document attachments (RTF files carrying hidden executables) to compromise users, leading to the deployment of Downloaders and Infostealers. The analysis identified the malicious attachments and the C2 communication patterns described in the full report.
## Incident Details
- Discovery Date: Throughout March 2025 (Continuous analysis)
- Incident Date: March 2025
- Affected Organization: Multiple entities targeted globally (implied by analysis scope)
- Sector: Not stated; the sample set covers general Internet users and organizations rather than a single industry.
- Geography: Global scope analyzed, with specific mention of Korean language phishing emails.
## Timeline of Events
### Initial Access
- Date/Time: March 2025
- Vector: Phishing Emails (HTML scripts, Malicious Attachments: Documents, Compressed files)
- Details: Attackers used HTML attachments that render a copy of a legitimate login or promotional page (FakePage) and submit whatever the victim types to attacker-controlled infrastructure, so credentials are stolen without any malware running. They also delivered malware via document attachments such as `\word\Japan.rtf`.
### Lateral Movement
- Details: Not described for specific incidents. The report covers delivery of Downloaders and Infostealers, which implies follow-on payload execution on the infected host; it does not document movement to other hosts.
### Data Exfiltration/Impact
- Data Targeted: User credentials (captured via fake login pages) and system information/data (via Infostealers).
- Impact Method: Malicious code runs when the document is opened (Equation Editor exploitation) or when the victim launches the script extracted from the archive.
### Detection & Response
- Detection: Analysis of collected phishing email samples, attachments, and observed C2 traffic by ASEC.
- Response Actions: Documentation and distribution of IOCs and analysis findings via the full ATIP report.
## Attack Methodology
- Initial Access: Phishing via HTML scripts (FakePage), malicious documents (RTF files containing hidden EXE/DLL payloads), and VBScript files compressed in 7z archives.
- Execution: Exploitation of a vulnerability in `EQNEDT32.exe` (the legacy Equation Editor component) when the RTF is opened; user execution of the extracted `.vbs` files.
- Persistence: Not described. Downloaders and Infostealers commonly establish persistence, but the summary reports no specific mechanism.
- Privilege Escalation: Not described. The Equation Editor exploit runs in the context of the user who opened the document and does not by itself elevate privileges.
- Defense Evasion: Use of compressed files (.7z) to hide malicious scripts (.vbs) from attachment filters, and embedding of malicious DLLs inside seemingly legitimate document structures.
- Credential Access: Direct credential harvesting via imitation login pages (FakePage).
- Discovery: Not described.
- Lateral Movement: Not described.
- Collection: Data collection via deployed Infostealers.
- Exfiltration: Credentials entered into FakePages are posted to attacker-controlled servers; data gathered by the Infostealers leaves over the malware's C2 channel.
- Impact: Malware execution (Downloaders/Infostealers), credential compromise.
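The attachment types listed above (RTF with an embedded object hiding a PE, scripts inside archives, double extensions) can be triaged statically before a user ever opens them. The following is an added example written for this page, not ASEC's tooling and not code from the original report. It checks an attachment against the MD5 IOCs quoted below, an extension policy, RTF object markers, and archive contents. The RTF and archive samples are constructed here; the extension sets are an assumption to be tuned to your mail gateway. It uses `zipfile` from the standard library as a stand-in for the 7z archives the report describes; the same entry check applies to 7z via a third-party reader such as `py7zr`.

```python
"""Static triage of e-mail attachments: MD5 IOC lookup, extension policy,
RTF embedded-object / hidden-PE detection, and archive content inspection."""
import hashlib
import io
import re
import zipfile

# MD5 hashes as listed in the report's IOC section.
KNOWN_BAD_MD5 = {
    "030f54e96db8a7eb0601976cc7997748",
    "0b04a2d692e0679243660865879628b2",
    "0bc86eb111a2727d9b0c07532cf41787",
    "1726d38fc2b0bf3ed30b676957cf4d8c",
    "194f53f3fac0367abe890df8013e6e58",
}

# Extension policy (assumption: adjust to your gateway's allow-list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".html", ".htm"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
ARCHIVE_SUSPECT_EXTENSIONS = SCRIPT_EXTENSIONS | EXECUTABLE_EXTENSIONS | {".rtf"}

# RTF control words that introduce an embedded OLE object.
RTF_OBJECT_KEYWORDS = (b"\\objdata", b"\\objemb", b"\\objupdate", b"\\objautlink")
DOS_STUB = b"This program cannot be run in DOS mode"


def _extension(name: str) -> str:
    """Last extension, lower-cased; catches double extensions like report.pdf.vbs."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _decode_rtf_objdata(data: bytes) -> bytes:
    """Concatenate and hex-decode every \\objdata stream in the RTF."""
    out = bytearray()
    for match in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:            # tolerate a dangling nibble in damaged samples
            hexstr = hexstr[:-1]
        out += bytes.fromhex(hexstr.decode("ascii"))
    return bytes(out)


def _triage_rtf(data: bytes) -> list:
    findings = []
    if not data.lstrip().startswith(b"{\\rtf1"):
        findings.append("rtf-malformed-header")        # "{\rt..." still opens in Word
    if any(k in data for k in RTF_OBJECT_KEYWORDS):
        findings.append("rtf-embedded-object")
    if re.search(rb"\\objclass\s*Equation", data, re.IGNORECASE):
        findings.append("rtf-equation-editor-object")  # EQNEDT32.exe will be invoked
    blob = _decode_rtf_objdata(data)
    if b"MZ" in blob and DOS_STUB in blob:
        findings.append("rtf-embedded-pe")             # hidden EXE/DLL in the object
    return findings


def _triage_archive(data: bytes) -> list:
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if _extension(info.filename) in ARCHIVE_SUSPECT_EXTENSIONS:
                    findings.append("archive-contains:" + info.filename)
    except zipfile.BadZipFile:
        findings.append("archive-unreadable")          # treat as suspicious, not benign
    return findings


def triage_attachment(filename: str, data: bytes) -> list:
    """Return a list of finding tags; an empty list means nothing matched."""
    findings = []
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    if digest in KNOWN_BAD_MD5:
        findings.append("md5-ioc-match:" + digest)
    ext = _extension(filename)
    if ext in SCRIPT_EXTENSIONS:
        findings.append("script-attachment")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable-attachment")
    if data.lstrip().startswith(b"{\\rt"):             # accept truncated RTF headers too
        findings += _triage_rtf(data)
    if data.startswith(b"PK\x03\x04"):                 # zip container (OOXML included)
        findings += _triage_archive(data)
    return findings


# Constructed samples for this example; not real malware.
def build_sample_rtf() -> bytes:
    fake_pe = b"MZ\x90\x00" * 4 + DOS_STUB + b".\r\n$"
    objdata = fake_pe.hex().encode("ascii")
    return (b"{\\rt1\\ansi\\deff0{\\object\\objemb\\objclass Equation.3"
            b"{\\*\\objdata " + objdata + b"}}}")


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_March2025.pdf.vbs", 'WScript.Echo "sample"')
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("Japan.rtf", build_sample_rtf()),
                       ("docs.zip", build_sample_zip()),
                       ("notes.txt", b"nothing to see")):
        print(name, triage_attachment(name, blob))
```

The RTF check deliberately accepts a header of `{\rt` rather than requiring `{\rtf1`, because Word opens such files while naive filters that look for the full header let them through; the malformed header is itself reported as a finding. An unreadable archive is flagged rather than ignored, since a gateway that silently passes what it cannot parse is exactly what the 7z samples rely on.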
## Impact Assessment
- Financial: Not quantified.
- Data Breach: User credentials, potential system data if Infostealers were effective.
- Operational: System compromise and further malware delivery through the deployed Downloaders, with the associated cleanup and credential-reset effort.
- Reputational: Not assessed in the report; compromised accounts are commonly reused to send phishing to the victim's own contacts.
## Indicators of Compromise
- Network indicators: C2 addresses (contained in the full report).
- File indicators: MD5 hashes provided:
  - `030f54e96db8a7eb0601976cc7997748`
  - `0b04a2d692e0679243660865879628b2`
  - `0bc86eb111a2727d9b0c07532cf41787`
  - `1726d38fc2b0bf3ed30b676957cf4d8c`
  - `194f53f3fac0367abe890df8013e6e58`
- Behavioral indicators: Malicious code executing when a document is opened (e.g., an RTF that triggers `EQNEDT32.exe`); on the endpoint this shows as the Equation Editor process spawning child processes or opening network connections, which the legitimate component does not do.
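The behavioral indicator above translates directly into endpoint detection logic. The following is an added example for this page, not ASEC's detection content: it runs over constructed Sysmon-style events (JSON lines whose field names follow Sysmon process-creation and network-connection events, with invented paths and addresses) and alerts when `EQNEDT32.exe` is the parent of any process or makes a network connection. The Equation Editor is started through DCOM, so its own parent being `svchost.exe` is the normal case and is not alerted; the LOLBin list and the user-writable directory list are assumptions to extend.

```python
"""Detect Equation Editor (EQNEDT32.exe) exploitation from process telemetry."""
import json

# Children that are near-certain signs of exploitation when spawned by EQNEDT32.exe.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
                   "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe",
                   "bitsadmin.exe", "msiexec.exe"}
# Directories a downloader typically drops its next stage into.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return alert strings for one event; an empty list means benign."""
    alerts = []
    image = event.get("Image", "")
    if event.get("EventID") == 1:                       # Sysmon process creation
        parent = _basename(event.get("ParentImage", ""))
        if parent == "eqnedt32.exe":
            child = _basename(image)
            alerts.append(f"EQNEDT32.exe spawned {child}")
            if child in LOLBIN_CHILDREN:
                alerts.append("high: living-off-the-land child process")
            elif any(d in image.lower() for d in USER_WRITABLE_DIRS):
                alerts.append("high: child launched from user-writable path")
    elif event.get("EventID") == 3:                     # Sysmon network connection
        if _basename(image) == "eqnedt32.exe":
            alerts.append("EQNEDT32.exe network connection to "
                          f"{event.get('DestinationIp')}:{event.get('DestinationPort')}")
    return alerts


def scan_log(lines) -> list:
    """Return (line_number, alerts) for every event that raised at least one alert."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                                    # malformed telemetry, skip it
        alerts = evaluate(event)
        if alerts:
            hits.append((n, alerts))
    return hits


# Constructed telemetry: field names follow Sysmon, all values are invented.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "CommandLine": "cmd /c start %TEMP%\\a.vbs"}
{"EventID": 1, "Image": "C:\\Users\\user\\AppData\\Roaming\\svchost.exe", "ParentImage": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"}
{"EventID": 3, "Image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "DestinationIp": "203.0.113.10", "DestinationPort": 80}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443}
""".strip().splitlines()


if __name__ == "__main__":
    for line_no, alerts in scan_log(SAMPLE_LOG):
        print(line_no, alerts)
```

The first alert fires on any child of `EQNEDT32.exe` regardless of name, because a downloader stage written to a fresh path will not be on any LOLBin list; the child's identity only decides the severity tag. The network-connection rule catches the case where the exploit payload runs inside the Equation Editor process itself and fetches the next stage without spawning anything.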
## Response Actions
- Containment: (Implied) Blocking the C2 addresses listed in the full report at the perimeter and isolating endpoints that opened the malicious attachments.
- Eradication: Removal of deployed malware (Downloaders/Infostealers) and patching or removal of the exploited `EQNEDT32.exe` component.
- Recovery: Resetting credentials entered into FakePages or captured by Infostealers, and revoking any active sessions or tokens tied to those accounts.
## Lessons Learned
- Key takeaway: Credential harvesting via convincing FakePages remains the most prevalent phishing attack method (59% of analyzed threats).
- What could have been done better: User training focused on recognizing HTML attachments that open a login page, and prompt patching or removal of the vulnerable `EQNEDT32.exe` component.
## Recommendations
- Implement email filtering rules that block or quarantine script attachments (.vbs, .html) and that inspect archives (.7z and similar) for scripts and executables rather than passing them on unexamined; an archive the gateway cannot open should be treated as suspicious.
- Patch Microsoft Office components that handle RTF and embedded objects, and disable or remove the legacy Equation Editor (`EQNEDT32.exe`) where it is not needed, since the RTF samples depend on it.
- Deploy endpoint detection and response (EDR) that alerts on Office exploitation behavior, in particular `EQNEDT32.exe` spawning child processes or making network connections, and on in-memory execution that follows a document exploit.