Summary: On Oct 23, the odix team detected file-based phishing malware in an email attachment that was blocked by the FileWall system. To avoid detection, the attachment, when opened, redirected the user to a website that required passing a CAPTCHA test before forwarding them to the actual phishing page.
Analysis:
Step 1: An email was sent from info@ukou[.]co[.]jp. The subject line contained only a timestamp: “October 23, 2020, 3:03:24 AM”. A dynamic component in the HTML attachment is modified per target so that each generated malicious file has a distinct hash, which defeats signature-based security mechanisms that match on file hashes.
Step 2: After opening the attachment, the user is immediately redirected to the CAPTCHA test.
CAPTCHA is designed to distinguish humans from computers. Placing a CAPTCHA test in front of the phishing page allowed the attackers to evade automated security solutions, which could not get past the CAPTCHA and therefore never reached the phishing page.
Step 3: After the user successfully passes the CAPTCHA test, they are redirected to a Microsoft-themed phishing page.
Step 4: After entering their credentials, the user is forwarded to office.com. This helps conceal the credential theft that has just taken place.
As of this writing (October 27), the URLs used in this attack have zero detections on VirusTotal.
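As an added illustration (not part of odix's write-up or of FileWall), the following Python script shows why hash-based blocking fails against the per-target variation described in Step 1, and what a static check on the attachment itself can still catch without ever needing to reach the CAPTCHA-gated page. The HTML samples, the token and the host phish.example.invalid are constructed placeholders; the sender domain is the one named above.

```python
import hashlib
import re
from urllib.parse import urlparse

# Client-side redirects that fire as soon as an HTML attachment is opened.
REDIRECT_PATTERNS = [
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s;]+)', re.I),
    re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']', re.I),
]


def extract_redirects(html: str) -> list:
    """Return every redirect target matched by the patterns above."""
    targets = []
    for pat in REDIRECT_PATTERNS:
        targets.extend(m.group(1) for m in pat.finditer(html))
    return targets


def analyze_attachment(html: str, sender_domain: str) -> dict:
    """Hash the attachment and flag it if it redirects to a host outside the sender's domain."""
    hosts = set()
    for target in extract_redirects(html):
        parsed = urlparse(target)
        host = parsed.hostname
        if parsed.scheme in ("http", "https") and host:
            if host != sender_domain and not host.endswith("." + sender_domain):
                hosts.add(host)
    return {
        "sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
        "external_hosts": sorted(hosts),
        "suspicious": bool(hosts),
    }


# Constructed samples (placeholder host, not the real IOCs). A and B differ only
# in the per-target token, mimicking the dynamic component described in Step 1.
SAMPLE_A = ('<html><head><!-- ref:7f3a91 -->'
            '<meta http-equiv="refresh" content="0;url=https://phish.example.invalid/main">'
            '</head><body>Loading...</body></html>')
SAMPLE_B = SAMPLE_A.replace("7f3a91", "c04d2e")
SAMPLE_JS = ('<html><body><script>window.location.href='
             '"https://phish.example.invalid/main";</script></body></html>')
BENIGN = '<html><body><p>Invoice attached as PDF.</p></body></html>'

if __name__ == "__main__":
    for name, html in [("A", SAMPLE_A), ("B", SAMPLE_B), ("JS", SAMPLE_JS), ("benign", BENIGN)]:
        r = analyze_attachment(html, "ukou.co.jp")
        print(name, r["sha256"][:12], r["external_hosts"], r["suspicious"])
```

Samples A and B produce different SHA-256 values, so a hash blocklist built from one never matches the other, while the redirect host they share is the stable indicator a mail gateway can act on.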
IOCs:
https://yyy[.] tracklnenfnbd[.]xyz/main
https://yyy[.] tracklnenfnbd[.]xyz/main/main.php
https://yyy[.] tracklnenfnbd[.]xyz/main/action