Why this matters

Phishing threats are becoming more advanced. Malicious actors hide their identity behind redacted WHOIS information and leverage publicly available cloud platforms to create, prepare, weaponize and then redirect ultra-realistic, relevant campaigns, evading detection. Employees need to be conscious of ‘the next threat’ to avoid falling prey to these attacks as they appear in their workflow.

The investigation

The persistence and sophistication of phishing attacks continue to pose significant challenges for organizations worldwide. A recent investigation conducted by the StrongestLayer Threat Intelligence team has shed light on the escalating complexity of these threats, highlighting the pressing need for end users to enhance their awareness and competence in recognizing and mitigating risks tailored to their specific business workflows.

The investigation began with the discovery of an advanced phishing attack masquerading as a DHL website, requesting credit card payment for a delivery fee, and convincingly emulating authentic DHL communications. The site’s persuasive visuals, language, and sense of urgency obscured its fraudulent nature, presenting a considerable challenge for unsuspecting users who rely on DHL’s services for critical business operations.

Further exploration revealed strategic tactics employed by the threat actor, including the use of dormant domains and rapid weaponization. The phishing site, registered as the domain exprxxxxx[.]delivery, lay inactive for an extended period before being weaponized. This covert approach allowed the threat actor to evade detection by conventional security measures, thwarting organizations’ attempts to mount effective responses and build resilience at the human layer.

After a brief period, exprxxxxx[.]delivery redirected to the domain 3kou[.]co[.]jp. Its WHOIS information indicated registration in August 2023, conflicting with the company’s claim of operating since 2005. Additionally, the domain appeared to be an illegal replica of the legitimate sankou[.]co[.]jp, registered in 2009 and recently updated. This discovery suggests the threat actor reused the source code of a Japanese small business’s website to create a look-alike domain, facilitating evasion of detection. Notably, 3kou[.]co[.]jp is hosted on xserver[.]jp, a provider notorious for hosting malware sites.

Prompted by these advanced tactics, StrongestLayer Threat Intelligence conducted a reverse IP lookup, uncovering “sister domains” associated with the same IP address hosting exprxxxxx[.]delivery. All identified domains were found to be malicious and are listed in the IOC section below.

Subsequent investigation led to the identification of the registrant’s name from a domain hosted on this suspicious IP address. It was the only domain whose privacy redaction had expired, indicating a rare case of negligence by the threat actor. Further scrutiny revealed a pattern of habitual malicious behavior since at least January 2015, with malicious domains still being created up to the present date. However, the latest trend indicates that this registrant now uses AWS EC2 instances to host their new malicious websites. This gives them more control over the entire phishing infrastructure, which is required for efficient detection evasion. We’ve listed the IOCs at the bottom of this document.
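As an added example (not code from the StrongestLayer write-up), the following Python script shows how a defender could operationalize the indicators from this investigation: it refangs the defanged IOCs, matches them (and their subdomains) against proxy-log lines, and applies the registration-date sanity check used above against 3kou[.]co[.]jp. The log lines and WHOIS creation dates in the script are constructed sample values, not data from the investigation; the function names are this example’s own.

```python
"""
Defender-side IOC matching and registration-date check.
Added example; the IOC strings are copied from this page, everything else
(log lines, WHOIS dates, helper names) is constructed for illustration.
"""
import re
from datetime import date

# Defanged indicators as published on this page. 'exprxxxxx' is the page's own
# redaction and stays as a placeholder here.
DEFANGED_IOCS = [
    "exprxxxxx[.]delivery",
    "3kou[.]co[.]jp",
    "0-3.us",            # published without defanging; refang() is idempotent
    "0-x[.]com",
    "00033pyabil[.]online",
    "0004hd[.]com",
    "000666tv[.]com",
    "000ipl[.]com",
    "000j000[.]link",
    "000t20win[.]com",
]


def refang(indicator: str) -> str:
    """Convert '[.]' / 'hxxp' defanging back into a matchable lowercase hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def build_ioc_set(defanged):
    """Refang every indicator once, so log scanning is a set lookup."""
    return {refang(i) for i in defanged}


# Pull the host out of the first URL on a log line (scheme://host[:port]/...).
HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)


def extract_host(line: str):
    m = HOST_RE.search(line)
    return m.group(1).lower() if m else None


def matches_ioc(host: str, iocs) -> bool:
    """Exact match, or a subdomain of a listed domain (www.3kou.co.jp -> 3kou.co.jp).
    The leading '.' prevents 'not3kou.co.jp' from matching '3kou.co.jp'."""
    if host in iocs:
        return True
    return any(host.endswith("." + d) for d in iocs)


def scan_log(lines, iocs):
    """Return (host, line) for every log line whose destination hits an IOC."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if host and matches_ioc(host, iocs):
            hits.append((host, line))
    return hits


def registration_mismatch(created: date, claimed_since_year: int) -> bool:
    """The check the investigation applied: a WHOIS creation date newer than the
    year a site claims to have operated since is a look-alike red flag."""
    return created.year > claimed_since_year


# Constructed proxy-log lines (not from the investigation).
SAMPLE_PROXY_LOG = [
    "2024-03-01T09:12:03Z user=alice dst=https://www.3kou.co.jp/pay/index.php action=allow",
    "2024-03-01T09:12:41Z user=bob dst=https://mail.example.com/inbox action=allow",
    "2024-03-01T09:13:10Z user=carol dst=http://000ipl.com/track?id=1 action=allow",
    "2024-03-01T09:14:00Z user=dave dst=https://not3kou.co.jp/ action=allow",
]

# Constructed WHOIS creation dates; the August 2023 / "since 2005" pairing
# mirrors the discrepancy described on this page.
SAMPLE_WHOIS = {
    "3kou.co.jp": (date(2023, 8, 1), 2005),
    "legit-example.co.jp": (date(2004, 6, 15), 2005),
}


def flag_registrations(whois):
    """Return the domains whose creation date contradicts their claimed age."""
    return sorted(d for d, (created, since) in whois.items()
                  if registration_mismatch(created, since))


if __name__ == "__main__":
    iocs = build_ioc_set(DEFANGED_IOCS)
    for host, line in scan_log(SAMPLE_PROXY_LOG, iocs):
        print(f"IOC hit on {host}: {line}")
    for d in flag_registrations(SAMPLE_WHOIS):
        print(f"registration date contradicts claimed age: {d}")
```

The subdomain check is deliberately suffix-anchored on a dot: a bare `endswith("3kou.co.jp")` would also flag unrelated hosts such as `not3kou.co.jp`, which is a common source of false positives when IOC lists are dropped straight into a SIEM rule.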

This investigation highlights the rapid evolution of phishing threats and the critical need for organizations to bolster end-user resilience against an immediate but ever-changing threat. By prioritizing an organization-wide, deep understanding and targeted awareness of ‘the next’ phishing threat, and by empowering users to recognize and respond to suspicious activity, organizations can strengthen their human defenses and mitigate the risk of successful phishing attacks.

Core and Sample IOCs from Investigation

exprxxxxx[.]delivery
3kou[.]co[.]jp
0-3[.]us
0-x[.]com
00033pyabil[.]online
0004hd[.]com
000666tv[.]com
000ipl[.]com
000j000[.]link
000t20win[.]com
List of IOCs

Safwan Khan & Haris Kamal

StrongestLayer Threat Intelligence