Credential Phishing Pages Mimicking Legitimate Webmail Login Portals
Sept. 18, 2024, 9:01 a.m.
Description
Since August 2024, an India-linked threat actor has been targeting entities in China and South Asia using credential phishing pages that mimic legitimate webmail login portals. The campaign primarily focuses on government and defense sectors. The phishing domains share common characteristics, including registration via 1api, use of Royalhost nameservers, and resolution to IP address 65.21.85[.]206. The actor employs domain naming conventions related to webmail login or file download themes, often combined with references to specific targeted entities. Some domains redirect to credential phishing pages hosted on Netlify. The tactics, techniques, and procedures are consistent with previously reported Indian targeted intrusion actors, such as Sidewinder and Patchwork.
Date
Published: Sept. 18, 2024, 8:39 a.m.
Created: Sept. 18, 2024, 8:39 a.m.
Modified: Sept. 18, 2024, 9:01 a.m.
Indicators
Attack Patterns
India-nexus targeted intrusion actor
T1608.004 (Stage Capabilities: Drive-by Target)
T1583.001 (Acquire Infrastructure: Domains)
T1589 (Gather Victim Identity Information)
T1566.002 (Phishing: Spearphishing Link)
T1584 (Compromise Infrastructure)
T1566 (Phishing)
Additional Information
Defense
Government
British Indian Ocean Territory
Sri Lanka
Nepal
Bangladesh
India
China