Phishing Scam Trend: Fake Project Proposal Emails
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors are distributing phishing emails disguised as urgent project proposals to deliver malware. The attack uses a compressed archive containing JavaScript malware, which then launches obfuscated PowerShell commands to deploy SnakeKeylogger. This infostealer gathers browser data, system details, and keystrokes, then exfiltrates the stolen information through SMTP or Telegram.
Investigation
AhnLab Security Intelligence Center (ASEC) analyzed the phishing campaign and found that JavaScript and PowerShell were used during the initial infection stages. The investigation confirmed that the JavaScript file passes encrypted SnakeKeylogger data as an argument to PowerShell, which decrypts and runs the payload directly in memory to avoid disk-based detection.
Mitigation
Users should verify sender domains carefully and remain cautious with unsolicited attachments or suspicious links. Organizations should deploy email filtering to block risky file types such as .js, .vbs, and .exe. Monitoring for unusual PowerShell execution and unauthorized SMTP or Telegram traffic can also help reduce the impact of compromise.
Response
If this activity is detected, isolate the affected host from the network immediately to prevent further data exfiltration. Conduct memory forensics to identify the injected SnakeKeylogger payload and review email logs to determine whether other recipients were targeted by the same phishing campaign. Credentials for any accounts accessed from the compromised machine should also be reset.
Attack Flow
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary aims to deploy a SnakeKeylogger-style payload. To evade simple file-based detection, the attacker uses a JavaScript-based delivery mechanism that spawns a PowerShell process. This process receives an encoded payload designed to decrypt its core logic in memory. The script uses
Invoke-Expressionto run the decoded command and calls a specific.decryptdata()method to handle the encrypted payload, simulating the exact behavior described in the detection rule’s signature. -
Regression Test Script:
# Simulation of SnakeKeylogger PowerShell behavior # This script is designed to trigger the detection rule via Event ID 4104. $payload = "REPLACE_WITH_ENCODED_DATA" # Simulated payload $decryptionMethod = ".decryptdata(" # The following block contains the exact strings the rule is looking for $maliciousScript = @" function Base64Decode(`$data) { return [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`$data)) } function Invoke-Malware { param(`$input) `$decrypted = `$input.$decryptionMethod('some_key') Invoke-Expression `$decrypted } Invoke-Malware -input `$payload "@ # Execute the script block to ensure it appears in 4104 logs powershell.exe -Command $maliciousScript -
Cleanup Commands:
# No files were created on disk by the simulation script. # If any temporary files were used, they should be deleted here. Write-Host "Simulation cleanup complete. No persistence established."