Sushi Served with Phish

Executive Summary

The Menlo Labs research team recently analyzed a malicious infrastructure carrying out phishing attacks against Japanese MICARD and American Express users. The threat actor behind this infrastructure is actively spinning up new domains and websites with the same attack Tactics, Techniques, and Procedures (TTPs). We assess with moderate confidence that the threat actor is of Chinese origin; additional details are found later in the article (Figure 6).

Infection Vector

Based on our research and OSINT (Open Source Intelligence) analysis, the initial vector of these attacks is an email with a link that directs the intended target to the phished page. We even came across an advisory and guidance from MICARD informing its users to be cautious of phishing emails impersonating their brand.

Phishing Pages and Targeted Brands

The brands that were targeted by the threat actor were MICARD and American Express. The MICARD phishing pages used the geofencing technique to allow only Japanese IPs to access the website. We detail the working of these phishing pages associated with the targeted brands below.

MICARD phishing page

The phishing URL targeting the MICARD page we analyzed was miicarrid[.]co[.]jp.sdsfsee[.]top. Upon visiting this website from a Japanese IP address, the user is presented with a login page requesting credentials (Figure 1).

Upon entering the credentials, the victim is redirected to another page hosted in the same domain: https://miicarrid[.]co[.[jp.sdsfsee[.]top/login.php. This page asks the user to enter their MICARD card number and account details (Figure 2).

Upon entering the credentials, the victim is redirected to the legitimate MICARD website, micard.co.jp, which again asks the victim to enter credentials for authentication.

All the credentials entered by the victim are recorded during the redirection by the URL path “api.php?p=1” of the same phished page (Figure 3).

American Express phishing page

The phishing URL we analyzed for American Express is www1[.]amerxcanexpress[.]tp.bhisjcn[.]jp. Upon visiting this website from a Japanese IP address, the user is presented with a login page requesting credentials. The next stage of this attack goes through the same mechanisms to post the credentials as were used for the MICARD phishing page (Figure 4).

While analyzing the code, we noticed that the page was trying to load a style page (laydate.css) from the path “/admin/im/css/modules/laydate/default/laydate.css?v=5.3.1”. While this file failed to load, we decided to see what might be in the “/admin” path (Figure 5).

We then loaded the path “/admin” and got a possible control panel! Unfortunately, we weren’t able to access it during the time of analysis (Figure 6). This is the attacker panel that we assess to be a Chinese actor. The threat actor would be able to log in and see the submitted credentials and possibly other information.

Attacker infrastructure and OSINT

During our analysis, we identified the several phishing domains of the targeted brands hosted on these four IP addresses:

• 209.141.51.134
• 209.141.44.114
• 45.81.5.197
• 45.86.70.157

It is likely that the same attacker is reusing the same attack TTPs to create the phishing pages, or is using a phishing kit for the targeted brands. Three TLDs — club, jp, and top — were used by the domains resolving to the IP address from June 2022. The most exclusively used TLD in the attacker infrastructure was “top” (Figure 7).

Some of the interesting findings, commonalities, and observations in our research are:

• The attacker infrastructure was hosted on four IP addresses.
• Almost all the domains used for the phishing brands were assigned to the registrar Namesilo LLC.
• Almost all the domains were powered with an SSL server certificate by LetsEncrypt, which provides free, automated, and open certificate authority by the nonprofit Internet Security Research Group (ISRG).
• Though the domain names were different, the URL path names were the same.

Another curious item we noticed is that one of the domains, www2[.]shinseiclub[.]com.famerucarf1[.]jp, changed a couple of times over the course of analysis (Figure 8).

It started as an online service login page for a credit card issued by APLUS, a company of Shinsei Bank, but it ended up as an American Express site (Figure 9).

Conclusion

Based on the intelligence and the TTPs gathered, we assess with moderate confidence that the threat actor is of Chinese origin. The threat actor is likely to add more targeted brands alongside MICARD and American Express.

Menlo Labs assesses that this threat actor will most likely keep creating new infrastructure and impersonating other brands as more phishing sites are identified and blocked. Menlo Labs recommends that users remain cautious when entering credentials on websites that arrive via email links or attachments. As a preventive measure, using two-factor or multi-factor authentication can provide an extra layer of security if the credentials are compromised.

IOCS

IPs:

209.141.51.134
209.141.44.114
45.81.5.197
45.86.70.157

Domains:

miicarrid[.]co[.]jp[.]sdsfsee[.]top
miicarrid[.]co[.]jp[.]frruuy[.]top
mhuirrid[.]co[.]jp[.]tuuiyy[.]top
mdinsd[.]co[.]jp[.]gnjkg[.]top
mhuirrid[.]co[.]jp[.]ghbdc[.]top
miicarrid[.]co[.]jp[.]dhssu[.]top
miicarrid[.]co[.]jp[.]dfgtto[.]top
sanyuicare[.]co[.]jp[.]dozerov[.]top
mmiicard[.]co[.]jp[.]drampor[.]top
miicard22[.]co[.]jp[.]docmer[.]club
miioard[.]co[.]jp[.]dakejer[.]club
www2[.]miicard[.]co[.]jp[.]boweron[.]club
www2[.]miicard[.]co[.]jp[.]bredkmk[.]club
www2[.]americanexpres[.]com[.]cenmksl[.]club
www[.]ameriicanexprress[.]com[.]acemoer[.]club
www[.]micard[.]co[.]jp[.]cmerove[.]club
www[.]xgyufanexpres[.]tp[.]hjbwwj[.]jp
www[.]asetrxcanezxres[.]tp[.]cfdymtj[.]jp
www[.]xcerxcanexpres[.]tp[.]ncjsnf[.]jp
www[.]amerxcanezxres[.]tp[.]txjjzyzq[.]jp
www1[.]aenjrcanexpres[.]tp[.]bhuidanj[.]jp
www[.]amejrcanexpres[.]tp[.]emexecag[.]jp
www2[.]amerxcanexpres[.]tp[.]buycjso[.]jp
www[.]amerxcanexpres[.]tp[.]amesecad[.]jp
www1[.]amerxcanexpress[.]tp[.]bhisjcn[.]jp
www2[.]sinsebonk[.]com[.]bdsag[.]jp
www[.]sinsebonk[.]com[.]amercanmisecad[.]jp
yzkjc[.]co[.]jp[.]cfdymtj[.]top
eeqxcgh[.]co[.]jp[.]rdstna[.]top
yzkjc[.]co[.]jp[.]mthzsqk[.]top
ysrybx[.]co[.]jp[.]kjglhys[.]top
njswa[.]co[.]jp[.]sjdyr[.]top
kfqs[.]co[.]jp[.]bszya[.]top
xflsbw[.]co[.]jp[.]gedaz[.]top
tjjdry[.]co[.]jp[.]gdzsd[.]top
kfqs[.]co[.]jp[.]lqjgeqt[.]top
bxkqxz[.]co[.]jp[.]ghfgb[.]top
www2[.]americanexpress[.]jp[.]bdsjka[.]jp
www2[.]shinseiclub[.]com[.]famerucarf1[.]jp
www1[.]amaricanexpes[.]jp[.]fmicard88[.]top
www5[.]wibmiicard[.]co[.]jp[.]fmicard12[.]top
www[.]supper[.]ameriicanexpres[.]top