ChinaCredentialsPhishingSouth Asia

Credential Phishing Pages Mimicking Legitimate Webmail Login Portals

Since 1 August 2024, a likely India-nexus targeted intrusion actor has targeted entities in China and South Asia using credential phishing pages mimicking legitimate webmail login portals. Domain naming conventions as well as observed phishing pages reveal likely targeting of entities in the government and defense sectors. Observed tactics, techniques, and procedures and target scope are consistent with public reporting on Indian targeted intrusion actors.  

Details

Identified domains share the following similarities:

  • Registration via 1api registrar service
  • Use of Royalhost nameservers
  • Resolving to the IP address 65.21.85[.]206
  • Domain naming convention using webmail login or file download themes often combined with references to specific, likely targeted entities

The 65.21.85[.]206 IP address is a shared host resolving numerous domains likely unrelated to the India-nexus targeted intrusion activity. However, historical data from this host indicates the India-nexus actor has used 65.21.85[.]206 since at least April 2024 to host phishing domains.  

Figure 1. Example Credential Phishing Page from nepal-mofa[.]com

Analysis of this activity also shows one of the actor-registered domains (never-giveup.mail-downloadfiles[.]com) redirecting to a credential phishing page hosted on the cloud service Netlify (large-files-d0wnl0ad-session-expired.netlify[.]app). These domains are likely being used to target Chinese entities.

Figure 2. Chinese-language Credential Phishing Page Hosted on Netlify

IOCs

South AsiaChina

navy.lk.mails-gov[.]com
(Sri Lanka)

mailbox-owa-bd[.]com
(Bangladesh)

nepal-mofa[.]com
(Nepal)
mod.gov.cn.inviation.mail-files-open-preview[.]com
never-giveup.mail-downloadfiles[.]com
all-files.mail-sessionexpired[.]com
mail-sessionexpired[.]com
preview-files-login.mail-sessionexpired[.]com
proposal-pdf-login.mail-sessionexpired[.]com
securitychallenge-cetci.mail-sessionexpired[.]com
alitcn.mail-files-open-preview[.]com
app-all.mail-files-open-preview[.]com
attachments-secure-check.mail-files-open-preview[.]com
coremail-downloads.mail-files-open-preview[.]com
coremail-files-downloads.mail-files-open-preview[.]com
download-all.mail-files-open-preview[.]com
download-attachments.mail-files-open-preview[.]com
mail-files-open-preview[.]com
netease-secure.mail-files-open-preview[.]com
pla-navy-seecure-drive.mail-files-open-preview[.]com

Conclusion

This activity is consistent with targeted intrusion activity identified in previous public reporting. Naming conventions are generally consistent with activity from the group known as Sidewinder with domains spoofing webmail login portals and the targeting of entities in China and South Asia. The India-nexus targeted intrusion group known as Patchwork also historically exhibited a similar target scope.