Recruiters Beware! Hackers Deliver Malware Posing Job Applicant

Recruiters Beware! Hackers Deliver Malware Posing Job Applicant

Last Updated: December 14, 2023By

Recruiters Beware! Hackers Deliver Malware Posing as Job Applicant

Threat actors have been targeting recruiters disguised as job applicants to deliver their malware. Though this method is not unique, the technique and attack vectors have been noted to have changed from their previous methods.

TA4557 is a highly skilled, financially motivated threat actor who primarily uses sophisticated social engineering to lure victims. This threat actor has been known to be attributed to the FIN6 cybercrime group. Additionally, TA4557 has conducted a similar campaign in 2022 to lure job applicants.

Malware Targeting Recruiters

As a part of the initial access vector, threat actors send job applications with malicious URLs or attachments, which are delivered to recruiters via the job portals. Another method was sending an email directly to the recruiters, posing as a job applicant.

Threat actor posing as job applicant
Threat actor posing as job applicant (Source: Proofpoint)

When the victims visit the domain or URL specified by the threat actor, a filtering check is performed to determine whether or not to allow the visitor to be redirected to the download page containing the ZIP archive file.

In both of the methods, the threat actor lures the victims to the malicious website to download the archive file containing an LNK shortcut file. This file, when executed, performs a Living-off-the-Land type of attack for downloading additional payloads on the victim systems.

More_Eggs Backdoor

The LNK uses the ie4uinit.exe file and ie4uinit.inf file to download and execute a malicious DLL in the %APPDATA%\Microsoft folder. As part of executing the DLL payload, the script uses Windows Management Instrumentation (WMI) and ActiveX Object Run method.

Once this is done, the DLL retrieves the RC4 key for decrypting the More_Eggs backdoor that will be downloaded in the next command. Once the More_Eggs backdoor is downloaded and executed, the threat actor can access the victim’s systems.

Furthermore, a complete report about this attack vector and technique has been published, which provides detailed information about the threat actor, their attack method, email analysis, and other information.

Indicators of Compromise

Indicator   Description 
wlynch\.com  Domain 
9d9b38dffe43b038ce41f0c48def56e92dba3a693e3b572dbd13d5fbc9abc1e4  SHA256 
6ea619f5c33c6852d6ed11c52b52589b16ed222046d7f847ea09812c4d51916d  SHA256 
annetterawlings\.com  Domain 
010b72def59f45662150e08bb80227fe8df07681dcf1a8d6de8b068ee11e0076  SHA256 

Source link

Leave A Comment