Recruiters and anyone else involved in hiring should know about this social engineering threat.
A new report from U.S.-based cybersecurity company Proofpoint exposes a new attack campaign run by a financially motivated threat actor dubbed TA4557. The campaign carries a high risk of financial data theft and possibly other losses, such as intellectual property theft.
In this social engineering campaign, the threat actor targets recruiters with benign content before infecting their machines with the More Eggs malware.
This threat actor takes extra care to avoid being detected.
The latest attack campaign from threat actor TA4557, as exposed by Proofpoint, targets recruiters by sending them a direct email.
Figure B. An alternative method used by the threat actor consists of replying to the recruiter with a PDF or Microsoft Office Word file containing instructions to visit the fake resume website.
The website employs filtering mechanisms to assess whether the subsequent phase of the attack should be initiated.
That subsequent phase delivers a DLL to the target. Once the DLL is executed, it decrypts the More Eggs backdoor along with a legitimate copy of the MSXSL executable, a Microsoft command-line XSLT tool that the malware abuses as a living-off-the-land binary.
According to Proofpoint, More Eggs is a malware that enables persistence and profiling of the infected system; it is also often used to download additional payloads.
In other attack campaigns, mostly in 2022 and 2023, the threat actor used a different technique that mainly consisted of applying for open positions on job offer websites.
The threat actor used malicious URLs, or files containing malicious URLs, in the application, but the URLs were not hyperlinked, meaning the recipient had to copy and paste them into a browser. A bare, non-clickable URL also sidesteps security tools that only inspect links and attachments.
According to Proofpoint researchers, TA4557 still uses that technique in parallel with the newly reported technique.
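The copy-and-paste tactic described above is exactly what URL-only filtering misses, which is why the article later recommends analysing the message content itself. As an added example (constructed for this page, not code from Proofpoint or the original article), the following Python scanner separates hyperlink targets from visible text and flags URL-like strings that appear only as plain text. The sample message, the `.example` domains and the file-extension list are all assumptions made for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample message written for this example; it is not a real TA4557 email.
SAMPLE_HTML = """<html><body>
<p>Hello, please find my resume at myresume-portfolio.example/cv for the open position.</p>
<p>My profile is at <a href="https://www.linkedin.com/in/example">LinkedIn</a>
and <a href="https://example.com/cv">https://example.com/cv</a> has a PDF copy.</p>
</body></html>"""

# Loose URL pattern: the scheme is optional because the copy-and-paste tactic
# frequently omits it so the mail client does not auto-link the string.
URL_RE = re.compile(
    r"(?:https?://)?"               # optional scheme
    r"(?:[a-z0-9-]+\.)+[a-z]{2,}"   # host with at least one dot
    r"(?:/[^\s<>\"']*)?",           # optional path
    re.IGNORECASE,
)

# Bare words ending in these are almost always file names, not hosts (assumed list).
FILE_EXTENSIONS = {"pdf", "doc", "docx", "zip", "txt", "exe", "png", "jpg"}


class _LinkCollector(HTMLParser):
    """Collect hyperlink targets separately from the visible text."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()
        self.text_chunks = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.add(value.strip())

    def handle_data(self, data):
        self.text_chunks.append(data)


def _normalise(url):
    """Lower-case, drop the scheme, trailing punctuation and trailing slash."""
    u = re.sub(r"^https?://", "", url.strip().lower())
    return u.rstrip(".,;:)").rstrip("/")


def _looks_like_file(host_and_path):
    host = host_and_path.split("/", 1)[0]
    return host.rsplit(".", 1)[-1] in FILE_EXTENSIONS


def find_unlinked_urls(body):
    """Return URL-like strings that appear as plain text but not as any href.

    Works on HTML and on plain-text bodies alike, since the parser treats
    text without tags as one data chunk.
    """
    parser = _LinkCollector()
    parser.feed(body)
    linked = {_normalise(h) for h in parser.hrefs}
    text = " ".join(parser.text_chunks)
    flagged = []
    for match in URL_RE.finditer(text):
        candidate = _normalise(match.group(0))
        if candidate in linked or _looks_like_file(candidate):
            continue  # properly hyperlinked, or just a file name
        if candidate not in flagged:
            flagged.append(candidate)
    return flagged


if __name__ == "__main__":
    print(find_unlinked_urls(SAMPLE_HTML))  # ['myresume-portfolio.example/cv']
```

A URL that is both hyperlinked and shown as its own anchor text is not flagged; the signal is a destination the sender deliberately left non-clickable. The flagged strings are candidates for the same reputation and sandbox checks that hyperlinked URLs already receive.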
The threat actor previously created fake LinkedIn profiles, pretending to be a recruiter and reaching out to people looking for a job.
The use of LOTL (living off the land) techniques, such as running the backdoor through the legitimate MSXSL binary rather than a custom executable, indicates that the threat actor tries to stay discreet and undetected.
The DLL file used by the threat actor employs anti-sandbox and anti-analysis techniques, such as a loop deliberately built to stretch out execution time while slowly retrieving the RC4 key needed to decrypt the More Eggs backdoor. A sandbox with a short analysis budget times out before the payload is ever decrypted, so automated analysis sees only the stalling loop.
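To make the stalling technique concrete, here is an added Python illustration (constructed for this page; it is not TA4557's DLL or the More Eggs loader, and the key, the placeholder payload, the XOR mask and the sandbox budgets are all made up). It pairs a plain RC4 routine, which an analyst needs anyway once the key has been extracted, with a loop that reassembles the key one byte per iteration and sleeps between bytes, then runs that loop under a simulated analysis deadline.

```python
import time


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_schedule(key: bytes, mask: int = 0x5A):
    """Split the key into (masked_byte, mask) pairs so it never sits in the
    binary as a literal that static analysis could lift directly."""
    return [(b ^ mask, mask) for b in key]


def recover_key_slowly(schedule, delay_per_byte, deadline=None):
    """Stalling loop: rebuild one key byte per iteration with a sleep between.

    `deadline` is a time.monotonic() timestamp modelling a sandbox's analysis
    budget; if it is reached before the key is complete, None is returned to
    represent the sandbox giving up without ever seeing the decrypted payload.
    """
    key = bytearray()
    for masked, mask in schedule:
        if deadline is not None and time.monotonic() >= deadline:
            return None
        time.sleep(delay_per_byte)
        key.append(masked ^ mask)
    return bytes(key)


def run_under_sandbox(encrypted, schedule, delay_per_byte, budget_seconds):
    """Run the stalling loop against an analysis budget and decrypt on success."""
    deadline = time.monotonic() + budget_seconds
    key = recover_key_slowly(schedule, delay_per_byte, deadline)
    if key is None:
        return None
    return rc4_crypt(key, encrypted)


# Constructed sample: a placeholder second stage, not the More Eggs backdoor.
KEY = b"demo-rc4-key"
PAYLOAD = b"placeholder second-stage payload"
ENCRYPTED = rc4_crypt(KEY, PAYLOAD)
SCHEDULE = build_schedule(KEY)

if __name__ == "__main__":
    # A short budget (0.03 s) against 12 bytes at 0.01 s each never decrypts.
    print(run_under_sandbox(ENCRYPTED, SCHEDULE, 0.01, budget_seconds=0.03))
    # A generous budget lets the loop finish and the payload appear.
    print(run_under_sandbox(ENCRYPTED, SCHEDULE, 0.01, budget_seconds=5.0))
```

The delays here are milliseconds so the example runs quickly; real samples stretch the same idea across minutes. The defensive takeaway is that a sandbox verdict of "no payload observed" on a sample with a long sleep or spin loop is inconclusive, and analysts should lift the key material from the loop and decrypt the blob offline with a routine like `rc4_crypt` rather than waiting for the malware to do it.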
Proofpoint believes the same threat actor targeted anti-money laundering officers at U.S. credit unions in 2019.
From a global point of view, the researchers noticed an increase in threat actors engaging their targets using benign content first to build confidence during the interaction before sharing harmful content.
TA4557 uses social engineering to infect the machines of unsuspecting victims, which are recruiters in this attack campaign; in the past, the threat actor also targeted individuals looking for jobs.
Everyone involved in hiring processes should be educated about these kinds of social engineering techniques.
Email content should be analyzed by security solutions capable of detecting anomalies in the message itself, not only in URLs or attached files, so that campaigns like this one, which open with benign content and avoid clickable links, can still be detected.
This Cyber News was published on www.techrepublic.com. Publication date: Tue, 12 Dec 2023 19:13:04 +0000