Threat actors posing as job applicants have been targeting recruiters to deliver their malware.
Though this approach is not new, the techniques and attack vectors differ from those seen in the actor's previous campaigns.
TA4557 is a highly skilled, financially motivated threat actor who primarily uses sophisticated social engineering to lure victims.
This threat actor has been attributed to the FIN6 cybercrime group.
TA4557 conducted a similar campaign in 2022 that lured job applicants.
As a part of the initial access vector, threat actors send job applications with malicious URLs or attachments, which are delivered to recruiters via the job portals.
Another method was sending an email directly to the recruiters, posing as a job applicant.
When a victim visits the domain or URL supplied by the threat actor, a filtering check determines whether the visitor is redirected to the download page that hosts the ZIP archive.
In both methods, the threat actor lures the victim to the malicious website to download an archive containing an LNK shortcut file.
When executed, this file performs a Living-off-the-Land attack to download additional payloads onto the victim's system.
Inf file to download and execute a malicious DLL in the %APPDATA%\Microsoft folder.
To execute the DLL payload, the script uses Windows Management Instrumentation (WMI) and the ActiveX Object Run method.
Once this is done, the DLL retrieves the RC4 key used to decrypt the More Eggs backdoor, which is downloaded by the next command.
Once the More Eggs backdoor is downloaded and executed, the threat actor has access to the victim's systems.
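As an added example (not from the article or the underlying report), the Python below sketches how a defender could flag the execution chain described above in Sysmon-style process-creation telemetry. The events, paths and file names are constructed placeholders; the assumptions that a WMI-created process shows WmiPrvSE.exe as its parent and that rundll32.exe loads the DLL are mine, not the article's.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# File names and paths are placeholders for the stages the article describes.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\hr\Downloads\applicant\resume.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c copy C:\Users\hr\Downloads\applicant\s.inf %APPDATA%\Microsoft\s.inf'},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",   # assumed parent of WMI-created processes
     "image": r"C:\Windows\System32\rundll32.exe",         # assumed DLL loader
     "cmdline": r'rundll32.exe C:\Users\hr\AppData\Roaming\Microsoft\loader.dll,Entry'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\hr\Documents\policy.docx'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(Downloads|Temp)\\", re.I)
APPDATA_MS = re.compile(r"(\\AppData\\Roaming\\Microsoft\\|%APPDATA%\\Microsoft\\)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    hits = []
    # Stage 1: a script host started on a file in a user-writable location, the
    # usual result of a user opening an LNK from an extracted archive.
    if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
        hits.append("script-host-from-user-path")
    # Stage 2: a child of the script host (WScript.Shell Run) touching %APPDATA%\Microsoft.
    if parent in SCRIPT_HOSTS and APPDATA_MS.search(cmd):
        hits.append("script-host-child-stages-appdata-microsoft")
    # Stage 3: a WMI-created process whose command line references the payload folder.
    if parent == "wmiprvse.exe" and APPDATA_MS.search(cmd):
        hits.append("wmi-spawned-appdata-microsoft-payload")
    return hits

def scan(events):
    """Map event index -> labels for every event that matched at least one rule."""
    result = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            result[i] = hits
    return result
```

Each rule alone will fire on benign activity occasionally; correlating all three within one user session is what raises confidence.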
A complete report on this attack vector and technique has been published, providing detailed information about the threat actor, their attack method, email analysis, and more.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 13 Dec 2023 12:25:04 +0000