Recruiters are being targeted via spear-phishing emails sent by cybercrooks impersonating job applicants, Proofpoint researchers are warning.
The threat actor - designated as TA4557 by Proofpoint - first reaches out to recruiters with a spear-phishing email with no malicious link or attachment, just an inquiry into whether a job position at a company is still open.
This first email is meant to prime the recruiter to implicitly trust the link provided in the follow-up email, which points to a fake resume website.
The latter uses a CAPTCHA that, when completed, triggers the download of a ZIP file containing a shortcut file.
When the shortcut is run, a scriptlet is downloaded and executed. The scriptlet drops a DLL file in the %APPDATA%\Microsoft folder and tries to execute it either via Windows Management Instrumentation (WMI) or via the ActiveX Object Run method.
The DLL retrieves an RC4 key, which it uses to decrypt the More Eggs backdoor, and drops the backdoor together with an MSXSL executable.
WMI is again used to create the MSXSL process, and the DLL deletes itself.
The backdoor, which can be used to profile the system, drop additional malicious payloads and establish persistence, is thereby installed on the target machine.
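The execution chain above leaves a few observable traces on the endpoint: a DLL written directly into %APPDATA%\Microsoft, and msxsl.exe (a legitimate Microsoft tool that does not ship with Windows) launched through WMI from a user-writable folder. The following hunt script is an added example written for this page, not Proofpoint's or Help Net Security's code. It assumes Sysmon-style field names (EventID 11 for FileCreate, EventID 1 for ProcessCreate, Image, ParentImage, TargetFilename), the sample events are constructed for the illustration, and the rule that a process created through WMI's Win32_Process.Create shows WmiPrvSE.exe as its parent is the editor's own detection logic rather than something the article states.

```python
import re

# Constructed sample telemetry in Sysmon field naming; illustrative, not captured events.
# Which host process runs the scriptlet is not stated on the page, so the FileCreate
# writer below (wscript.exe) is an assumption and is not used by any rule.
SAMPLE_EVENTS = [
    # Suspicious: a DLL lands directly in %APPDATA%\Microsoft (no application subfolder)
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\recruiter\AppData\Roaming\Microsoft\x9f2.dll"},
    # Benign: Office writes a temp file into its own subfolder
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\recruiter\AppData\Roaming\Microsoft\Word\~WRL0001.tmp"},
    # Suspicious: msxsl.exe spawned by WMI from the user profile
    {"EventID": 1, "Image": r"C:\Users\recruiter\AppData\Roaming\Microsoft\msxsl.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"msxsl.exe in.xml t.xsl"},
    # Benign: a developer runs msxsl.exe from a tools directory via cmd.exe
    {"EventID": 1, "Image": r"C:\Tools\msxsl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msxsl.exe build.xml transform.xsl"},
    # Benign: the WMI provider host itself starting
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
]

# A .dll created directly under %APPDATA%\Microsoft, not inside a per-application subfolder.
APPDATA_ROOT_DLL = re.compile(r"\\AppData\\Roaming\\Microsoft\\[^\\]+\.dll$", re.I)
# Any image path inside a user's AppData tree (user-writable, no admin rights needed).
USER_PROFILE_PATH = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names a single event triggers (empty if none)."""
    hits = []
    if ev.get("EventID") == 11 and APPDATA_ROOT_DLL.search(ev.get("TargetFilename", "")):
        hits.append("dll_dropped_in_appdata_microsoft")
    if ev.get("EventID") == 1:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        # Assumption: Win32_Process.Create makes WmiPrvSE.exe the parent of the new process.
        wmi_spawned = basename(parent) == "wmiprvse.exe"
        if basename(image) == "msxsl.exe" and (wmi_spawned or USER_PROFILE_PATH.match(image)):
            hits.append("msxsl_from_userprofile_or_wmi")
        # Generic catch for the earlier DLL-execution step: WMI launching anything from AppData.
        if wmi_spawned and USER_PROFILE_PATH.match(image):
            hits.append("wmi_spawned_process_from_userprofile")
    return hits


def hunt(events):
    """Run every rule over an event stream; returns [(event_index, rule_name), ...]."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The two msxsl rules deliberately ignore the command line: the article gives no argument pattern, and msxsl.exe from a user profile or a WMI parent is rare enough in a recruiting team's fleet that path and parent alone keep the false-positive rate low. Because the actor rotates domains and sender addresses (see below), host-side behaviour like this is more durable than indicator lists.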
The researchers say that they have seen an increase in threat actors using benign messages to build trust and engage with a target before sending the malicious content.
The threat actor regularly changes sender email addresses, fake resume domains, and infrastructure to keep their emails from being flagged by email filters.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Tue, 12 Dec 2023 14:13:10 +0000