A recent campaign orchestrated by the cybercrime gang TA4557 has surfaced, posing a significant risk to hiring managers and recruiters. The campaign employs the notorious "more_eggs" backdoor, combining convincing social engineering with attacker-controlled infrastructure to lure victims into downloading malicious resumes.

Social Engineering in Action

The attack begins with seemingly innocuous emails inquiring about job positions. Strikingly, these initial emails contain no links or attachments, relying on the trust-building process to pave the way for a sophisticated social engineering attack.

Proofpoint Senior Threat Analyst Selena Larson emphasized the effectiveness of the social engineering tactics, stating, "The social engineering is very compelling leading up to the download of the file from the resume website."

Bypassing Secure Email Gateways

TA4557 takes a distinctive approach to getting past secure email gateways, a common email-perimeter control. Rather than sending a link or attachment, the attackers persuade recruiters to download resumes from attacker-controlled websites, so the malicious content never passes through the gateway.

To avoid detection, attackers direct victims to "refer to the domain name of my email address to access my portfolio." Requiring victims to manually copy and paste malicious domain names increases the likelihood of evading secure email gateways.

Unassuming domain names like "wlynch[.]com" and "annetterawlings[.]com" further disguise the malicious intent, reducing the likelihood of raising alarm bells compared to emails from free providers like Gmail or Yahoo.
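As an added illustration (not from the Proofpoint research or this article), the following mail-flow heuristic flags the pattern described above: a message with no link and no attachment that tells the reader to reach the sender's own domain for a portfolio or resume. The regexes, sample messages and addresses are constructed assumptions, not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field

# Constructed heuristic: wording that steers the reader to a site without a clickable link.
INSTRUCTION_RE = re.compile(
    r"(domain (name )?of my e-?mail|"
    r"(type|enter|paste) .{0,40}(address|domain).{0,40}browser|"
    r"(visit|access|see) my (portfolio|resume|cv) (at|on|via))",
    re.I,
)
# Anything that a gateway could already inspect as a URL or bare domain.
URL_RE = re.compile(r"https?://|www\.|\b[a-z0-9-]+\.(com|net|org|io)\b", re.I)
LURE_RE = re.compile(r"\b(position|opening|resume|portfolio|candidate|job)\b", re.I)

@dataclass
class Email:
    sender: str
    body: str
    attachments: list = field(default_factory=list)

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def assess(mail: Email) -> dict:
    """Return matched indicators and a verdict ('suspicious' or 'clear') for one message."""
    reasons = []
    linkless = not URL_RE.search(mail.body) and not mail.attachments
    if linkless and INSTRUCTION_RE.search(mail.body):
        reasons.append("linkless body tells reader to reach the sender's site manually")
    if reasons and LURE_RE.search(mail.body):
        reasons.append("job-candidate themed wording supports the lure pattern")
    verdict = "suspicious" if reasons else "clear"
    return {"sender_domain": sender_domain(mail.sender), "reasons": reasons, "verdict": verdict}

# Constructed sample messages; domains use reserved example names.
SAMPLES = [
    Email("jordan@candidate.example",
          "Hello, I saw your opening for a senior analyst. Please refer to the domain name "
          "of my email address to access my portfolio and resume."),
    Email("applicant@example.net",
          "Hi, please find my resume attached. My profile: https://www.linkedin.com/in/example",
          ["resume.pdf"]),
]

if __name__ == "__main__":
    for mail in SAMPLES:
        result = assess(mail)
        print(f"{mail.sender:28} {result['verdict']:10} {'; '.join(result['reasons'])}")
```

The rule is a triage signal for a recruiter mailbox, not a blocking control; pair it with review of the site the message points to.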

Sophisticated Filters and CAPTCHAs

TA4557 employs sophisticated filters on their candidate websites, analyzing details such as the victim's IP address to determine the next stage of the attack. Victims who "pass" these checks are directed to download a ZIP file after completing a CAPTCHA prompt.

Selena Larson explained the dual purpose of CAPTCHA prompts, stating, "CAPTCHAs are typically used by threat actors to ensure a real person is receiving the content and not automated threat detection like sandboxes."

Fileless Malware Takes Center Stage

Upon downloading and opening the ZIP file, victims unwittingly install the more_eggs backdoor. This fileless malware, as described by Keegan Keplinger, research and reporting lead with eSentire's Threat Response Unit (TRU), takes a distinctive approach to evading antivirus detection.

"Because malware like more_eggs takes the so-called fileless approach to evade AV [anti-virus], there is no malicious executable for AV to detect," highlighted Keplinger.

Malware-as-a-Service (MaaS) Linked to Russian Cyber Gangs

The more_eggs malware, also known as Golden Chickens, operates as malware-as-a-service (MaaS). It has earned the dubious title of the "cyber weapon of choice" for Russia-based FIN6 and Cobalt Group cyber gangs, according to eSentire.

The malware, distributed by a provider identified as VENOM SPIDER, has been active since 2017, first targeting Russian businesses and, from 2019, job seekers with phony job offers.

TA4557's Unique Characteristics

Proofpoint researchers noted the distinctive characteristics of TA4557, setting it apart from other threat actors using more_eggs. The group's unique tool and malware usage, campaign targeting, use of job candidate-themed lures, sophisticated evasive measures, distinct attack chains, and actor-controlled infrastructure make it notably different from other priority threat actors.

As organizations grapple with increasingly sophisticated cyber threats, understanding the nuances of campaigns like TA4557's becomes crucial. Collaboration between cybersecurity experts and businesses is imperative to stay ahead of evolving cybercrime tactics. The vigilance and awareness of individuals involved in hiring processes play a pivotal role in thwarting malicious campaigns and safeguarding sensitive information.

In the face of this new threat landscape, organizations must remain vigilant, adopting proactive cybersecurity measures to protect against the strategies of cybercriminals.


Defend Against Cyber Threats with Network 512

Network 512 stands ready to fortify your defenses. As a Cybersecurity and Managed IT Services company based in Austin, Texas, we understand the importance of safeguarding your business or personal cybersecurity.


Claim Your 1-Hour FREE Cybersecurity Consultation

To help you assess and enhance your cybersecurity posture, Network 512 is offering a complimentary 1-hour Cybersecurity Consultation. Our team of experts will analyze your current security measures, identify potential vulnerabilities, and provide tailored recommendations to bolster your defenses against emerging threats like TA4557.

Don't wait until it's too late – take the first step in securing your digital assets.