Proofpoint has warned recruiters of a skilled threat actor targeting them with emails designed to deploy malware.
TA4557 is a financially motivated threat actor known to distribute the More_Eggs backdoor, which is designed to establish persistence, profile the targeted machine and drop additional payloads.
Throughout 2022 and most of 2023 the actor has been replying to open job listings on third-party job boards and, more recently, targeting recruiters directly.
“Specifically in the attack chain that uses the new direct email technique, once the recipient replies to the initial email, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate resume,” Proofpoint explained.
“Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website.”
In some recent phishing attempts, the threat actor tried to bypass security filters by requesting that the recipient “refer to the domain name of my email address to access my portfolio.”
If they follow these instructions and visit the sender’s website, they will be presented with a CAPTCHA page, which, if completed, will begin a download of a zip file containing a shortcut file (LNK).
“The LNK, if executed, abuses legitimate software functions in ‘ie4uinit.exe’ to download and execute a scriptlet from a location stored in the ‘ie4uinit.inf’ file,” the security vendor explained.
“The scriptlet decrypts and drops a DLL in the %APPDATA%\Microsoft folder. Next, it attempts to create a new regsvr32 process to execute the DLL using Windows Management Instrumentation (WMI) and, if that fails, tries an alternative approach using the ActiveX Object Run method.”
These “living-off-the-land” techniques are designed to deploy a DLL which ultimately drops the More_Eggs backdoor on the victim’s machine.
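The chain above gives defenders three concrete things to look for in process-creation telemetry: ie4uinit.exe running from somewhere other than the Windows directory, regsvr32.exe being handed a DLL under %APPDATA%\Microsoft, and regsvr32.exe being spawned through WMI. The script below is an added example written for this article, not Proofpoint's code or a published detection rule; it runs those three heuristics over a handful of constructed Sysmon-style process-creation records. It assumes %APPDATA% expands to C:\Users\<user>\AppData\Roaming, that a process created through WMI's Win32_Process.Create has WmiPrvSE.exe as its parent, and that the attacker copies ie4uinit.exe next to a crafted ie4uinit.inf (the LOLBAS-documented abuse). The events and paths are invented for the example.

```python
"""Hunting heuristics for the TA4557 LNK -> ie4uinit.exe -> regsvr32 chain.

Added example, not part of the original article. Runs over constructed
Sysmon-style process-creation records (Event ID 1 fields Image,
CommandLine, ParentImage). None of the events below are real telemetry.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events. Events 1 and 3 mirror the chain described in the
# article; events 0 and 2 are benign look-alikes the rules must not flag.
SAMPLE_EVENTS: List[Event] = [
    {   # benign: Windows runs ie4uinit.exe from System32 after setup
        "Image": r"C:\Windows\System32\ie4uinit.exe",
        "CommandLine": r'"C:\Windows\System32\ie4uinit.exe" -UserConfig',
        "ParentImage": r"C:\Windows\System32\runonce.exe",
    },
    {   # suspicious: ie4uinit.exe copied beside an attacker-supplied .inf
        # (-BaseSettings is the LOLBAS-documented switch; assumption here)
        "Image": r"C:\Users\recruiter\AppData\Local\Temp\resume\ie4uinit.exe",
        "CommandLine": r'"C:\Users\recruiter\AppData\Local\Temp\resume\ie4uinit.exe" -BaseSettings',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: an installer registers a vendor DLL under Program Files
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\control.dll"',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    {   # suspicious: DLL in %APPDATA%\Microsoft, regsvr32 spawned via WMI
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Users\recruiter\AppData\Roaming\Microsoft\update.dll",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
]

# Image path is expected to start with the Windows directory for the real binary.
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
# A .dll argument living under the expanded %APPDATA%\Microsoft folder.
APPDATA_MS_DLL = re.compile(r"\\appdata\\roaming\\microsoft\\[^\s\"']+\.dll\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Event) -> List[str]:
    """Return the list of rule names the event triggers (empty if none)."""
    hits: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    # Rule 1: the real ie4uinit.exe lives in the Windows directory; a copy
    # elsewhere is what lets the actor supply its own ie4uinit.inf.
    if image == "ie4uinit.exe" and not WINDOWS_DIR.match(event.get("Image", "")):
        hits.append("ie4uinit_outside_windows_dir")

    if image == "regsvr32.exe":
        # Rule 2: the dropped DLL is written to %APPDATA%\Microsoft.
        if APPDATA_MS_DLL.search(cmd):
            hits.append("regsvr32_appdata_microsoft_dll")
        # Rule 3: the primary launch path is WMI, so the parent is WmiPrvSE.exe
        # (assumption: Win32_Process.Create yields that parent).
        if parent == "wmiprvse.exe":
            hits.append("regsvr32_spawned_by_wmi")
    return hits


def hunt(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Index and rule hits for every event that triggers at least one rule."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    for index, rules in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['Image']} -> {', '.join(rules)}")
```

Rule 3 only covers the WMI branch; when the scriptlet falls back to the ActiveX Object Run method the parent will be the script host rather than WmiPrvSE.exe, which is why rule 2, keyed on the DLL path the article gives, is the one to rely on for both branches. Rule 1 will also fire on legitimate copies of ie4uinit.exe outside C:\Windows, so treat it as a hunting lead rather than a blocking rule.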
Proofpoint urged recruiters to update their user awareness training to mitigate the threat posed by TA4557, which is also linked to FIN6.
“Proofpoint has seen an increase in threat actors using benign messages to build trust and engage with a target before sending the malicious content, and TA4557 adopting this technique may convince recipients to be more trusting of the interaction and subsequent content shared with them,” it concluded.
“Additionally, the group is regularly changing their sender emails, fake resume domains, and infrastructure. This is done alongside building rapport with the target before sending a payload and poses a problem for defenders and automated security tools as it can be difficult to detect the content as malicious.”