Threat actors have been targeting recruiters by posing as job applicants in order to deliver malware. The approach itself is not new, but the technique and attack vectors differ from the actor's previous campaigns.
TA4557 is a highly skilled, financially motivated threat actor that relies primarily on sophisticated social engineering to lure victims. The group has been linked to the FIN6 cybercrime group, and it ran a similar campaign in 2022 that lured job applicants rather than recruiters.
Malware Targeting Recruiters
As the initial access vector, the threat actor submits job applications containing malicious URLs or attachments, which reach recruiters through the job portals themselves. In other cases the actor emails recruiters directly, posing as a job applicant.
When a victim visits the domain or URL supplied by the threat actor, a filtering check decides whether the visitor is redirected to the download page hosting the ZIP archive. A visitor that fails the check is not served the archive, so an analyst revisiting the URL from an environment that does not pass the check will not see the payload.
In both methods the threat actor lures the victim to the malicious website to download an archive containing an LNK shortcut file. When executed, the LNK performs a living-off-the-land attack, using built-in Windows binaries to download additional payloads onto the victim's system.
More_Eggs Backdoor
The LNK uses ie4uinit.exe together with an ie4uinit.inf file to download a malicious DLL into the %APPDATA%\Microsoft folder and execute it. To run the DLL payload, the script uses Windows Management Instrumentation (WMI) and the ActiveX Object Run method.
The DLL then retrieves the RC4 key used to decrypt the More_Eggs backdoor, which is downloaded by the next command. Once More_Eggs is downloaded and executed, the threat actor has access to the victim's system.
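The ie4uinit.exe step is the part of this chain that leaves the clearest trace in endpoint telemetry, because the binary normally runs only from the Windows system directory with a small set of switches. The hunting logic below is an added example, not code from the article or from the report it cites. The log records are constructed, Sysmon-style JSON lines, and the field names (event_type, image, command_line, parent_image, current_directory, target_filename) are assumptions about the telemetry schema. The -BasePath switch, which makes ie4uinit.exe parse an ie4uinit.inf located next to the binary, is taken from the public LOLBAS documentation of this binary rather than from the article, and is likewise treated here as an assumption.

```python
"""
Hunting for ie4uinit.exe LOLBin abuse in process-creation and file-creation
telemetry. Added example; event schema, paths and the -BasePath detail are
assumptions, not facts from the article.
"""
import json
import ntpath

# Where ie4uinit.exe legitimately lives (assumption: standard install only).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Directories where an extracted attachment typically lands.
STAGING_MARKERS = ("\\temp\\", "\\downloads\\", "\\appdata\\")
# Minimum score for an event to be reported; strong signals score 2, weak 1.
THRESHOLD = 2


def _norm(path: str) -> str:
    """Lower-case and use backslashes so path comparisons are consistent."""
    return path.lower().replace("/", "\\")


def analyze_event(ev: dict) -> tuple[int, list[str]]:
    """Score one event and return (score, reasons); (0, []) means nothing seen."""
    score, reasons = 0, []
    kind = ev.get("event_type")

    if kind == "process_create":
        image = _norm(ev.get("image", ""))
        if ntpath.basename(image) != "ie4uinit.exe":
            return 0, []
        image_dir = ntpath.dirname(image)
        if image_dir not in SYSTEM_DIRS:               # strong: copied binary
            score += 2
            reasons.append(f"ie4uinit.exe executed from non-system path {image_dir}")
        if "-basepath" in _norm(ev.get("command_line", "")):  # strong (LOLBAS, assumption)
            score += 2
            reasons.append("-BasePath switch: ie4uinit.inf is read from the binary's own directory")
        if ntpath.basename(_norm(ev.get("parent_image", ""))) == "explorer.exe":  # weak
            score += 1
            reasons.append("parent is explorer.exe, consistent with a double-clicked LNK")
        cwd = _norm(ev.get("current_directory", ""))
        if any(m in cwd for m in STAGING_MARKERS):      # weak
            score += 1
            reasons.append(f"working directory is a staging location: {cwd}")

    elif kind == "file_create":
        target = _norm(ev.get("target_filename", ""))
        if ntpath.basename(target) == "ie4uinit.inf" and not target.startswith("c:\\windows\\"):
            score += 2                                  # strong: attacker-supplied .inf
            reasons.append(f"ie4uinit.inf written outside the Windows directory: {target}")

    return score, reasons


def hunt(log_lines: list[str]) -> list[tuple[int, int, list[str]]]:
    """Run analyze_event over JSON lines; return (line index, score, reasons) for hits."""
    hits = []
    for idx, line in enumerate(log_lines):
        line = line.strip()
        if not line:
            continue
        score, reasons = analyze_event(json.loads(line))
        if score >= THRESHOLD:
            hits.append((idx, score, reasons))
    return hits


# Constructed sample telemetry (not real logs). Line 0 is the normal Active Setup
# run, line 1 is the pattern the article describes, line 2 is unrelated, line 3
# is the companion .inf being dropped next to the copied binary.
SAMPLE_LOG = [
    json.dumps({"event_type": "process_create",
                "image": r"C:\Windows\System32\ie4uinit.exe",
                "command_line": "ie4uinit.exe -UserConfig",
                "parent_image": r"C:\Windows\System32\runonce.exe",
                "current_directory": r"C:\Windows\System32"}),
    json.dumps({"event_type": "process_create",
                "image": r"C:\Users\recruiter\AppData\Local\Temp\Resume_Smith\ie4uinit.exe",
                "command_line": "ie4uinit.exe -BasePath",
                "parent_image": r"C:\Windows\explorer.exe",
                "current_directory": r"C:\Users\recruiter\AppData\Local\Temp\Resume_Smith"}),
    json.dumps({"event_type": "process_create",
                "image": r"C:\Windows\System32\notepad.exe",
                "command_line": "notepad.exe resume.txt",
                "parent_image": r"C:\Windows\explorer.exe",
                "current_directory": r"C:\Users\recruiter\Downloads"}),
    json.dumps({"event_type": "file_create",
                "target_filename": r"C:\Users\recruiter\AppData\Local\Temp\Resume_Smith\ie4uinit.inf"}),
]

if __name__ == "__main__":
    for idx, score, reasons in hunt(SAMPLE_LOG):
        print(f"line {idx} (score {score}):")
        for r in reasons:
            print("   -", r)
```

The weak signals (explorer.exe parent, staging directory) are deliberately not enough on their own, since a user can legitimately launch things from Downloads; a copied ie4uinit.exe, the -BasePath switch or a stray ie4uinit.inf is what should page someone. On the sample, only the Temp-directory execution and the .inf drop cross the threshold.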
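When the loader fetches a key and then a separately downloaded encrypted blob, an analyst who has captured both wants to confirm the key and recover the plaintext without running the sample. The helper below is an added example, not code from the article or from the malware: RC4 is the standard algorithm, while the sample key, the fake DLL image, and the idea of validating a candidate key by checking the decrypted buffer for a PE header are all constructed for illustration.

```python
"""
RC4 payload recovery helper. Added example; the key and the encrypted blob
are constructed here, not taken from any real sample.
"""
import struct


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Plausibility check for a decrypted DLL: 'MZ' at offset 0 and the PE
    signature at the offset stored in e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(candidate_keys, blob: bytes):
    """Try each candidate key; return (key, plaintext) for the first
    decryption that looks like a PE image, or None if none does."""
    for key in candidate_keys:
        plain = rc4_crypt(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_fake_pe() -> bytes:
    """Minimal buffer that passes looks_like_pe (constructed, not a real DLL)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\0\0" + b"\x00" * 20    # signature + padding


# Constructed sample: a key the loader "retrieved" and the blob it would fetch.
SAMPLE_KEY = b"example-rc4-key"                     # assumption, not a real key
ENCRYPTED_SAMPLE = rc4_crypt(SAMPLE_KEY, build_fake_pe())

if __name__ == "__main__":
    result = recover_payload([b"wrong-key", b"another-guess", SAMPLE_KEY], ENCRYPTED_SAMPLE)
    print("recovered with key:", result[0] if result else None)
```

The PE-header check is what makes this usable when several key candidates are pulled from a memory dump or a config blob: a wrong key yields noise that fails the check, the right one yields a buffer starting with MZ. The same routine also verifies a captured ciphertext against a key extracted by debugging the DLL.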
A complete report on this attack vector and technique has been published, covering the threat actor, their attack method, email analysis, and further details.
Indicators of Compromise
| Indicator | Type |
| --- | --- |
| wlynch.com | Domain |
| 9d9b38dffe43b038ce41f0c48def56e92dba3a693e3b572dbd13d5fbc9abc1e4 | SHA256 |
| 6ea619f5c33c6852d6ed11c52b52589b16ed222046d7f847ea09812c4d51916d | SHA256 |
| annetterawlings.com | Domain |
| 010b72def59f45662150e08bb80227fe8df07681dcf1a8d6de8b068ee11e0076 | SHA256 |