
Malware and resumes: the new campaign worrying recruiters


Proofpoint researchers are analyzing a malware campaign, tracked as TA4557, that relies on some quite sophisticated social-engineering strategies.

We’re talking about a spear-phishing operation that targets recruiters and hiring managers at large companies, spreading among them a dangerous backdoor known as more_eggs.

All this happens through e-mails sent by phantom job candidates who, in fact, send résumés that later turn out to be malicious files. The distribution methods adopted by TA4557 work precisely by bypassing email filtering systems and luring recruiters to websites run by the cybercriminals.

The campaign, first detected by Proofpoint in October 2023, begins with a completely normal email, without any kind of suspicious link or attachment. This allows the cybercriminals to avoid arousing suspicion and makes recruiters lower their guard.

If the recruiter responds, they are offered the download of a CV from the candidate’s supposed personal website.

Cybercriminals’ techniques to push recruiters to download the fake resume

The cunning of the cybercriminals lies precisely in avoiding any clickable link to their site, which makes it effectively impossible for security systems to block the operation. The domain is simply written out verbatim and appears plausible, without any particular character or feature that could alarm the recruiter.

Once the professional reaches the site, he is offered the download of a ZIP file after completing a CAPTCHA, which is also useful for making everything look plausible and, at the same time, for blocking any analysis by automated security tools.

Inside the ZIP file there is an LNK file passed off as the candidate’s CV. Once launched, it activates more_eggs, with all the consequences that entails.
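The delivery chain just described (a ZIP archive containing a Windows shortcut that poses as a CV) is something a mail gateway or sandbox can check for before the file reaches a recruiter. The following is an added example, not code from the article or from Proofpoint; the archive contents and file names are constructed, and the LNK header bytes are the documented Shell Link format values.

```python
# Added example (not from the article or from Proofpoint): flag archive
# entries that are Windows Shell Link (.lnk) files, whatever name they carry.
import io
import zipfile

# A Shell Link file starts with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Extensions a résumé is expected to carry; used to spot "CV.pdf.lnk" masquerades.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".rtf", ".txt")


def flag_lnk_entries(zip_bytes: bytes) -> list[dict]:
    """Return one finding per entry that is a shortcut by content or by
    extension. Content is checked first, so renaming the file does not help."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_magic = head.startswith(LNK_MAGIC)
            by_ext = info.filename.lower().endswith(".lnk")
            if by_magic or by_ext:
                # Strip the last extension and see whether what remains
                # pretends to be a document (the double-extension trick).
                stem = info.filename.lower().rsplit(".", 1)[0]
                findings.append({
                    "name": info.filename,
                    "lnk_header": by_magic,
                    "lnk_extension": by_ext,
                    "masquerades_as_document": stem.endswith(DOCUMENT_EXTS),
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign cover letter plus a fake 'CV' that is
    really a shortcut (header only, no link target, so it does nothing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("cover_letter.txt", "Dear hiring manager, ...")
        zf.writestr("Curriculum_Vitae.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in flag_lnk_entries(build_sample_zip()):
        print(finding)
```

Checking the header bytes rather than only the extension matters because the archive entry name is fully under the sender's control.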

This backdoor, also known as Golden Chickens, is offered under the malware-as-a-service (MaaS) model. It is a malicious agent used by Russian cybercriminals, and its first uses in email campaigns date back to 2017.
