
Group emails recruiters directly to deliver malware


TA4557, a threat group tracked since 2018 for sending job-themed email threats, is using a new targeting technique: emailing recruiters directly and ultimately dropping malware on them, according to Proofpoint.

The threat operator, known for using More_eggs as a malware dropper, previously only applied to jobs advertised on public job boards or in LinkedIn posts, inserting malicious URLs into the job application. Since October, however, TA4557 has been observed emailing employers directly who are seeking candidates for various roles.

“In recently observed campaigns, TA4557 used both the new method of emailing recruiters directly and the older technique of applying to jobs advertised on public job boards to begin the attack chain,” Proofpoint said in a post on its corporate blog.

In the new technique, the attacker first sends the recruiter an email asking about a job opening. Once the recruiter responds, the TA4557 operator replies with a URL pointing to a website the attacker controls, where the fake candidate’s CV is hosted. “Alternatively, the threat operator was observed responding with a PDF or Word attachment containing instructions to visit the fake resume website,” Proofpoint added in the post.

In early November, the cybersecurity firm observed TA4557 directing the recipient in the initial email to “query the domain name of the email address to access my portfolio” rather than directly sending the website URL with the resume in the response, according to the blog post. This was likely yet another attempt to avoid automatic detection of suspicious domains, Proofpoint says.

When the potential victim visits the “personal website” as instructed by the threat operator, they are shown a page with a fake candidate resume; the page profiles and filters the visitor and decides whether to send them on to the next step of the attack.

Users who pass the filtering checks are then sent to the “candidate website”, which starts downloading a zip file containing an LNK shortcut file. The LNK abuses legitimate functionality in Microsoft’s utility “ie4uinit.exe” to download and execute a scriptlet from a location stored in a second file in the zip, “ie4uinit.inf”.

“This attack technique is called living off the land (LotL),” said Proofpoint. “The scriptlet decrypts and drops a DLL in the %APPDATA%\Microsoft folder. The DLL employs anti-sandbox and anti-analysis techniques for evasion and drops the More_Eggs backdoor.”
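As an added illustration (not code from the article or from Proofpoint), the following Python triage heuristic applies the two observable traits the article names, ie4uinit.exe being driven from a user-writable location and a DLL landing under %APPDATA%\Microsoft, to constructed Sysmon-style events. Field names follow Sysmon conventions; the sample paths and file names are invented, and the assumption that the .inf is picked up from the binary's location or working directory is noted in the code.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-shaped sample telemetry (not real logs). Event 0 is a normal
# run of Windows' own ie4uinit.exe; event 1 mirrors the chain in the article
# (shortcut launches ie4uinit.exe from the extracted zip folder); event 2 is the
# DLL drop under %APPDATA%\Microsoft. Paths and file names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\ie4uinit.exe",
     "CurrentDirectory": "C:\\Windows\\System32\\"},
    {"type": "process", "Image": r"C:\Windows\System32\ie4uinit.exe",
     "CurrentDirectory": "C:\\Users\\hr\\Downloads\\resume_jsmith\\"},
    {"type": "file", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\hr\AppData\Roaming\Microsoft\upd7731.dll"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def _under(path: str, prefixes) -> bool:
    """True if path equals or lies beneath one of the given directory prefixes."""
    p = path.lower().rstrip("\\")
    return any(p == x or p.startswith(x + "\\") for x in prefixes)

def check_process(ev: dict) -> list:
    """Flag ie4uinit.exe when the binary or its working directory sits outside the
    Windows system directories. The article says ie4uinit.inf ships in the zip next
    to the LNK; this rule assumes (assumption) the .inf is read from the binary's
    location or working directory, so a user-writable path on either is the signal."""
    if PureWindowsPath(ev["Image"]).name.lower() != "ie4uinit.exe":
        return []
    image_dir = ev["Image"].rsplit("\\", 1)[0]
    cwd = ev.get("CurrentDirectory", "")
    if not _under(image_dir, SYSTEM_DIRS) or not _under(cwd, SYSTEM_DIRS):
        return [f"ie4uinit.exe outside system directory: image={ev['Image']} cwd={cwd}"]
    return []

def check_file(ev: dict) -> list:
    """Flag a DLL written under %APPDATA%\\Microsoft, the drop location the article
    names. The article does not say which process writes it, so the writer is not checked."""
    target = ev.get("TargetFilename", "")
    low = target.lower()
    if low.endswith(".dll") and "\\appdata\\roaming\\microsoft\\" in low:
        return [f"DLL dropped under %APPDATA%\\Microsoft: {target}"]
    return []

def triage(events) -> list:
    """Run both checks over a list of events and return every finding."""
    findings = []
    for ev in events:
        findings += check_process(ev) if ev["type"] == "process" else check_file(ev)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```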

More_eggs is a JavaScript backdoor used to establish persistence, profile the machine, and drop additional payloads. TA4557 has been tracked since 2018 as a skilled, financially motivated threat operator that relies on the backdoor’s ability to profile the endpoint and deliver additional payloads.

Proofpoint noted in the blog post that it has seen an increase in threat actors using benign messages to build trust and engage with a target before sending malicious content, and that TA4557’s adoption of this technique means organizations that advertise jobs through third-party services should be aware of the threat operator’s tactics, techniques and procedures (TTPs).

Sources: CisoAdvisor, ProofPoint
