
How a cybercriminal group is targeting recruiters with malware


Recruiters are always looking for the best talent to fill their vacancies. But what if some candidates who apply for the jobs are cybercriminals in disguise? That is the scenario that a security company called Proofpoint has uncovered in a recent report.

Proofpoint has been tracking a threat actor group, dubbed TA4557, since 2018. This group is known for distributing a malware family called More_Eggs, which can steal financial data and possibly other sensitive information from infected computers.

The group has been using a clever social engineering technique to lure recruiters into opening malicious links or files. The technique involves sending benign emails to recruiters, expressing interest in a job opening. The emails do not contain malicious content but are designed to elicit a response from the recruiters.

If the recruiters reply to the emails, the group sends a follow-up email with a link to a fake resume website or a PDF or Word file with instructions to visit the fake website. The website looks like a legitimate resume or portfolio site, but it has a hidden mechanism to filter out unwanted visitors.

If the visitors pass the filtering criteria, they are asked to solve a CAPTCHA, which triggers the download of a ZIP file containing a Windows shortcut (LNK) file. If the LNK file is executed, it uses a technique called Living Off The Land, which abuses legitimate software functions already present on the system to download and run a scriptlet from a remote location.

The scriptlet then decrypts and drops a DLL file, which in turn decrypts and runs the More_Eggs malware along with a legitimate MSXSL executable. The malware then establishes a backdoor connection to the attackers' server, allowing them to access the compromised system and perform malicious actions.
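Two points in the chain just described give defenders something concrete to check for: the ZIP that carries a Windows shortcut, and the legitimate MSXSL executable running from wherever the malware dropped it. The script below is an added example written for this post, not code from Proofpoint or from the original article. It builds a constructed sample ZIP in memory and a few constructed process-creation events; the JSON field names (`image`, `parent_image`), the list of user-writable directory prefixes and the sample paths are assumptions for the example, not indicators from the report.

```python
"""Defensive checks for the delivery chain described in the post.

Added example, not from Proofpoint or the original post. Two heuristic checks:
1. flag ZIP archives that carry a Windows shortcut (.lnk), the stage the text
   describes after the CAPTCHA;
2. flag process-creation events where msxsl.exe (the legitimate XSLT tool the
   text mentions) runs from a user-writable location.
The log format and the 'user-writable path' list are assumptions for this example.
"""
import io
import json
import zipfile

# Assumed: extensions a mail/web gateway would treat as shortcut content.
SHORTCUT_EXTENSIONS = (".lnk",)

# Assumed: directory prefixes an ordinary user can write to (lower-cased).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def shortcut_entries(zip_bytes: bytes) -> list[str]:
    """Return the names of every .lnk entry inside a ZIP archive given as bytes.

    Entries in nested directories are covered because zipfile reports full
    member paths. A corrupt archive is reported as one pseudo-entry so that it
    is still surfaced rather than silently passed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().endswith(SHORTCUT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def suspicious_msxsl_events(log_lines: list[str]) -> list[dict]:
    """Flag process-creation events where msxsl.exe runs from a user-writable path.

    Each line is JSON with at least 'image' (full path of the new process) and
    'parent_image'. The field names are assumptions for this example.
    """
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        image = event.get("image", "").lower()
        if not image.endswith("\\msxsl.exe"):
            continue
        if image.startswith(USER_WRITABLE_PREFIXES):
            hits.append(event)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP with a decoy PDF name next to a shortcut file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John_Doe_Resume.pdf", b"%PDF-1.4 decoy")
        # First four bytes of a real .lnk are the header size 0x4C; rest is filler.
        zf.writestr("John_Doe_Resume.lnk", b"L\x00\x00\x00" + b"\x00" * 16)
    return buf.getvalue()


# Constructed sample events; paths are illustrative, not IoCs from the report.
SAMPLE_EVENTS = [
    json.dumps({"image": "C:\\Users\\hr\\AppData\\Local\\Temp\\msxsl.exe",
                "parent_image": "C:\\Windows\\System32\\rundll32.exe"}),
    json.dumps({"image": "C:\\Program Files\\Tools\\msxsl.exe",
                "parent_image": "C:\\Windows\\System32\\cmd.exe"}),
    json.dumps({"image": "C:\\Windows\\System32\\notepad.exe",
                "parent_image": "C:\\Windows\\explorer.exe"}),
    "not json at all",
]

if __name__ == "__main__":
    print("LNK entries:", shortcut_entries(build_sample_zip()))
    for hit in suspicious_msxsl_events(SAMPLE_EVENTS):
        print("suspicious msxsl.exe:", hit["image"], "parent:", hit["parent_image"])
```

The second check deliberately does not alert on every msxsl.exe execution: an administrator may legitimately keep the tool under Program Files, so only the user-writable locations a dropper would use are flagged. In a real environment the prefix list should be tuned to the organisation's own software-deployment paths.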

Proofpoint describes TA4557 as a skilled, financially motivated threat actor group demonstrating sophisticated social engineering. The group regularly changes its sender emails, fake resume domains and infrastructure to avoid detection.

This attack campaign shows how cybercriminals can exploit the human factor to bypass security defences and infect unsuspecting victims. Recruiters and anyone involved in hiring processes should be aware of this threat and exercise caution when dealing with unsolicited emails from unknown senders. They should also use reliable security software and update their systems to prevent malware infections.

Please let me know if you have any feedback or questions via LinkedIn.