CISOs should warn HR staff not to be fooled by a new spear phishing campaign that contains job applications that include updated malware, and take steps to identify and block an improved backdoor.
That warning came Monday from researchers at Arctic Wolf, who said a group some researchers know as Venom Spider, or TA4557, has been recently targeting corporate human resources departments and recruiters to spread malware through an enhanced version of its “More_eggs” backdoor.
The group uses legitimate messaging services and job platforms to apply for real jobs using fake malicious resumés that drop the backdoor, the report said. With backdoor access, the crooks can then steal credentials, customer payment data, intellectual property, or trade secrets.
The threat actor has made several upgrades to More_eggs to infect victims more effectively and to evade automated analysis techniques like sandboxing, Arctic Wolf said.
“The recruiters and hiring managers who work in HR departments are often considered to be the weak point in an organization by attackers, as the very nature of their job means that they must regularly open email attachments (such as resumés and cover letters) emailed to them from external and unknown sources, including job candidates and hiring agencies,” said the report.
Typically, a malicious message in this campaign contains a link, supposedly to allow the manager to download the job seeker’s resumé from an external site. If the manager clicks the link, they are taken to an actor-controlled website from which the recruiter can download a (decoy) resumé. On this site, the user must check a CAPTCHA box, a precaution that helps the site bypass automatic scanners.
If the victim successfully passes the CAPTCHA test, a zip file is downloaded to their device, which the recruiter is led to believe is the candidate’s resumé. Instead, the zip file contains a malicious Windows shortcut (.lnk) file as well as an image file. The .lnk file is the payload for the first stage of the attack chain, while the .jpg image file is just a distraction.
The threat actor’s infrastructure issuing the .lnk file supports server polymorphism, meaning a new malicious .lnk file, with different code obfuscation and file size, is generated for each individual download.
The .lnk file contains an obfuscated .bat script, which performs several actions when the .lnk file is opened. The script creates a file called %temp%\ieuinit.inf and writes obfuscated commands to it, including a Windows batch file.
When this code is executed, Microsoft WordPad is automatically launched in a ploy to distract the user, who is meant to believe the promised resumé is being opened. The batch script will then covertly launch the legitimate Windows utility %windir%\system32\ie4uinit.exe, which in turn executes the commands from the file ieuinit.inf. The contents of this file will trigger execution of commands within the malicious %temp%\ieuinit.inf file.
“This is a living-off-the-land (LOTL) technique that has been around for a while,” the report noted. Its purpose here is to use a legitimate application, ie4uinit.exe, to execute commands and run JavaScript code.
The ieuinit.inf file contains the URL of the next step in the attack chain, downloading the More_eggs dropper. Its executable library is complex, utilizing obfuscated code that generates JavaScript code polymorphically. Execution of the library is time-delayed to evade sandboxing and analysis by researchers.
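As an added defender-side example (not from the Arctic Wolf report), the following Python flags the ieuinit.inf-then-ie4uinit.exe sequence described above in constructed Sysmon-style process- and file-creation events; the event layout, hostnames and timestamps are assumptions about the telemetry, not details the report gives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry). Event ID 11 = file
# create, Event ID 1 = process create; field names follow Sysmon's schema.
EVENTS = [
    {"ts": "2025-05-05T09:14:02", "host": "HR-WS01", "id": 11,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\recruiter\AppData\Local\Temp\ieuinit.inf"},
    {"ts": "2025-05-05T09:14:03", "host": "HR-WS01", "id": 1,
     "Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-05-05T09:14:05", "host": "HR-WS01", "id": 1,
     "Image": r"C:\Windows\System32\ie4uinit.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Constructed control: ie4uinit.exe without a script-host parent and with
    # no ieuinit.inf written to Temp on that host
    {"ts": "2025-05-05T11:30:00", "host": "FIN-WS07", "id": 1,
     "Image": r"C:\Windows\System32\ie4uinit.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

TEMP_INF = re.compile(r"\\temp\\ieuinit\.inf$", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=5)

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect_ie4uinit_chain(events):
    """Return (host, timestamp) for each ie4uinit.exe launch by a script host
    that follows an ieuinit.inf write to a Temp directory on the same host."""
    inf_writes = defaultdict(list)
    for e in events:
        if e["id"] == 11 and TEMP_INF.search(e["TargetFilename"]):
            inf_writes[e["host"]].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for e in events:
        if e["id"] != 1 or basename(e["Image"]) != "ie4uinit.exe":
            continue
        if basename(e["ParentImage"]) not in SCRIPT_HOSTS:
            continue
        t = datetime.fromisoformat(e["ts"])
        if any(timedelta(0) <= t - w <= WINDOW for w in inf_writes[e["host"]]):
            hits.append((e["host"], e["ts"]))
    return hits
```

The WordPad launch is deliberately not part of the rule, since it is a distraction rather than a reliable indicator; the Temp .inf write paired with a script host spawning ie4uinit.exe is the part of the chain worth alerting on.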
Experts say resume scams are a long-time – and successful – tactic, because hiring officers are used to opening attachments that are supposed to contain a CV. In addition to data theft, another goal can be espionage, so targets include government departments, defense manufacturers, IT companies, and critical infrastructure providers.
One trick: The applicant includes a password for opening the supposed resumé in their email. That’s a tactic to make it harder for email gateways to directly screen the attachment. In 2018, Mailguard, an Australian email security provider, warned of a phishing campaign using this tactic.
Another tactic is an email that goes to an organization’s managers, purporting to come from HR, with an attachment supposedly of approved hires.
Advice to CISOs
Organizations that use third-party job posting websites — including sites such as LinkedIn and Indeed.com — should regularly train employees to identify and counter spear phishing attacks, said Arctic Wolf.
“Venom Spider has deliberately engineered their campaign to circumvent signature-based detection systems,” said Ismael Valenzuela, vice president of threat research and intelligence at Arctic Wolf, in an email. “Effective mitigation should integrate targeted controls with scalable email defenses. Secure email gateways can be configured to block file extensions commonly exploited in these campaigns, while system administrators can implement granular policy restrictions on workstations. Network segmentation limits the blast radius in the event of a compromise and frustrates threat actors’ attempts to move laterally upon gaining access.”
“Managed Detection and Response solutions function as one of the final defensive layers, though numerous opportunities exist to interrupt the infection chain earlier,” he added. “Effective cybersecurity ultimately depends on a layered approach rather than overreliance on any single protective measure.”
He provided these recommendations for CISOs, to help mitigate the threat:
Consider the use of Secure Email Gateway solutions to help proactively filter out malicious emails.
Implement an Endpoint Detection and Response (EDR) solution.
Ensure all employees throughout the company are aware of security best practices, including awareness of social engineering techniques. Additional care is required when staff are expected to regularly intake and review documents from the public, such as resumés and online portfolios.
Employees should be cautioned that certain file extensions such as LNK, VBS or ISO may be malicious and should not be opened.
Zip files may bypass automatic email security filters, so additional care should be taken to preview the contents of enclosed files before opening them.
Add or enable a phishing report button in your organization’s email solution, to empower employees to immediately report suspected phishing emails to your SOC or IT security team.
Consider conducting regular internal phishing tests to reinforce security training.
It is vital for leadership to create a streamlined process for staff to report suspicious activity without fear of judgement.
Positive feedback should be provided to those who successfully identify phishing drills, but it is also important to avoid punishing or “naming and shaming” those who fall for phishing test emails. By creating an environment that encourages vigilance, phishing attempts can be caught well before they cause a major incident.
Leadership must acknowledge that even well-trained staff may make mistakes when socially engineered to believe that there is an emergency. Threat actors may use language in their phishing emails that is deliberately calculated to inspire urgency or fear, such as spoofed emails from leadership requesting the employee take immediate action or face the consequences.
Block identified command-and-control infrastructure used in this campaign.
Deploy detection rules for malicious components used by More_eggs malware.
Carefully review logs for indicators of compromise.
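The zip lure described earlier (a .lnk beside a decoy image), the password trick from the 2018 campaign, and the recommendations on risky extensions and zip previewing can all be checked before anyone opens an attachment. This is an added example, not Arctic Wolf's tooling; it reads only the archive's central directory, and the sample archives are constructed in memory.

```python
import io
import posixpath
import zipfile

# File types the recommendations single out; extend to match local policy
RISKY_EXT = {".lnk", ".vbs", ".iso"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif"}

def inspect_zip(data):
    """Classify a zip attachment from its central directory alone, without
    extracting anything. Returns (verdict, reasons)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "block", ["not a valid zip archive"]
    reasons = []
    ext = {i.filename: posixpath.splitext(i.filename)[1].lower() for i in infos}
    risky = [n for n, x in ext.items() if x in RISKY_EXT]
    if risky:
        reasons.append("risky file type(s): " + ", ".join(risky))
    # The lure described in the article: a shortcut shipped with only a decoy image
    if ".lnk" in ext.values() and all(x in RISKY_EXT | DECOY_EXT for x in ext.values()):
        reasons.append("shortcut plus decoy image, no real document")
    # Bit 0 of the general-purpose flag marks an encrypted entry; a gateway
    # cannot inspect its content, which is the point of the password trick
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    if encrypted:
        reasons.append("password-protected entries: " + ", ".join(encrypted))
    if risky:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons

def build_zip(files, encrypted_flag=False):
    """Constructed sample archives. zipfile cannot write encrypted entries, so
    the encryption bit is flipped in each central directory header by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        pos = data.find(b"PK\x01\x02")
        while pos != -1:
            data[pos + 8] |= 0x1
            pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)

LURE = build_zip({"J_Smith_Resume.lnk": b"L\x00\x00\x00", "photo.jpg": b"\xff\xd8"})
LOCKED = build_zip({"resume.pdf": b"%PDF-1.4"}, encrypted_flag=True)
CLEAN = build_zip({"resume.pdf": b"%PDF-1.4", "cover_letter.docx": b"PK"})
```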