{"id":3067,"date":"2025-05-06T00:45:31","date_gmt":"2025-05-06T00:45:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3067"},"modified":"2025-05-06T00:45:31","modified_gmt":"2025-05-06T00:45:31","slug":"fake-resumes-targeting-hr-managers-now-come-with-updated-backdoor","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3067","title":{"rendered":"Fake resumes targeting HR managers now come with updated backdoor"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs should warn HR staff not to be fooled by a new spear phishing campaign that contains job applications that include updated malware, and take steps to identify and block an improved backdoor.<\/p>\n<p>That warning came Monday from researchers at Arctic Wolf, who said a group some researchers know as Venom Spider, or TA4557, has been recently targeting corporate human resources departments and recruiters to spread malware through an enhanced version of its \u201cMore_eggs\u201d backdoor.<\/p>\n<p>The group uses legitimate messaging services and job platforms to apply for real jobs using fake malicious resum\u00e9s that drop the backdoor, the report said. 
With backdoor access, the crooks can then steal credentials, customer payment data, intellectual property, or trade secrets.<\/p>\n<p>The threat actor has made several upgrades to More_eggs to infect victims more effectively and to evade automated analysis techniques like sandboxing, Arctic Wolf said.<\/p>\n<p>\u201cThe recruiters and hiring managers who work in HR departments are often considered to be the weak point in an organization by attackers, as the very nature of their job means that they must regularly open email attachments (such as resum\u00e9s and cover letters) emailed to them from external and unknown sources, including job candidates and hiring agencies,\u201d <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims\/\" target=\"_blank\" rel=\"noopener\">said the report<\/a>.<\/p>\n<p>Typically, a malicious message in this campaign contains a link, supposedly to allow the manager to download the job seeker\u2019s resum\u00e9 from an external site. If the manager clicks the link, they are taken to an actor-controlled website from which the recruiter can download a (decoy) resum\u00e9. On this site, the user must check a CAPTCHA box, a precaution that helps the site bypass automatic scanners.<\/p>\n<p>If the victim successfully passes the CAPTCHA test, a zip file is downloaded to their device, which the recruiter is led to believe is the candidate\u2019s resum\u00e9. Instead, the zip file contains a malicious Windows shortcut (.lnk) file as well as an image file. 
The .lnk file is the payload for the first stage of the attack chain, while the .jpg image file is just a distraction.<\/p>\n<p>The threat actor\u2019s infrastructure issuing the .lnk file supports server-side polymorphism, meaning a new malicious .lnk file is generated for each individual download, with different code obfuscation and a different file size each time.<\/p>\n<p>The .lnk file contains an obfuscated .bat script, which performs several actions when the .lnk file is opened. The script creates a file called <em>%temp%\\ieuinit.inf<\/em> and writes obfuscated commands to it, including a Windows batch file.<\/p>\n<p>When this code is executed, Microsoft WordPad is automatically launched as a ploy to distract the user, who is meant to believe the promised resum\u00e9 is being opened. The batch script then covertly launches the legitimate Windows utility <em>%windir%\\system32\\ie4uinit.exe<\/em>, which in turn executes the commands it reads from a file named <em>ieuinit.inf<\/em>. The contents of that file trigger execution of the commands in the malicious <em>%temp%\\ieuinit.inf<\/em> the script planted earlier.<\/p>\n<p>\u201cThis is a living-off-the-land (LOTL) technique that has been around for a while,\u201d the report noted. Its purpose here is to use a legitimate Windows binary, <em>ie4uinit.exe<\/em>, to execute commands and run JavaScript code.<\/p>\n<p>The <em>ieuinit.inf<\/em> file contains the URL for the next stage of the attack chain, which downloads the More_eggs dropper. The dropper\u2019s library is complex, using obfuscated code that generates JavaScript polymorphically. 
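One way to hunt for the chain described above, given here as an added example that is not Arctic Wolf's or the campaign's own code: the logic below runs over constructed, Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records and pairs an ieuinit.inf written outside the Windows system directories with an ie4uinit.exe launch whose parent is a script interpreter on the same host shortly afterwards. The sample events, host name and user profile path are invented; the field names Image, ParentImage, TargetFilename and UtcTime follow Sysmon's schema, and the 120-second correlation window and the list of interpreter parents are assumptions to tune against real telemetry.

```python
"""Correlate Sysmon-style events for the ie4uinit.exe / ieuinit.inf LOTL chain.

Added example, not Arctic Wolf's or the campaign's code. Assumes process-creation
(Sysmon Event ID 1) and file-creation (Event ID 11) telemetry with the standard
Sysmon field names Image, ParentImage, TargetFilename and UtcTime. The sample
events below are constructed for illustration.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Directories where a legitimate ieuinit.inf is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Parents that indicate ie4uinit.exe was started by a script rather than a service (assumption).
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# How long after the .inf write an ie4uinit.exe launch still counts (assumption).
WINDOW = timedelta(seconds=120)

# Constructed sample telemetry from one host: a benign ie4uinit.exe run at logon,
# then the chain the article describes (cmd.exe from a .lnk writes ieuinit.inf
# to %temp%, launches WordPad as a decoy, then runs ie4uinit.exe).
EVENTS = [
    {"EventID": 1, "UtcTime": "2025-05-05 08:00:01", "Computer": "HR-WS01",
     "Image": r"C:\Windows\System32\ie4uinit.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "UtcTime": "2025-05-05 09:14:02", "Computer": "HR-WS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2025-05-05 09:14:03", "Computer": "HR-WS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\hr\AppData\Local\Temp\ieuinit.inf"},
    {"EventID": 1, "UtcTime": "2025-05-05 09:14:04", "Computer": "HR-WS01",
     "Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "UtcTime": "2025-05-05 09:14:05", "Computer": "HR-WS01",
     "Image": r"C:\Windows\System32\ie4uinit.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _ts(event):
    """Parse Sysmon's UtcTime string into a datetime."""
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _name(path):
    """Case-insensitive file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path):
    """True if the file sits directly in System32 or SysWOW64."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def suspicious_inf_writes(events):
    """Event 11: an ieuinit.inf created anywhere but the Windows system directories."""
    return [e for e in events
            if e["EventID"] == 11
            and _name(e["TargetFilename"]) == "ieuinit.inf"
            and not _in_system_dir(e["TargetFilename"])]


def scripted_ie4uinit_runs(events):
    """Event 1: ie4uinit.exe spawned by a shell or script interpreter."""
    return [e for e in events
            if e["EventID"] == 1
            and _name(e["Image"]) == "ie4uinit.exe"
            and _name(e["ParentImage"]) in SCRIPT_PARENTS]


def correlate(events):
    """Return (inf_write, ie4uinit_run) pairs on the same host within WINDOW."""
    hits = []
    for inf in suspicious_inf_writes(events):
        for run in scripted_ie4uinit_runs(events):
            same_host = run["Computer"] == inf["Computer"]
            if same_host and timedelta(0) <= _ts(run) - _ts(inf) <= WINDOW:
                hits.append((inf, run))
    return hits


if __name__ == "__main__":
    for inf, run in correlate(EVENTS):
        print(f"{run['Computer']}: {inf['TargetFilename']} written at {inf['UtcTime']}, "
              f"then {run['Image']} launched by {run['ParentImage']} at {run['UtcTime']}")
```

Run as a script it prints the single correlated hit; the benign ie4uinit.exe run at logon (parent svchost.exe) is deliberately not flagged, because the detection keys on the out-of-place .inf and the scripting parent, not on the binary name alone. Server-side polymorphism changes the .lnk on every download, so a rule like this, which watches behaviour rather than file hashes, is what the article's later recommendation to deploy detection rules for the More_eggs components amounts to in practice.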
Execution of the library is time-delayed to evade sandboxing and analysis by researchers.<\/p>\n<p>Experts say resume scams are a long-time \u2013 and successful \u2013 tactic, because hiring officers are used to opening attachments that are supposed to contain a CV. In addition to data theft, another goal can be espionage, so targets include government departments, defense manufacturers, IT companies and critical infrastructure providers.<\/p>\n<p>One trick: the applicant includes in the email a password for opening the supposed resum\u00e9. A password-protected attachment is harder for email gateways to screen directly. In 2018, Mailguard, an Australian email security provider, <a href=\"https:\/\/www.mailguard.com.au\/blog\/cleverly-disguised-job-applications-downloads-malicious-payload\" target=\"_blank\" rel=\"noopener\">warned of a phishing campaign using this tactic.<\/a><\/p>\n<p>Another tactic is an email sent to an organization\u2019s managers, purporting to come from HR, with an attachment supposedly listing approved hires.<\/p>\n<h2 class=\"wp-block-heading\">Advice to CISOs<\/h2>\n<p>Organizations that use third-party job posting websites \u2014 including sites such as LinkedIn and Indeed.com \u2014 should regularly train employees to identify and counter spear phishing attacks, said Arctic Wolf.<\/p>\n<p>\u201cVenom Spider has deliberately engineered their campaign to circumvent signature-based detection systems,\u201d said Ismael Valenzuela, vice president of threat research and intelligence at Arctic Wolf, in an email. \u201cEffective mitigation should integrate targeted controls with scalable email defenses. Secure email gateways can be configured to block file extensions commonly exploited in these campaigns, while system administrators can implement granular policy restrictions on workstations. 
Network segmentation limits the blast radius in the event of a compromise and frustrates threat actors\u2019 attempts to move laterally upon gaining access.\u201d\u00a0<\/p>\n<p>\u201cManaged Detection and Response solutions function as one of the final defensive layers, though numerous opportunities exist to interrupt the infection chain earlier,\u201d he added. \u201cEffective cybersecurity ultimately depends on a layered approach rather than overreliance on any single protective measure.\u201d<\/p>\n<p>He provided these recommendations for CISOs, to help mitigate the threat:\u00a0<\/p>\n<p>Consider the use of Secure Email Gateway solutions to help proactively filter out malicious emails.\u00a0\u00a0<\/p>\n<p>Implement an Endpoint Detection and Response (EDR) solution.\u00a0<\/p>\n<p>Ensure all employees throughout the company are aware of security best practices, including awareness of social engineering techniques. Additional care is required when staff are expected to regularly intake and review documents from the public, such as resum\u00e9s and online portfolios.\u00a0<\/p>\n<p>Employees should be cautioned that certain file extensions such as LNK, VBS or ISO may be malicious and should not be opened.\u00a0\u00a0<\/p>\n<p>Zip files may bypass automatic email security filters, so additional care should be taken to preview the contents of enclosed files before opening them.\u00a0<\/p>\n<p>Add or enable a <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/preparing-employees-to-combat-phishing\/\" target=\"_blank\" rel=\"noopener\">phishing report button<\/a> in your organization\u2019s email solution, to empower employees to immediately report suspected phishing emails to your SOC or IT security team.\u00a0\u00a0<\/p>\n<p>Consider conducting regular internal phishing tests to reinforce security training.\u00a0<\/p>\n<p>It is vital for leadership to create a streamlined process for staff to report suspicious activity without fear of 
judgement.\u00a0<\/p>\n<p>Positive feedback should be provided to those who successfully identify phishing drills, but it is also important to avoid punishing or \u201cnaming and shaming\u201d those who fall for phishing test emails. By creating an environment that encourages vigilance, phishing attempts can be caught well before they cause a major incident.\u00a0<\/p>\n<p>Leadership must acknowledge that even well-trained staff may make mistakes when socially engineered to believe that there is an emergency. Threat actors may use language in their phishing emails that is deliberately calculated to inspire urgency or fear, such as spoofed emails from leadership requesting the employee take immediate action or face the consequences.\u00a0<\/p>\n<p>Block identified command-and-control infrastructure used in this campaign.\u202f\u00a0\u00a0<\/p>\n<p>Deploy detection rules for malicious components used by More_eggs malware.\u202f\u00a0\u00a0<\/p>\n<p>Carefully review logs for indicators of compromise.\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs should warn HR staff not to be fooled by a new spear phishing campaign that contains job applications that include updated malware, and take steps to identify and block an improved backdoor. 
That warning came Monday from researchers at Arctic Wolf, who said a group some researchers know as Venom Spider, or TA4557, has [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3068,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3067","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3067"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3067"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3067\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3068"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3067"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}