https://www.helpnetsecurity.com/2023/12/12/recruiters-spear-phishing/
Submission: On December 13 via api from TR — Scanned from DE
RECRUITERS, BEWARE OF CYBERCROOKS POSING AS JOB APPLICANTS!

Zeljka Zorz, Editor-in-Chief, Help Net Security
December 12, 2023

Recruiters are being targeted via spear-phishing emails sent by cybercrooks impersonating job applicants, Proofpoint researchers are warning.

“The tone and content of the emails suggest to the recipient the actor is a legitimate candidate, and because the actor specifically targets people who are involved in recruiting and hiring, the emails do not immediately seem suspicious,” they noted.

THE ATTACK STARTS WITH AN EMAIL, ENDS WITH MALWARE

The threat actor – designated as TA4557 by Proofpoint – first reaches out to recruiters with a spear-phishing email that contains no malicious link or attachment, just an inquiry into whether a job position at a company is still open.

This first email is meant to prime the recruiter to implicitly trust the link provided in the follow-up email, which points to a fake resume website. (Sometimes there is no link: the recipient is instead instructed to copy-paste the domain name of the sender’s email address to access the sender’s personal site.)

[Image: a follow-up email (source: Proofpoint)]

“The website uses filtering to determine whether to direct the user to the next stage of the attack chain,” the researchers explained. “If the potential victim does not pass the filtering checks, they are directed to a page containing a resume in plain text. Alternatively, if they pass the filtering checks, they are directed to the candidate website.”

The latter uses a CAPTCHA that, when completed, triggers the download of a ZIP file containing a shortcut file (LNK).

If the victim executes the LNK file, a series of actions are performed in the background:

* A scriptlet is downloaded and executed (by abusing legitimate software functions)
* The scriptlet drops a DLL file in the %APPDATA%\Microsoft folder and tries to execute it either via Windows Management Instrumentation (WMI) or the ActiveX Object Run method
* The DLL retrieves an RC4 key, which it uses to decipher the More_Eggs backdoor, and drops the backdoor and an MSXSL executable
* WMI is again used to create the MSXSL process, and the DLL deletes itself

The backdoor, which can be used to profile the system, drop additional malicious payloads and establish persistence, is thus safely ensconced on the target machine.

EVADING AUTOMATED DETECTION

The researchers say that they have seen an increase in threat actors using benign messages to build trust and engage with a target before sending the malicious content.

“Proofpoint has been tracking TA4557 since 2018 as a skilled, financially motivated threat actor known to distribute the More_Eggs backdoor,” the researchers said. “In recently observed campaigns, TA4557 used both the new method of emailing recruiters directly as well as the older technique of applying to jobs posted on public job boards to commence the attack chain.”

The threat actor regularly changes their sender emails, fake resume domains, and infrastructure to prevent their emails from being flagged by email filters. For the same reason, the group starts their attack with an email that automated security tools are unlikely to “see” as suspicious or malicious.

© Copyright 1998-2023 by Help Net Security