TA4557, a #threatactor tracked since 2018 for #sending #job-themed #email #threats, has started a new technique of #targeting #recruiters with direct emails that ultimately lead to #malware #delivery, according to Proofpoint. The threat actor, known for using the More_eggs downloader as its malware dropper, had previously only applied to jobs posted on public job boards or in LinkedIn postings and inserted #malicious #URLs in the application. Since October 2023, however, TA4557 has been observed directly emailing employers seeking candidates for various job roles.
In early November 2023, Proofpoint observed TA4557 directing the recipient to "refer to the domain name of my email address to access my portfolio" in the initial email, instead of sending the resume website URL directly in a follow-up response, according to the post. This was likely a further attempt to evade automated detection of #suspicious #domains. The #potential #victim, upon visiting the "personal website" as directed by the threat actor, is presented with a page showing a #fake #candidate #resume; that page filters the visitor on arrival and decides whether to send them to the next stage of the attack.
Users who pass the threat actor's filtering checks are then sent to the candidate website, which employs a CAPTCHA; on completion, it initiates the download of a zip file containing a shortcut (LNK) file. The LNK file abuses legitimate functionality in "ie4uinit.exe," a Microsoft utility program, to download and execute a scriptlet from a location specified in a second file, "ie4uinit.inf," included in the zip. Proofpoint noted in the blog post that it has seen an increase in threat actors using benign messages to build trust and engage with a target before sending the malicious content, and TA4557's adoption of this technique means organizations that use third-party job postings should watch for this actor's tactics, techniques, and procedures (TTPs).
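As an added defender-side example (not code from the Proofpoint post or from this summary), here is a Python heuristic run over constructed process-creation and file-creation events that flags the pattern described above: ie4uinit.exe executing with a working directory outside the Windows directory, or an ie4uinit.inf written outside it. Field names (Image, CurrentDirectory, TargetFilename) follow Sysmon conventions; the sample events are constructed, and the premise that the legitimate utility runs with its working directory under C:\Windows is an assumption to tune against your own baseline.

```python
"""Heuristic detection for ie4uinit.exe / ie4uinit.inf abuse (added example)."""
from pathlib import PureWindowsPath

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "Image": r"C:\Windows\System32\ie4uinit.exe",
     "CurrentDirectory": r"C:\Windows\System32",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "type": "filecreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\hr\Downloads\candidate\ie4uinit.inf"},
    {"id": 3, "type": "process", "Image": r"C:\Windows\System32\ie4uinit.exe",
     "CurrentDirectory": r"C:\Users\hr\Downloads\candidate",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4, "type": "process", "Image": r"C:\Windows\System32\notepad.exe",
     "CurrentDirectory": r"C:\Users\hr\Downloads",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumption: legitimate ie4uinit activity stays inside the Windows directory.
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")


def under_windows_dir(path: str) -> bool:
    """True if path lies inside the Windows directory (case-insensitive)."""
    try:
        PureWindowsPath(path).relative_to(WINDOWS_DIR)
        return True
    except ValueError:
        return False


def is_suspicious(event: dict) -> bool:
    """Flag ie4uinit.exe running from, or ie4uinit.inf dropped into, a user path."""
    if event["type"] == "process":
        if PureWindowsPath(event["Image"]).name.lower() != "ie4uinit.exe":
            return False
        # A user-writable working directory means a co-located .inf can be picked up.
        return not under_windows_dir(event["CurrentDirectory"])
    if event["type"] == "filecreate":
        target = PureWindowsPath(event["TargetFilename"])
        return target.name.lower() == "ie4uinit.inf" and not under_windows_dir(str(target))
    return False


def flagged_event_ids(events) -> list:
    """Return the ids of events that match the heuristic, in input order."""
    return [e["id"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    print(flagged_event_ids(SAMPLE_EVENTS))  # [2, 3]
```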
@laninfotech @glenbenjamin #laninfotech #becybersmart #becyberfit #besafe LAN Infotech, LLC
I applied through LinkedIn, but I would love to say hi and introduce myself to one of your talent acquisition partners too.