New malware is using direct emails to hunt the head-hunters

TA4557, a threat actor tracked since 2018 for sending job-themed email threats, has adopted a new technique: targeting recruiters with direct emails that ultimately lead to malware delivery, according to Proofpoint.

The threat actor, known for using the More_eggs downloader as its malware dropper, had previously only applied to jobs posted on public job boards or LinkedIn and inserted malicious URLs into the application.

Since October 2023, however, TA4557 has been observed directly emailing employers who are seeking candidates for various job roles.

“In recently observed campaigns, TA4557 used both the new method of emailing recruiters directly as well as the older technique of applying to jobs posted on public job boards to commence the attack chain,” Proofpoint said in a blog post.

Direct emails with malicious URLs

Within the new email technique, the attacker first sends the recruiter an outreach email to enquire about a job posting. Once the recipient replies to the initial email, the actor responds with a URL linking to a TA4557-controlled website posing as the candidate’s resume.

“Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website,” Proofpoint added in the post.

In early November 2023, Proofpoint observed TA4557 directing the recipient to “refer to the domain name of my email address to access my portfolio” in the initial email instead of sending the resume website URL directly in a follow-up response, according to the post. This was likely a further attempt to evade automated detection of suspicious domains.

When the potential victim visits the “personal website” as directed by the threat actor, they are presented with a page showing a fake candidate resume; the page filters visitors on arrival and decides whether to send them to the next stage of the attack.

‘Living off the land’ to drop More_eggs backdoor

Users who pass the threat actor’s filtering checks are then sent to the candidate website, which employs a captcha; completing it initiates the download of a zip file containing a shortcut (LNK) file. The LNK abuses legitimate functions of “ie4uinit.exe,” a Microsoft utility, to download and execute a scriptlet from a location specified in an “ie4uinit.inf” file also contained in the zip.

“This technique is commonly referred to as ‘Living Off The Land’ (LOTL),” Proofpoint said. “The scriptlet decrypts and drops a DLL in the %APPDATA%\Microsoft folder. The DLL employs anti-sandbox and anti-analysis techniques for evasion and drops the More_Eggs backdoor.”

More_eggs is a JavaScript backdoor used to establish persistence, profile the machine, and drop additional payloads. TA4557 has been tracked since 2018 as a skilled, financially motivated threat actor relying on this backdoor to profile the endpoint and deliver further payloads.

Proofpoint noted in the blog post that it has seen an increase in threat actors using benign messages to build trust and engage with a target before sending malicious content. With TA4557 adopting this approach, organizations that use third-party job postings should watch for this actor’s tactics, techniques, and procedures (TTPs).
