Hackers are now pretending to be jobseekers to spread malware

DomainTools spots hackers creating fake job seeker personas
They target recruiters and HR managers with the More Eggs backdoor
The backdoor can steal credentials and execute commands

Hackers are now pretending to be jobseekers, targeting recruiters and organizations with dangerous backdoor malware, experts have warned.

Cybersecurity researchers DomainTools recently spotted a threat actor known as FIN6 using this method in the wild, noting the hackers would first create fake personas on LinkedIn, and create fake resume websites to go along.

The website domains are bought anonymously via GoDaddy, and are hosted on Amazon Web Services (AWS), to avoid being flagged or quickly taken down.

More Eggs

The hackers would then reach out to recruiters, HR managers, and business owners on LinkedIn, building a rapport before moving the conversation to email. Then, they would share the resume website which filters visitors based on their operating system and other parameters. For example, people coming through VPN or cloud connections, as well as those running macOS or Linux, are served benign content.

Those that are deemed a good fit are first served a fake CAPTCHA, after which they are offered a .ZIP archive for download. This archive, in what the recruiters believe is the resume, actually drops a disguised Windows shortcut file (LNK) that runs a script which downloads the “More Eggs” backdoor.

More Eggs is a modular backdoor that can execute commands, steal login credentials, deliver additional payloads, and execute PowerShell in a simple yet effective attack relying on social engineering and advanced evasion.

AWS has since came forward to thank the security community for the findings, and to stress that campaigns like this one violate its terms of service and are frequently removed from the platform.

“AWS has clear terms that require our customers to use our services in compliance with applicable laws,” an AWS spokesperson said.

“When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process.”

Via BleepingComputer

What's Hot

Who will own your company’s AI layer? Glean’s CEO explains

How to get into a16z’s super-competitive Speedrun startup accelerator program

Twilio co-founder’s fusion power startup raises $450M from Bessemer and Alphabet’s GV

PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs

DNS Poisoning Flaw, Supply-Chain Heist, Rust Malware Trick and New RATs Rising

CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks

College social app Fizz expands into grocery delivery

A Former Apple Luminary Sets Out to Create the Ultimate GPU Software

The Reason Murderbot’s Tone Feels Off

Most Popular