Particularly cheeky hackers directly contact recruiting companies by posing as candidates. Their goal? To encourage their targets to download a CV containing dangerous malware.
We know that scammers never lack imagination when it comes to setting up scams. Fresh proof comes today with an original and particularly daring method. The IT security company Proofpoint has just revealed, in a security note dated December 12, 2023, a new type of attack targeting companies and more particularly recruiters. The technique appears well-crafted and the threat worrying enough to warrant extra vigilance from potentially targeted actors in their exchanges with third parties.
The attackers’ objective is always the same in such cases: to push their target to download malware in order to gain access to the company’s computer system, access which can then be resold to other malicious actors, used to steal sensitive data or to encrypt the information system in order to demand a ransom.
The novelty here lies in the social engineering method used to achieve this objective, which turns out to be relatively sophisticated and capable of circumventing the vigilance of potential targets. Additionally, malware installed after a successful attack seems particularly difficult to detect by security devices such as antivirus software.
Hacker Candidate: A Sophisticated Social Engineering Attack
The hacker group identified by Proofpoint and behind this new attack method is called TA4557. It had already been carrying out actions targeting companies and recruiters since at least 2022, but until now had contented itself with creating fake candidate profiles, containing links leading to booby-trapped sites, on job sites and applications.
From now on, the TA4557 group makes direct contact by email with recruiters, posing as candidates interested in specific job offers. Once the target responds, the hackers begin an exchange aimed at tricking their victim into downloading malware without their knowledge. To do this, the attackers invite the recruiter to view the candidate’s CV on a “personal web page”, via a link present either in the body of the email or in a document attached to the message. Better still, in order to bypass the suspicious-link detection systems put in place by messaging services, the hackers may ask the recruiter to reach the “personal web page” by typing the domain name of the fake candidate’s email address directly into their browser, so that no clickable link ever appears in the message.
If the recruiter follows the attacker’s instructions, he then lands on a page which imitates a candidate’s personal site, and whose content automatically adapts to the personal details of the fake candidate. The fraudulent web page then appears to perform a scan to determine whether the target’s computer can be compromised and, if so, prompts the recruiter to complete a captcha in order to download the fake candidate’s CV, in the form of a ZIP file containing malware.
This relatively sophisticated attack method seems formidable and capable of fooling even the most vigilant users. In most scam or hacking attempts, attackers contact a passive target, who may be on guard against an unexpected contact. In this case, the potential victim is a recruiter who is actively looking and therefore has no particular reason to be suspicious when contacted by an interested candidate. Furthermore, the use of a personal web page as a CV has become a very widespread practice, because it allows candidates to stand out and demonstrate their skills in graphic design, editorial content or web development, for example. All the ingredients are therefore there to ensure that the manipulation is not perceived as such by the target, and that the target follows the hackers’ instructions without suspicion.
More_Eggs: malware that is difficult to detect
If the attack succeeds and the victim unfortunately downloads the booby-trapped ZIP file, malware is then installed on their machine without their knowledge. This program aims to open a backdoor known as More_Eggs on the infected system, thereby giving the attackers full access to the victim’s computer. The malware also appears to use several techniques to evade scanning by antivirus tools and sandbox-based process isolation.
In its security note, Proofpoint details precisely how the malware works and the series of actions performed on the victim’s system to open the backdoor, but unfortunately does not indicate technical countermeasures capable of preventing or interrupting the execution of the program. As is often the case with this type of manipulation attack, the best protective strategies remain organizational and behavioral. Proofpoint concludes its note by inviting potentially affected companies and organizations to pay particular attention to raising awareness among, and training, everyone in the recruitment chain.