TA4557 Targets Recruiters Directly via Email
December 2023 by Proofpoint, Inc.
Proofpoint unveiled the results of its latest research into the activities of cybercriminal group TA4557, a threat actor that poses as a job applicant to targeted companies.
The attack technique is simple, but highly personalised and effective: the cybercriminal group applies for a job by email, with an attachment containing a file purporting to be the applicant’s CV. The file contains a malicious URL that installs the More_Eggs backdoor on the recruiter’s computer; the installation routine includes a loop strategically designed to extend its execution time, improving its ability to evade analysis in a sandbox environment. This backdoor enables cybercriminals to gain access to the endpoint at a later date, and also to sell this access to the corporate network to other cybercriminals.
In campaigns observed in early November 2023, Proofpoint observed that TA4557 asked the recipient to "refer to the domain name of my email address to access my portfolio" in the initial email instead of sending the CV website URL directly in a follow-up response. This is yet another attempt to evade automatic detection of suspicious domains.
An email purporting to come from a candidate and inviting the recipient to visit the domain indicated in the email address.
According to Proofpoint researchers, "TA4557 is clearly distinguishable from other threat actors tracked by Proofpoint due to the unique use of malware and tools, campaign targeting, use of job candidate-themed lures, sophisticated evasion measures employed to prevent detection, distinct attack chains and infrastructure controlled by the actor."
The main findings of the research are as follows:
– Since 2018, the threat actor has demonstrated highly advanced social engineering tactics, historically overlapping with activity associated with cybercriminal group FIN6.
– Over the past two years, TA4557 has been applying to existing open job opportunities claiming to be a legitimate candidate. The actor has included malicious URLs or files containing malicious URLs in the application.
– In the new attack technique, TA4557 targets recruiters with benign direct emails expressing interest in a vacancy. Once the recipient responds to the initial email, the actor replies with either a link to an actor-controlled website posing as a candidate CV, or a PDF or Word attachment containing instructions to visit the fake CV website.
– Since October 2023, Proofpoint has observed TA4557 using both the new method of sending emails directly to recruiters and the older technique of applying to jobs advertised on public job boards to start the attack chain.
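The "refer to the domain name of my email address" lure described for the November 2023 campaigns leaves no URL for a mail gateway to extract, so a detection has to infer the target site from the sender address instead. The following Python is an added example, not Proofpoint's own detection logic; the lure regex, the freemail list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed heuristic for the lure wording quoted in the report: the mail
# names no URL and instead points the reader at the sender's own domain.
IMPLICIT_DOMAIN_LURE = re.compile(
    r"\bdomain(?:\s+name)?\s+of\s+my\s+e-?mail(?:\s+address)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
# Webmail providers: the sender domain there is not an actor-controlled site.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

def sender_domain(msg):
    """Domain part of the From: header, lowercased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def assess(raw):
    """Return the sender domain plus the reasons this message should be held for review."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text/plain only, for brevity
    domain = sender_domain(msg)
    reasons = []
    if IMPLICIT_DOMAIN_LURE.search(body):
        reasons.append("body directs recipient to the sender's email domain")
        if not URL_RE.search(body):
            reasons.append("no explicit URL present; site is implied, not linked")
        if domain and domain not in FREEMAIL:
            reasons.append("implied site to detonate/inspect: " + domain)
    return {"sender_domain": domain, "reasons": reasons}

# Constructed samples (not real TA4557 messages).
LURE_MSG = """\
From: Applicant <jdoe@jdoe-portfolio.example>
To: recruiter@corp.example
Subject: Re: Senior Engineer opening

Thanks for getting back to me. Please refer to the domain name of my
email address to access my portfolio and CV.
"""
BENIGN_MSG = """\
From: Applicant <jdoe@gmail.com>
To: recruiter@corp.example
Subject: Re: Senior Engineer opening

Thanks for getting back to me. My CV is attached as a PDF.
"""
```

Running `assess(LURE_MSG)` returns three reasons and names the sender's domain as the site to inspect, while the benign reply returns none; in practice the implied domain would be fed to the same URL-detonation or reputation checks a linked URL would get.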