Financially motivated threat actor known as FIN6 It has been observed to leverage fake resumes hosted on Amazon Web Services (AWS) infrastructure to provide a malware family called More_eggs.
“By launching conversations through platforms such as LinkedIn, under the guise of job seekers, the group actually builds relationships with recruiters before delivering phishing messages that lead to malware,” the Domaintools Investigations (DTI) team said in a report shared with Hacker News.
More_eggs is a work by another cybercrime group called Golden Chickens (aka Venom Spider), which has recently been attributed to a new family of malware such as Terrastealerv2 and Terralogger. JavaScript-based backdoors can enable subsequent attacks that include credentials, system access, and ransomware.
One known customer for malware is FIN6 (aka Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557). It has been operational since 2012.
Hacking groups also have a history of using MageCart JavaScript skimmers to target e-commerce sites to collect financial information.
According to Payment Card Services Company Visa, FIN6 has used More_eggs as a first-stage payload until 2018 to infiltrate several e-commerce merchants, inserting malicious JavaScript code into the checkout page to set the ultimate goal of stealing card data.
“The data from the stolen payment cards will later be monetized by the group, sold to intermediaries, and openly sold in markets such as JokerStash before shutting down in early 2021,” SecureWorks said in the profile of threat actors.
The latest activities from FIN6 include the use of social engineering to initiate contact with recruiters on professional job platforms such as LinkedIn, and in fact, pose as a job seeker who distributes links (e.g. Bobbyweisman()com, Ryanberardi(.)com).
Domaintoools said fake domains disguised as individual portfolios have been registered anonymously through adaddy and anonymously due to the extra layer of obfuscation that makes attributes and takedown efforts more difficult.
“By taking advantage of GoDaddy’s domain privacy services, Fin6 further protects true subscriber details from the public view and takedown team,” the company said. “GoDaddy is a well-reputed and widely used domain registrar, but its built-in privacy features allow threat actors to easily hide their identity.”
Another notable aspect is to use trusted cloud services such as AWS Elastic Compute Cloud (EC2) and S3 to host phishing sites. Additionally, the site comes with built-in traffic filtering logic so that only future victims will be provided with a link to download the expected resume after completing the CAPTCHA check.
“Only users who appear to be on a home IP address can download malicious documents using a typical Windows-based browser,” Domaintools said. “If the visitor comes from a known VPN service, a cloud infrastructure such as AWS, or a corporate security scanner, this site will instead provide a harmless, plain text version of your resume.”
The downloaded resume takes the form of a ZIP archive that triggers an infection sequence when opened to deploy the More_Eggs malware.
“FIN6’s skeleton spider campaign demonstrates how effective a low-complexity phishing campaign is when combined with cloud infrastructure and advanced evasion,” the researchers concluded. “We’re ahead of many detection tools by using realistic job lures, bypassing the scanner and hiding the malware behind the walls of the capture.”
