Recommended reading

Hackers are now pretending to be jobseekers to spread malware

News
By published

As if fake recruiters weren't enough, fake candidates are also now a threat

Fingers typing on a laptop keyword, with many small images of people portrait pictures in the background.
(Image credit: Isabela Bela / Pixabay)
  • DomainTools spots hackers creating fake job seeker personas
  • They target recruiters and HR managers with the More Eggs backdoor
  • The backdoor can steal credentials and execute commands

Hackers are now pretending to be jobseekers, targeting recruiters and organizations with dangerous backdoor malware, experts have warned.

Cybersecurity researchers DomainTools recently spotted a threat actor known as FIN6 using this method in the wild, noting the hackers would first create fake personas on LinkedIn, and create fake resume websites to go along.

The website domains are bought anonymously via GoDaddy, and are hosted on Amazon Web Services (AWS), to avoid being flagged or quickly taken down.

More Eggs

The hackers would then reach out to recruiters, HR managers, and business owners on LinkedIn, building a rapport before moving the conversation to email. Then, they would share the resume website which filters visitors based on their operating system and other parameters. For example, people coming through VPN or cloud connections, as well as those running macOS or Linux, are served benign content.

Those that are deemed a good fit are first served a fake CAPTCHA, after which they are offered a .ZIP archive for download. This archive, in what the recruiters believe is the resume, actually drops a disguised Windows shortcut file (LNK) that runs a script which downloads the "More Eggs" backdoor.

More Eggs is a modular backdoor that can execute commands, steal login credentials, deliver additional payloads, and execute PowerShell in a simple yet effective attack relying on social engineering and advanced evasion.

AWS has since came forward to thank the security community for the findings, and to stress that campaigns like this one violate its terms of service and are frequently removed from the platform.

“AWS has clear terms that require our customers to use our services in compliance with applicable laws," an AWS spokesperson said.

"When we receive reports of potential violations of our terms, we act quickly to review and take steps to disable prohibited content. We value collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process."

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.