New malware is using direct emails to hunt the head-hunters

In early November 2023, Proofpoint observed TA4557 directing the recipient to “refer to the domain name of my email address to access my portfolio” in the initial email instead of sending the resume website URL directly in a follow-up response, according to the post. This was likely a further attempt to evade automated detection of suspicious domains.

The potential victim, upon visiting the “personal website” as directed by the threat actor, is presented with a page with a fake candidate resume, which filters the user upon visit and decides whether to send them to the next stage of the attack.

‘Living off the land’ to drop More_eggs backdoor

The users that pass the threat actor’s filtering checks are subsequently sent to the candidate website that employs a captcha, which upon completion, initiates downloading a zip file containing a shortcut file LNK. LNK abuses legitimate functions in “ie4uinit.exe,” a Microsoft utility program, to download and execute a scriptlet from a location in another “ie4uinit.inf” file in the zip.

“This technique is commonly referred to as ‘Living Off The Land’ (LOTL),” Proofpoint said. “The scriptlet decrypts and drops a DLL in the %APPDATA%Microsoft folder. The DLL employs anti-sandbox and anti-analysis techniques for evasion and drops the More_Eggs backdoor.”

More_eggs is a Javascript backdoor used to establish persistence, profile the machine, and drop additional payloads. TA4557 has been tracked since 2018 as a skilled, financially motivated threat actor using the More_Eggs backdoor capable of profiling the endpoint and sending additional payloads.

Proofpoint noted in the blog post that it has seen an increase in threat actors using benign messages to build trust and engage with a target before sending the malicious content, and TA4557 adopting this technique calls for organizations using third-party job posting to watch out for this actor’s tactics, techniques, and procedures (TTPs).