2023-12-12

TA4557, a threat actor tracked since 2018 for sending job-themed email threats, has started a new technique of targeting recruiters with direct emails that ultimately lead to malware delivery, according to Proofpoint.

The threat actor, known for using the More_eggs downloader as its malware dropper, had previously only applied to jobs posted on public job boards or LinkedIn postings and inserted malicious URLs in the application.

Since October 2023, however, TA4557 has been observed directly emailing employers seeking candidates for various job roles.

“In recently observed campaigns, TA4557 used both the new method of emailing recruiters directly as well as the older technique of applying to jobs posted on public job boards to commence the attack chain,” Proofpoint said in a blog post.

Direct emails with malicious URLs

Within the new email technique, the attacker first sends the recruiter an outreach email to enquire about a job posting. Once the recipient replies to the initial email, the actor responds with a URL linking to a TA4557-controlled website posing as the candidate’s resume.

“Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website,” Proofpoint added in the post.

In early November 2023, Proofpoint observed TA4557 directing the recipient to “refer to the domain name of my email address to access my portfolio” in the initial email instead of sending the resume website URL directly in a follow-up response, according to the post. This was likely a further attempt to evade automated detection of suspicious domains.

The potential victim, upon visiting the “personal website” as directed by the threat actor, is presented with a page with a fake candidate resume, which filters the user upon visit and decides whether to send them to the next stage of the attack.

‘Living off the land’ to drop More_eggs backdoor

The users that pass the threat actor’s filtering checks are subsequently sent to the candidate website, which employs a captcha; upon completion, it initiates the download of a zip file containing a shortcut (LNK) file. The LNK abuses legitimate functions of “ie4uinit.exe,” a Microsoft utility program, to download and execute a scriptlet from a location specified in another file, “ie4uinit.inf,” in the zip.

“This technique is commonly referred to as ‘Living Off The Land’ (LOTL),” Proofpoint said. “The scriptlet decrypts and drops a DLL in the %APPDATA%\Microsoft folder. The DLL employs anti-sandbox and anti-analysis techniques for evasion and drops the More_Eggs backdoor.”

More_eggs is a JavaScript backdoor used to establish persistence, profile the machine, and drop additional payloads. TA4557 has been tracked since 2018 as a skilled, financially motivated threat actor using the More_eggs backdoor, which is capable of profiling the endpoint and sending additional payloads.

Proofpoint noted in the blog post that it has seen an increase in threat actors using benign messages to build trust and engage with a target before sending the malicious content. TA4557’s adoption of this technique means organizations using third-party job postings should watch out for this actor’s tactics, techniques, and procedures (TTPs).
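As an added example (not Proofpoint's code and not part of the original article), the following Python sketches how a defender might screen endpoint telemetry for the chain described above: ie4uinit.exe launched from a shortcut with its ie4uinit.inf in a user-writable location, and a DLL landing under %APPDATA%\Microsoft. The event schema, field names, path heuristics, the list of plausible writer processes and the sample records are all constructed assumptions rather than a real EDR format; tune them to the telemetry you actually collect.

```python
"""Heuristic detection for the LNK -> ie4uinit.exe -> scriptlet -> DLL chain described above.

Added example, not Proofpoint's code. Event records and field names imitate endpoint
telemetry but are constructed assumptions, not a real EDR schema.
"""
import ntpath
import re

# Assumption: ie4uinit.exe legitimately lives in the Windows system directories.
SYSTEM_IMAGES = (r"c:\windows\system32\ie4uinit.exe", r"c:\windows\syswow64\ie4uinit.exe")
# Assumption: path fragments that mark user-writable locations.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# Assumption: processes that would plausibly write the dropped DLL (scriptlet hosts plus ie4uinit.exe).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "ie4uinit.exe"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def is_user_writable(path: str) -> bool:
    return any(m in _norm(path) for m in USER_WRITABLE)


def flag_process_event(ev: dict) -> list:
    """Reasons a process-creation record looks like the ie4uinit.exe LOTL stage."""
    image = _norm(ev.get("image", ""))
    if ntpath.basename(image) != "ie4uinit.exe":
        return []
    reasons = []
    if image not in SYSTEM_IMAGES:
        reasons.append("ie4uinit.exe image outside the system directory")
    # ie4uinit.exe consumes an ie4uinit.inf; the article says the malicious one ships in the
    # zip, so a working directory or .inf argument in a user-writable location is the key signal.
    cwd = _norm(ev.get("current_directory", ""))
    if cwd and is_user_writable(cwd):
        reasons.append(f"working directory is user-writable: {cwd}")
    for inf in re.findall(r'[a-z]:\\[^\s"]+\.inf', _norm(ev.get("command_line", ""))):
        if is_user_writable(inf):
            reasons.append(f".inf referenced from user-writable path: {inf}")
    # A shortcut opened in Explorer yields explorer.exe as parent; only meaningful together
    # with another signal, so it is appended rather than used on its own.
    if reasons and ntpath.basename(_norm(ev.get("parent_image", ""))) == "explorer.exe":
        reasons.append("parent is explorer.exe (consistent with LNK launch)")
    return reasons


def flag_file_event(ev: dict) -> list:
    """Reasons a file-creation record looks like the DLL drop into %APPDATA%\\Microsoft."""
    target = _norm(ev.get("target_file", ""))
    writer = ntpath.basename(_norm(ev.get("image", "")))
    # %APPDATA% expands to <profile>\AppData\Roaming on Windows.
    if target.endswith(".dll") and "\\appdata\\roaming\\microsoft\\" in target and writer in SCRIPT_HOSTS:
        return [f"DLL written under %APPDATA%\\Microsoft by {writer}: {target}"]
    return []


def detect(events: list) -> dict:
    """Map event id -> reasons for every event that triggers at least one heuristic."""
    hits = {}
    for ev in events:
        reasons = flag_process_event(ev) if ev.get("type") == "process" else flag_file_event(ev)
        if reasons:
            hits[ev["id"]] = reasons
    return hits


# Constructed sample telemetry: a benign ie4uinit.exe run, one matching the described chain
# (system binary, but started from an extracted zip folder via Explorer), the DLL drop by a
# script host, and an unrelated DLL write by an installer that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\ie4uinit.exe",
     "command_line": r"C:\Windows\System32\ie4uinit.exe",
     "current_directory": r"C:\Windows\System32",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\ie4uinit.exe",
     "command_line": r"C:\Windows\System32\ie4uinit.exe",
     "current_directory": r"C:\Users\recruiter\Downloads\resume",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "target_file": r"C:\Users\recruiter\AppData\Roaming\Microsoft\update.dll"},
    {"id": 4, "type": "file", "image": r"C:\Program Files\Vendor\setup.exe",
     "target_file": r"C:\Users\recruiter\AppData\Roaming\Microsoft\helper.dll"},
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

The heuristics deliberately require a locational anomaly (user-writable working directory, .inf argument, or relocated binary) before the explorer.exe parent is counted, since ie4uinit.exe does run legitimately from system paths; the DLL check keys on the %APPDATA%\Microsoft drop location the article quotes, restricted to script-host writers to keep installer noise out.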