The financially motivated threat actor known as FIN6 has been observed using fake resumes hosted on Amazon Web Services (AWS) to deliver a malware family called More_eggs.
"By posing as job seekers and initiating conversations through platforms such as LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware," the DomainTools Investigations (DTI) team said in a report shared with The Hacker News.
More_eggs is the work of another cybercrime group called Golden Chickens (aka Venom Spider), which has recently been attributed new malware families such as TerraStealerV2 and TerraLogger. JavaScript-based, it is capable of credential theft, system access and follow-on attacks, including ransomware.
One of the malware's well-known customers is FIN6 (aka Skeleton Spider), which initially targeted point-of-sale (POS) systems in the hospitality and retail sectors to steal payment card details and profit from them. It has been active since 2012.
The hacking group also has a history of using Magecart JavaScript skimmers against e-commerce sites to harvest financial information.
According to payment card company Visa, FIN6 has leveraged More_eggs as a first-stage payload as far back as 2018 to breach several e-commerce merchants and inject malicious JavaScript code into its final targets.
"Stolen payment card data is later monetized by the group, sold to intermediaries or sold openly on marketplaces such as Joker's Stash, before it shut down in early 2021," Secureworks notes in its threat actor profile.
The latest FIN6 activity involves the use of social engineering to initiate contact with recruiters on professional job platforms such as LinkedIn and Indeed, posing as a job seeker in order to distribute a link (e.g., bobbyweisman(.)com, ryanbergardi(.)com) that purports to host their resume.
DomainTools noted that the bogus domains, which masquerade as personal portfolio sites, are registered anonymously through GoDaddy for an added layer of obfuscation, which complicates attribution efforts.
"By using GoDaddy's domain privacy services, FIN6 also shields the real registrant data from public view," the company said. "While GoDaddy is a reputable and widely used domain registrar, its built-in privacy features make it easy to hide one's identity."
Another distinctive aspect is the use of trusted cloud services such as AWS Elastic Compute Cloud (EC2) or S3 to host the phishing sites. What's more, the sites come with built-in traffic filtering logic to ensure that only prospective victims are served the link to download the purported resume, and only after completing a CAPTCHA check.
"Only users who appear to be on residential IP addresses and using common Windows browsers are allowed to download the malicious document," DomainTools said. "When a visitor comes from a known VPN service, cloud infrastructure like AWS, or corporate security scanners, the site instead serves a harmless plain-text version of the resume."
The downloaded resume takes the form of a ZIP archive that, when opened, triggers an infection sequence deploying the More_eggs malware.
"FIN6, also known as Skeleton Spider, shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion," the researchers concluded. "By using realistic lures, bypassing scanners and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools."