In early November 2023, Proofpoint observed TA4557 directing the recipient to “refer to the domain name of my email address to access my portfolio” in the initial email instead of sending the resume website URL directly in a follow-up response, according to the post. This was likely a further attempt to evade automated detection of suspicious domains.
The potential victim, upon visiting the “personal website” as directed by the threat actor, is presented with a page with a fake candidate resume, which filters the user upon visit and decides whether to send them to the next stage of the attack.
‘Living off the land’ to drop More_eggs backdoor
The users that pass the threat actor’s filtering checks are subsequently sent to the candidate website that employs a captcha, which upon completion, initiates downloading a zip file containing a shortcut file LNK. LNK abuses legitimate functions in “ie4uinit.exe,” a Microsoft utility program, to download and execute a scriptlet from a location in another “ie4uinit.inf” file in the zip.
“This technique is commonly referred to as ‘Living Off The Land’ (LOTL),” Proofpoint said. “The scriptlet decrypts and drops a DLL in the %APPDATA%Microsoft folder. The DLL employs anti-sandbox and anti-analysis techniques for evasion and drops the More_Eggs backdoor.”
Proofpoint noted in the blog post that it has seen an increase in threat actors using benign messages to build trust and engage with a target before sending the malicious content, and TA4557 adopting this technique calls for organizations using third-party job posting to watch out for this actor’s tactics, techniques, and procedures (TTPs).