The Ongoing Saga of Job-Themed Attacks

By Daksh Kapur and Alfred Alvarado · January 23, 2024

In late 2023, Trellix Security Researchers identified an ongoing trend where cybercriminals exploit job-themed attack vectors to target both job seekers and employers. Near the start of 2023, we released a comprehensive research report on similar campaigns, which you can explore here.

Cyber attackers have been employing tactics to entice job seekers through deceptive job availability emails while simultaneously targeting employers with malicious emails disguised as job applications. In the midst of a persistently challenging job market characterized by widespread layoffs, opportunistic attackers are capitalizing on the situation to launch attacks.

The intent behind these attacks is multifaceted: deploying malware, stealing credentials, and extracting sensitive information. Moreover, cybercriminals may utilize generic contact details as part of a social engineering strategy, setting the stage for further scams.

Most Targeted Regions

Our researchers have observed a substantial portion of job-themed attacks, with Australia accounting for 41% of the total attacks, closely followed by the United States at 29%. This highlights a notable trend in job-themed attacks predominantly targeting these two countries.

Malicious emails

Trellix Email Security researchers have identified various iterations of emails employed in job-themed attacks. Additionally, attackers have been observed using password-protected attachments as a tactic to bypass detection mechanisms.

Malicious URLs

Our researchers have identified various malicious pages, including but not limited to credential phishing. These pages impersonate job applications, coercing victims to provide personal information like name, phone number, address, etc. Attackers are suspected of using this data to conduct financial scams, utilizing job opportunities as bait.

Malware

Trellix identified several malware families targeting job seekers and employers. The following are some of the malware families observed by our researchers:

Recent Player Taking The Field:

• Tracked as TA4577 (ProofPoint)
• TA4557 is a financially motivated threat group that was first identified in late 2023. Primarily targeting recruiters through sophisticated social engineering tactics. Initially focusing on responding to job listings on job boards, the threat actors later shifted to targeting recruiters directly. Setting their play in motion by sending benign-looking emails, expressing interest in an open position, once the recipient responded the next phase was activated.
• TA4557 is known for distributing the More_Eggs backdoor, a malware that establishes persistence, gathers intel from the respective environment, and awaits commands to deploy additional payloads. This highlights the strategic blend of direct human targeting, advanced malware deployment and the evolving nature of cyber threats from financially driven actors.
  • TA4557 Overview: A financially motivated group active since at least October 2023.
  • Target Audience: Specifically targets recruiters through direct email campaigns.
  • Initial Contact: Benign emails expressing interest in open positions to build trust.
  • Malware Distribution: Known for deploying More_Eggs backdoor.
  • Attack Chain: The attack chain starts when the recruiter responds to the initial email.
  • Tactics Shift 2022-2023: Initially replied to job listings on third-party boards, then shifted to directly targeting recruiters.
  • Method of Attack: Fake resume websites and email attachments that lead targets to download malicious files.
  • Key Strategy: Combine human targeting with malware deployment.

Other Malware:

• Agent Tesla – A .NET-based Remote Access Trojan (RAT) and data stealer for gaining initial access that is often used for Malware-as-a-Service (MaaS).
• Formbook - An info stealer malware used to steal several types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes. It can also act as a downloader, enabling it to download and execute additional malicious files.
• TerraLoader - A backdoor malware, infiltrates systems via malicious files or downloads, enabling attacks like credential theft and file encryption. In another case mentioned in this article by itbrew.com, TerraLoader posed as job application resumes, showcasing its deceptive delivery tactics.
• Pikabot - A malware with advanced evasion techniques, anti-debugging inspired by Al-Khaser, and steganography for payload concealment. It operates on a proprietary C2 framework, supporting commands like host enumeration and secondary payload injection.
• More_Eggs Backdoor - developed in JavaScript, offers covert access to compromised hosts. Other capabilities include downloading additional payloads, evading detection by imitating legitimate software, and its modular architecture that is customizable to specific targets.

Indicators of Compromise (IOC)

Check out the list of indicators of compromise from the recent Job Themed campaigns observed by the Trellix Advanced Research Center: Job Themed Campaigns IOCs.

Trellix Product Protections

Trellix’s XDR solution offers thorough defense against threats like typo-squatting domains and malicious job application emails. Employing a multi-layered strategy, it examines URLs, emails, networks, and attachments to identify and block risks effectively. Trellix’s portfolio of products maintains vigilance through ongoing monitoring and an updated threat intelligence database to stay proactive against emerging and evolving threats.

The following is a subset of the Trellix Security detections that have been observed for the ongoing campaigns:

Conclusion

To conclude, our research highlights the ways cybercriminals take advantage of the current job market uncertainties to exploit both job seekers and employers. The key takeaway is the importance of maintaining vigilance. For employers and job seekers, implementing proactive security measures becomes essential in protecting against these targeted attacks. Stay informed, stay secure, and navigate the job market landscape with a proactive cybersecurity mindset.

Attributions

We would like to give proper credit and recognition to the various elements that have contributed to the content of this blog. The following list outlines the attributions for these elements:

IMAGES

• Image by redgreystock on Freepik

ICONS

• Image by redgreystock on Freepik

We sincerely appreciate the contributions of these elements to our blog and acknowledge the importance of giving credit where it's due. Should there be any concerns regarding attributions or if corrections are needed, please don't hesitate to contact us. Your understanding and support are greatly valued.