One Article Review

Source Proofpoint
Identifier 8421435
Publication date 2023-12-12 05:00:00 (viewed: 2023-12-12 10:07:42)
Title Security Brief: TA4557 Targets Recruiters Directly via Email
Text

What happened

Since at least October 2023, TA4557 began using a new technique of targeting recruiters with direct emails that ultimately lead to malware delivery. The initial emails are benign and express interest in an open role. If the target replies, the attack chain commences.

Previously, throughout most of 2022 and 2023, TA4557 typically applied to existing open job listings purporting to be a job applicant. The actor included malicious URLs, or files containing malicious URLs, in the application. Notably, the URLs were not hyperlinked, and the user would have to copy and paste the URL text to visit the website. The legitimate job hosting sites would then generate and send email notifications to the prospective employers who posted the positions.

In recently observed campaigns, TA4557 used both the new method of emailing recruiters directly and the older technique of applying to jobs posted on public job boards to commence the attack chain.

Specifically, in the attack chain that uses the new direct email technique, once the recipient replies to the initial email, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate resume. Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website.

Example initial outreach email by TA4557 to inquire about a job posting.

Example follow-up email containing a URL linking to a fake resume website.

Very notably, in campaigns observed in early November 2023, Proofpoint observed TA4557 direct the recipient to “refer to the domain name of my email address to access my portfolio” in the initial email instead of sending the resume website URL directly in a follow-up response. This is likely a further attempt to evade automated detection of suspicious domains.

Email purporting to be from a candidate directing the recipient to visit the domain in an email address.

If the potential victims visit the “personal website” as directed by the threat actor, the page mimics a candidate's resume or job site for the candidate (TA4557) applying for a posted role. The website uses filtering to determine whether to direct the user to the next stage of the attack chain.

Example of a fake candidate website operated by TA4557 that leads to download of a zip attachment.

If the potential victim does not pass the filtering checks, they are directed to a page containing a resume in plain text. Alternatively, if they pass the filtering checks, they are directed to the candidate website. The candidate website uses a CAPTCHA which, if completed, will initiate the download of a zip file containing a shortcut file (LNK). The LNK, if executed, abuses legitimate software functions in "ie4uinit.exe" to download and execute a scriptlet from a location stored in the "ie4uinit.inf" file. This technique is commonly referred to as "Living Off The Land" (LOTL).

The scriptlet decrypts and drops a DLL in the %APPDATA%\Microsoft folder. Next, it attempts to create a new regsvr32 process to execute the DLL using Windows Management Instrumentation (WMI) and, if that fails, tries an alternative approach using the ActiveX Object Run method.

The DLL employs anti-sandbox and anti-analysis techniques. It incorporates a loop specifically designed to retrieve the RC4 key necessary for deciphering the More_Eggs backdoor. This loop is strategically crafted to extend its execution time, enhancing its evasion capabilities within a sandbox environment. Furthermore, the DLL employs multiple checks to determine whether it is currently being debugged, using the NtQueryInformationProcess function.

The DLL drops the More_Eggs backdoor along with the MSXSL executable. Subsequently, it initiates the creation of the MSXSL process using the WMI service. Once completed, the DLL deletes itself.

More_Eggs can be used to establish persistence, profile the machine, and drop additional payloads.

Attribution

Proofpoint has been tracking TA4557 since 2018 as a
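As an added illustration (not code from the Proofpoint brief or its authors), the following triage routine runs over constructed Sysmon-style process-creation events and flags the three host-side stages of the chain described above: ie4uinit.exe started outside its System32 home so that it would read a planted ie4uinit.inf, regsvr32 executing a DLL under %APPDATA%\Microsoft, and msxsl.exe created via WMI. The WmiPrvSE.exe parent for WMI-created processes, the event field names and the path patterns are assumptions.

```python
"""Triage process-creation events for the TA4557 host-side chain (added example)."""
import re

# Assumed: a clean ie4uinit.exe lives under System32 and normally runs from there.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
APPDATA_DLL = re.compile(r"\\appdata\\roaming\\microsoft\\[^\s\"]+\.dll", re.I)

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def classify(ev: dict) -> list:
    """Return the chain stages one Sysmon-like event matches (empty if none)."""
    img, parent = _base(ev["Image"]), _base(ev["ParentImage"])
    cmd, cwd = ev.get("CommandLine", ""), ev.get("CurrentDirectory", "")
    hits = []
    # Stage 1: ie4uinit.exe copied or started outside System32, where it would
    # pick up a planted ie4uinit.inf pointing at the remote scriptlet.
    if img == "ie4uinit.exe" and not (_in_system_dir(ev["Image"]) and _in_system_dir(cwd)):
        hits.append("ie4uinit_lotl")
    # Stage 2: regsvr32 executing a DLL dropped under %APPDATA%\Microsoft; a
    # WmiPrvSE.exe parent (assumed for WMI-created processes) strengthens the hit.
    if img == "regsvr32.exe" and APPDATA_DLL.search(cmd):
        hits.append("regsvr32_appdata_dll" + ("_via_wmi" if parent == "wmiprvse.exe" else ""))
    # Stage 3: msxsl.exe (a standalone tool, not a Windows component) created via WMI.
    if img == "msxsl.exe" and parent == "wmiprvse.exe":
        hits.append("msxsl_via_wmi")
    return hits

def triage(events):
    """Return (event index, stage name) pairs for every event that matched."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]

# Constructed sample events: index 0 and 4 are benign, 1-3 mirror the chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ie4uinit.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "ie4uinit.exe -ClearIconCache", "CurrentDirectory": r"C:\Windows\System32"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\resume\ie4uinit.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "ie4uinit.exe -BaseSettings", "CurrentDirectory": r"C:\Users\jdoe\AppData\Local\Temp\resume"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\jdoe\AppData\Roaming\Microsoft\loader.dll"'},
    {"Image": r"C:\Users\jdoe\AppData\Roaming\Microsoft\msxsl.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "msxsl.exe a.xml b.xsl"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
]
```

Running `triage(SAMPLE_EVENTS)` yields hits for events 1, 2 and 3 only; the benign ie4uinit and regsvr32 events produce nothing.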
Sent Yes
Tags Malware Tool Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.