The prevailing political and economic atmosphere often determines the behavior of hackers. Look at today’s job market. Currently, employers are having a difficult time finding workers. Under such conditions, they may be more willing to overlook weak candidates or poorly designed resumes to get people to fill a necessary position. Potential employees may be pickier about jobs and only apply for those which offer the best packages.
In February, it was found that the North Korean hacking group known as Lazarus was pretending to be Lockheed Martin. The hackers contacted potential employees with a spearphishing email that was engineered to bypass spam filters. The attachment also avoided detection by using certain techniques (LOLBins). In addition, the attachment was given a reasonable name such as Lockheed_Martin_JobOpportunities.docx or Salary_Lockheed_Martin_job_opportunities_confidential.doc. When opened, the attachment would look like like this; thereby hiding its evil payload.
Hackers will often use legitimate job boards to find victims. Sometimes they will post jobs on these boards. The posts will lead to websites that look legitimate. These sites enable the hackers to get the email addresses of interested future employees. Later they may send these potential victims an email with something similar to the above attachment. Interviews may also take place to make the process look valid. The goal of this well-organized attack is to get the victim to give them as much personal information as possible. This could include credit card and banking information. Once the attackers gain the victim’s trust and make them a lucrative offer, getting such information should be relatively easy.
According to the Better Business Bureau (BBB), the interview portion of this scam has been updated. Most job seekers expect an interview as part of a hiring process. This interview procedure is a bit different, however. The ‘company rep’ will have the victim download some messaging app like Telegram. Oddly, the interview will not be done via video but through text messaging. The questions will seem valid enough and, after the candidate answers them, the victim will be enthusiastically welcomed into the company. Now, it’s simply a matter of signing a contract, which will be the first step for the criminals to get personal information.
Once the victim is considered an employee, they will be asked to give even more personal information so the company can enter it into their database. This often includes banking information. The BBB also claims that other scams may be thrown in. You may, as the victim, be sent a check to help you set up a home office. After you deposit the check, the company will send you a message saying that they accidentally overpaid you and could you please send back the overpaid amount? Of course, the check is fake but takes time for the bank to process. If you send the money back quickly, as they will undoubtedly stress, the check will later be cancelled by the bank but your money will be gone. Other scams tell the potential candidate to travel to a hotel for an interview. They need to make reservations and pay in advance. They will be told that the company will reimburse them for all expenses. The victim is then led to a fake travel agency site that has been established to get the victim’s money.
In the past, LinkedIn was used by hackers to identify potential victims. They would look at the current job title of someone looking for a job and use that title in the name of the attachment they’d put in an email. For example, if the person was currently working as a marketing consultant, that title would be used in an attachment named, Marketing Consultant Position. The technique proved highly successful. But, recently, the tables have been turned. Now, fake job seekers are trying to attack major companies using weaponized resumes. It’s now the recruiters being targeted through malware embedded in resumes.
This recent campaign, named the more_eggs campaign by eSentire, was orchestrated by a group called ‘Golden Chicken’ which is connected to the infamous FIN6 financial hacking group. Here is a recent timeline of their activity from QuoIntelligence.
This does not seem to be the normal random attack campaign which will target whatever company or individual it can get some cash from. This seems to be an organized spearphishing campaign that is targeting certain companies.; companies that were recruiting on LinkedIn, Reccruit, and Indeed. The resumes attached to the emails sent for the job opening reflected the name of the position they were applying for. Since the resumes were targeted to the position being advertised, they had a higher chance of being opened. Once opened, the malware was released. Interestingly, the recipient opening the attachment received a decoy resume. Of course, while viewing it, their device and, possibly, the company network were being compromised.
Although FIN6 has been associated with financial hacking in the past, its ties to Russia makes one suspect that money may not be the only motivation behind these recent attacks. This suspicion is justified by the fact that eSentire noted that the attacks occurred on “a U.S.-based aerospace/defense company that designs, develops and provides maintenance repair for airline components; a large UK-based CPA firm; an international business law firm based out of Canada; and a national Canadian staffing agency.” Of course, two things can be true at the same time. They may take interesting files and then encrypt them to make some money by holding them for ransom. Copies of the files can always be sent on or sold to those who want them for their informational content. Since these companies have international connections, the scope of information that could be accessed through supply chain attacks is extensive. The malware released from the resumes contains the ability to move throughout a network from one initially infected endpoint. For this, Team Viewer was used. This, again, highlights the importance of protecting all endpoints connected to a network.
The upgrades that have been frequently made to this attack lead me to believe that it is at the testing stage. Once the criminals are satisfied that they have an attack strategy that is meeting with a reasonable level of success, they will probably deploy it against selected targets. These will be targets that can both be mined for information and make the group some money. Attacking the right companies or government organizations could assist Russia with their war efforts. Money can be made from a ransomware demand or banking Trojan. If the situation presents itself, they could even target vital infrastructure components.
In short, HR departments need to be especially cautious during the next few months. Job applicants should be wary of any hiring process that seems abnormal, no matter what amount of money they may be offered. In any event, beware of giving out too much personal information unless you are absolutely certain who is going to be seeing it because this is no longer the job market you used to know.