- DomainTools spots hackers developing fake job-seeking personas
- They target recruiters and HR managers with the More_eggs backdoor
- The backdoor can steal credentials and run commands
Security experts have warned that hackers are now posing as job seekers, targeting recruiters and organizations with a dangerous backdoor.
Researchers at cybersecurity firm DomainTools recently observed a threat actor known as FIN6 using this method in the wild, noting that the hackers first create fake personas on LinkedIn and build fake resume websites to match.
The websites' domains are bought through GoDaddy and hosted on Amazon Web Services (AWS), making them harder to flag or quickly take down.
More_eggs
The hackers then approach recruiters, HR managers, and business owners on LinkedIn, build rapport, and move the conversation to email. They then share the resume website, which filters visitors based on their operating system and other parameters. For example, visitors arriving through a VPN or cloud connection, or running macOS or Linux, are served benign content.
Visitors judged to be a good fit are first shown a fake CAPTCHA, after which they are offered a ZIP archive for download. This archive, which recruiters are led to believe contains a resume, actually delivers a disguised Windows shortcut file (LNK) that runs a script to download the More_eggs backdoor.
More_eggs is a modular backdoor that can execute commands, steal login credentials, and run PowerShell. The attack itself is simple but effective, relying on social engineering and sophisticated credential theft.
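The lure described above hinges on a recruiter opening a ZIP whose only real content is a Windows shortcut named like a document. The following triage script is an added example written for this page, not code from DomainTools or the article; it inspects a ZIP archive for shortcut files, document-style double extensions such as "Resume.pdf.lnk", and members whose bytes carry the ShellLink header regardless of their name. The sample archive it builds is constructed for the example and is not a real FIN6 artefact.

```python
"""Triage a 'resume' ZIP for the shortcut-in-archive lure described above."""
import io
import zipfile

# A Windows .lnk begins with HeaderSize 0x4C followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 serialized little-endian (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "rtf", "odt", "txt"}
SCRIPT_EXTENSIONS = {"lnk", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd", "ps1", "exe", "scr"}


def inspect_resume_archive(data: bytes) -> dict:
    """Return {member_name: [reasons]} for every suspicious member of a ZIP."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append(f"executable/script extension .{ext}")
            # "Resume.pdf.lnk": a document extension hiding under the real one.
            if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document-style double extension")
            # Content check: the name can lie, the header cannot.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("ShellLink header")
                if ext != "lnk":
                    reasons.append("ShellLink header under a non-.lnk name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def is_suspicious(data: bytes) -> bool:
    """Overall verdict: any flagged member makes the archive suspicious."""
    return bool(inspect_resume_archive(data))


def build_sample_archive() -> bytes:
    """Constructed test input (hypothetical, not a captured sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Shortcut body: valid LNK header followed by zero filler.
        zf.writestr("John_Doe_Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("cover_letter.txt", b"Constructed benign text for the example.\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for member, reasons in inspect_resume_archive(sample).items():
        print(member)
        for reason in reasons:
            print("  -", reason)
    print("verdict:", "SUSPICIOUS" if is_suspicious(sample) else "clean")
```

Running the script flags John_Doe_Resume.pdf.lnk on all three counts and leaves cover_letter.txt alone. The header check is the one that matters in practice: a mail gateway or EDR rule keyed only on the ".lnk" suffix misses a shortcut renamed to something else, while the ShellLink CLSID is fixed by the file format.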
AWS has since responded to the findings, stressing that such campaigns violate its terms of service and are routinely removed from the platform.
“AWS has clear conditions under which our users need to use our services in compliance with applicable rules,” said a spokeswoman for AWS.
“When we receive reports of potential violations of our terms, we work fast to review them and take steps to disable the prohibited content. We value cooperation with the security research community and encourage researchers to report through our dedicated abuse reporting process.”
Via BleepingComputer