- DomainTools identifies hackers creating fake job-seeker personas
- They target recruiters and HR managers with the More_eggs backdoor
- The backdoor can steal credentials and execute commands
Hackers are now posing as job seekers to target recruiters and organizations with dangerous malware, experts have warned.
DomainTools cybersecurity researchers recently spotted a threat actor known as FIN6 using this method in the wild, noting that the attackers first create fake personas on LinkedIn and set up fake CV websites.
The website domains are bought anonymously through GoDaddy and hosted on Amazon Web Services (AWS), to avoid being flagged or taken down quickly.
More_eggs
The attackers then contact recruiters, HR managers and business owners on LinkedIn, building rapport before moving the conversation to email. They then share the CV website, which filters visitors by operating system and other parameters. For example, visitors arriving from VPN or cloud connections, as well as those running macOS or Linux, are served benign content.
Those deemed a good fit are first shown a fake CAPTCHA, after which they are offered a .zip archive to download. This archive, which the recruiter believes contains the CV, actually drops a disguised Windows shortcut file (LNK) that runs a script to download the More_eggs backdoor.
More_eggs is a modular backdoor that can execute commands, steal login credentials, deliver additional payloads and run PowerShell, in a simple but effective attack built on social engineering and advanced evasion.
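The delivery step above hinges on a recruiter opening a ZIP whose only content is a shortcut named to look like a document. The following Python script is an added example, not code from DomainTools or from the article, showing how a mail gateway or an HR intake workflow could triage such archives before anyone double-clicks: it checks each entry's bytes for the fixed LNK file header, flags executable extensions, and flags "CV.pdf.lnk"-style double extensions. The sample archives it builds (the names Jane_Doe_CV.pdf.lnk and Jane_Doe_CV.pdf, and their contents) are constructed for the demonstration and are not artifacts from the real campaign; the malicious sample carries only the LNK header, not a working shortcut.

```python
import io
import posixpath
import zipfile
from dataclasses import dataclass
from typing import List

# Every Windows shortcut starts with a fixed 20-byte header: HeaderSize 0x4C
# (little-endian) followed by the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" + "0114020000000000c000000000000046")

# Extensions that have no business inside a "CV" sent to a recruiter.
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".hta",
                   ".bat", ".cmd", ".ps1", ".wsf"}
# Document-looking extensions an attacker places in front of the real one.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


@dataclass
class Finding:
    member: str   # archive entry name
    reason: str   # why it was flagged


def inspect_resume_archive(zip_bytes: bytes) -> List[Finding]:
    """Return one Finding per suspicious trait of each entry in the ZIP."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = posixpath.basename(info.filename).lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_ext = "." + parts[-2] if len(parts) > 2 else ""

            # 1. Content check: trust the bytes, not the name.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append(Finding(info.filename, "content is a Windows shortcut (LNK header)"))

            # 2. Name checks: executable extension, and a document extension hiding in front of it.
            if ext in EXECUTABLE_EXTS:
                findings.append(Finding(info.filename, f"executable extension {ext}"))
            if inner_ext in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
                findings.append(Finding(info.filename,
                                        f"double extension {inner_ext}{ext} masquerading as a document"))
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    return bool(inspect_resume_archive(zip_bytes))


def _zip_from(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def build_malicious_sample() -> bytes:
    """Constructed stand-in for the attacker's archive: a shortcut named like a PDF."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56   # header magic plus filler; not a real working shortcut
    return _zip_from([("Jane_Doe_CV.pdf.lnk", fake_lnk)])


def build_benign_sample() -> bytes:
    """Constructed control: an entry that really is a PDF-looking document."""
    return _zip_from([("Jane_Doe_CV.pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n")])


if __name__ == "__main__":
    for label, sample in (("malicious", build_malicious_sample()),
                          ("benign", build_benign_sample())):
        print(label, "->", "SUSPICIOUS" if is_suspicious(sample) else "clean")
        for f in inspect_resume_archive(sample):
            print("  ", f.member, ":", f.reason)
```

The header check matters more than the extension checks: Explorer never displays the .lnk extension, even with "hide extensions for known file types" turned off, so a user looking at the unpacked folder sees only "Jane_Doe_CV.pdf" with a document-style icon. The byte signature catches the shortcut no matter what it is called.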
AWS has since come forward to thank the security community for the findings and to stress that campaigns like this violate its terms of service and are routinely removed from the platform.
“AWS has clear terms that require our customers to use our services in accordance with applicable laws,” an AWS spokesperson said.
“When we receive reports of potential violations of our terms, we act quickly to investigate and take action to disable prohibited content. We appreciate collaboration with the security community and encourage researchers to report suspected abuse to AWS Trust & Safety through our dedicated abuse reporting process.”
Via BleepingComputer