
FIN6 Hackers Weaponize Fake Resumes on LinkedIn and AWS to Deploy More_eggs Malware

Cybersecurity researchers have uncovered a sophisticated campaign by the FIN6 hacking group, also known as Skeleton Spider, targeting recruiters with the More_eggs malware. The group makes contact through professional networking sites such as LinkedIn and hosts fake resumes on Amazon Web Services (AWS) to deliver its malicious payload, highlighting an evolving threat landscape.


FIN6's Deceptive Tactics Unveiled

FIN6, a financially motivated threat actor, has shifted its focus from traditional point-of-sale breaches to more elaborate social engineering campaigns. Their latest method involves impersonating job seekers to infiltrate organizations through their HR departments.

How the Attack Unfolds

  • Initial Contact: FIN6 initiates conversations with recruiters on platforms such as LinkedIn and Indeed, building rapport as legitimate job applicants.

  • Phishing Delivery: They then send professionally crafted emails containing non-clickable URLs that lead to their "resume sites." This tactic forces recipients to manually type the URL, bypassing automated email security filters.

  • AWS Hosting: The malicious domains, often mimicking personal names (e.g., bobbyweisman[.]com, emersonkelly[.]com), are anonymously registered and hosted on trusted AWS infrastructure, lending an air of legitimacy.

  • Evasion Techniques: The sites employ sophisticated traffic filtering, including IP and geolocation checks, operating system and browser fingerprinting, and CAPTCHA verifications. This ensures that only genuine targets (typically using residential IP addresses and Windows-based browsers) receive the malicious content, while VPNs, cloud infrastructure, or security scanners are served harmless plain-text versions.

  • Malware Delivery: Qualified victims are prompted to download a ZIP archive, which, instead of a resume, contains a disguised Windows shortcut (.LNK) file. This file executes a script to download and deploy the More_eggs backdoor.

The More_eggs Malware

More_eggs is a JavaScript-based backdoor developed by the Venom Spider group (also known as Golden Chickens). It is offered as malware-as-a-service and is highly modular, capable of:

  • Credential theft

  • System access

  • Command execution

  • Delivery of additional payloads

  • PowerShell execution

FIN6 has been utilizing More_eggs since at least 2018, previously employing it in Magecart attacks to skim payment card data from e-commerce sites.

Key Takeaways for Recruiters and Organizations

  • Be extremely cautious of unsolicited resume links, especially those requiring manual URL entry.

  • Avoid downloading ZIP files from unknown senders unless verified by IT.

  • Be wary of CAPTCHA-protected resume sites, as this is a known evasion tactic.

  • Implement robust security measures, including email filtering, endpoint detection and response (EDR), and user awareness training.

  • Consider blocking the execution of .LNK files from untrusted sources and monitor for suspicious outbound traffic.
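The delivery step described above (a ZIP archive that carries a Windows shortcut posing as a resume) and the takeaway about blocking .LNK files from untrusted sources both come down to the same check: inspect archive members before anyone opens them. The following is an added example, not code from the original article or from any of the cited researchers; it uses a constructed in-memory ZIP with placeholder member names and flags shortcuts by extension, by a hidden double extension, and by the fixed MS-SHLLINK header even when the name says ".pdf".

```python
import io
import zipfile

# MS-SHLLINK fixed header: HeaderSize 0x4C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

RESUME_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive member looks like a disguised shortcut."""
    reasons = []
    lower = name.lower()
    parts = lower.rsplit("/", 1)[-1].split(".")
    if lower.endswith(".lnk"):
        reasons.append("lnk-extension")
        # e.g. resume.pdf.lnk: a document extension hidden before the .lnk
        if len(parts) >= 3 and "." + parts[-2] in RESUME_EXTS:
            reasons.append("double-extension")
    if head.startswith(LNK_MAGIC):
        reasons.append("lnk-header")
        if not lower.endswith(".lnk"):
            reasons.append("extension-mismatch")
    return reasons


def find_disguised_shortcuts(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan an in-memory ZIP and map suspicious member names to their reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (hypothetical names): one benign text resume, one
    shortcut with a double extension, and one shortcut renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Applicant_CV.txt", "Constructed placeholder resume text.\n")
        zf.writestr("Applicant_Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Cover_Letter.pdf", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in find_disguised_shortcuts(build_sample_archive()).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against a real inbound archive, any member reported with an "lnk-header" reason is a shortcut regardless of what its name claims, which is the case that extension-based mail filters miss.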

AWS has stated that they have clear terms of service requiring customers to comply with applicable laws and that they act quickly to disable prohibited content when reported.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

