
TA4557 targets recruiters directly to deploy malware


In a concerning development, researchers have discovered that the threat actor TA4557 has changed its tactics. Traditionally known for posing as job applicants on public job boards, the group has now diversified its approach, targeting recruiters directly with initially benign emails that eventually lead to malware delivery.

In their recent report, cybersecurity experts from Proofpoint exposed the group’s evolving tactics. In its previous modus operandi throughout 2022 and until late 2023, TA4557 would masquerade as job applicants by applying to existing vacancies. The hackers would include malicious URLs, or files containing such URLs, in their applications.

However, as experts discovered, a distinctive feature was that these URLs were not hyperlinked, meaning the victim had to copy and paste them into a browser manually.

Since October 2023, the group has continued with this technique but has also introduced a new method of emailing recruiters directly. The attack chain is set in motion once the recruiter responds by expressing interest.

A sample malicious email by TA4557. | Source: Proofpoint

Researchers found a notable twist in the group’s recent campaigns: since November 2023, TA4557 has directed recipients to “refer to the domain name of my email address to access my portfolio” instead of sending a direct URL. This subtle alteration is seen as an attempt to bypass some companies’ automatic detection of malicious links.

If the victim navigates to the domain name, the page shows what appears to be a candidate’s resume or a job site and runs filtering checks that determine the next step. Those who fail the checks are shown a plain text resume, while those who pass are directed to the malicious website resembling the candidate’s real website.

A fake candidate’s website operated by TA4557. | Source: Proofpoint

This website employs a CAPTCHA, which the victim completes. Upon completion, a zip file containing a shortcut (LNK) file is downloaded. When executed, the LNK file downloads and then executes a scriptlet, a Living Off The Land (LOTL) technique that relies on tooling already present on the system.

Subsequently, the scriptlet drops a DLL in the %APPDATA%\Microsoft folder and attempts to create a new regsvr32 process. The scriptlet also employs anti-sandbox and anti-analysis methods.

The DLL then installs the More_Eggs backdoor, establishing persistence, profiling the system and allowing more malware to be deployed.
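One way to turn the chain described above into a host-side detection, as an added example that is not Proofpoint's or the article's code: flag any regsvr32.exe launch whose command line registers a DLL located under %APPDATA%\Microsoft. It assumes process-creation telemetry such as Sysmon Event ID 1 exported with Image, CommandLine, ParentImage and Computer fields; the sample events, hostnames, parent processes and the DLL name are constructed for the illustration.

```python
"""Flag regsvr32 launches that register a DLL from %APPDATA%\\Microsoft.

Added illustration, not Proofpoint's code or TA4557 tooling. Assumes
process-creation events (e.g. Sysmon Event ID 1 exported as dicts) carrying
Image, CommandLine, ParentImage and Computer; the events below are constructed.
"""
import ntpath
import re
from typing import Dict, Iterable, List

# %APPDATA% expands to C:\Users\<user>\AppData\Roaming, so a DLL dropped in
# %APPDATA%\Microsoft shows up on a command line either as the expanded path
# or, if the variable was never expanded, as the literal %APPDATA% string.
APPDATA_MICROSOFT = re.compile(r"(?:%appdata%|\\appdata\\roaming)\\microsoft\\", re.I)

# A DLL argument is either a double-quoted path or a bare whitespace-free token.
DLL_ARG = re.compile(r'"([^"]*\.dll)"|(\S+\.dll)', re.I)


def dll_args(command_line: str) -> List[str]:
    """Return every .dll path passed on a Windows command line."""
    return [quoted or bare for quoted, bare in DLL_ARG.findall(command_line)]


def is_regsvr32(image: str) -> bool:
    """True when the launched image is regsvr32.exe (any directory, any case)."""
    return ntpath.basename(image).lower() == "regsvr32.exe"


def find_suspicious_regsvr32(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per regsvr32 launch whose DLL lives under %APPDATA%\\Microsoft."""
    findings = []
    for ev in events:
        if not is_regsvr32(ev.get("Image", "")):
            continue
        for dll in dll_args(ev.get("CommandLine", "")):
            if APPDATA_MICROSOFT.search(dll):
                findings.append({
                    "host": ev.get("Computer", "?"),
                    "parent": ev.get("ParentImage", "?"),
                    "dll": dll,
                    "reason": "regsvr32 registering a DLL from %APPDATA%\\Microsoft",
                })
    return findings


# Constructed sample telemetry (hostnames, parents and DLL names are made up).
SAMPLE_EVENTS = [
    {"Computer": "HR-WS01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\Microsoft\upd.dll"'},
    {"Computer": "HR-WS01", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe C:\Windows\System32\msxml3.dll"},  # system DLL, benign
    {"Computer": "HR-WS02", "Image": r"C:\Windows\SysWOW64\REGSVR32.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"REGSVR32.EXE %APPDATA%\Microsoft\upd.dll"},  # unexpanded variable
    {"Computer": "HR-WS02", "Image": r"C:\Program Files\Vendor\installer.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'installer.exe "C:\Users\bob\AppData\Roaming\Microsoft\plugin.dll"'},  # not regsvr32
]


if __name__ == "__main__":
    for f in find_suspicious_regsvr32(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['reason']}: {f['dll']} (parent: {f['parent']})")
```

The rule deliberately matches both the expanded and the literal %APPDATA% form of the path, since the scriptlet may hand regsvr32 either one. Some legitimate installers do register DLLs from user-writable locations, so in production the rule would be paired with an allowlist of known parent processes and signed DLLs rather than alerting on every hit.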

TA4557 differs from other threat groups in that it employs sophisticated social engineering, tailors lures to specific jobs and adopts evasive measures to avoid detection.

“Proofpoint has seen an increase in threat actors using benign messages to build trust and engage with a target before sending the malicious content, and TA4557 adopting this technique may convince recipients to be more trusting of the interaction and subsequent content shared with them. Additionally, the group is regularly changing their sender emails, fake resume domains, and infrastructure,” said Proofpoint researchers. “This is done alongside building rapport with the target before sending a payload and poses a problem for defenders and automated security tools as it can be difficult to detect the content as malicious.”


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
