Russian cyber gang mimics job candidates to steal data


A suspected Russian threat actor is posing as job applicants in emails sent directly to recruiters in order to siphon valuable data from prospective employers, the cybersecurity firm Proofpoint has found.

The new approach from the group, which Proofpoint tracks as TA4557, adds to the previously observed tactic of submitting fake applications to jobs advertised on public job boards.


“In recently observed campaigns, TA4557 used both the new method of emailing recruiters directly as well as the older technique of applying to jobs posted on public job boards to commence the attack chain,” said Proofpoint, which has tracked the group as far back as 2018.

Businesses and other organizations that fall for the lure end up infecting their computers with malware that profiles the machine and can be used to drop additional payloads to steal valuable data.

The recent activity observed by Proofpoint appears to be the latest phase of a sustained campaign by the group against employers. In 2021, Proofpoint issued a similar warning about TA4557's activities after the FBI cautioned that threat actors were using the online job market as an attack vector.

Personal touch

The new version of the attack applies a more personal touch: cover-letter emails and applicant profiles are carefully tailored to lure unwary recruiters into running malware that profiles their machines and steals data.

“In the attack chain that uses the new direct email technique, once the recipient replies to the initial email, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate resume,” said Proofpoint.

Alternatively, Proofpoint observed TA4557 replying with a second email carrying a PDF or Word attachment that instructs the target to visit the fake resume website.

In campaigns Proofpoint observed last month, the initial email instead told the intended victim to "refer to the domain name of my email address to access my portfolio", rather than sending the resume website URL in a follow-up response.


Proofpoint believes the email-based approach, tailored to genuine job vacancies advertised online, is intended to build rapport between the attackers and their targets so that the lure is more convincing.

“The tone and content of the emails suggest to the recipient the actor is a legitimate candidate, and because the actor specifically targets people who are involved in recruiting and hiring, the emails do not immediately seem suspicious,” said Proofpoint.

To evade detection and blocking, TA4557 regularly rotates sender email addresses, fake resume domains and other supporting infrastructure, Proofpoint added.

Malicious code

In terms of the underlying mechanics, the attack chain proceeds in several stages.

“The candidate website uses a CAPTCHA which, if completed, will initiate the download of a zip file containing a shortcut file (LNK),” said Proofpoint.

The LNK file then "abuses legitimate software functions" to download and execute further code that installs a backdoor (a covert means of re-entering a compromised system) known as More_Eggs, which "can be used to establish persistence, profile the machine, and drop additional payloads."

Once its work is done, the code deletes itself, further helping to cover the threat actor's tracks.
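The archive stage of that chain, a zip file holding a Windows shortcut, is the point where a mail gateway or download scanner can intervene before anything is clicked. The following is an added example (not Proofpoint's code or anything from its report) of such a check: it opens a zip in memory and flags any entry that is a shortcut, whether by a `.lnk` extension (including double extensions such as `resume.pdf.lnk`) or by the shortcut file header, so a shortcut renamed to look like a document is caught too. The sample archive, its file names and the shortcut bytes are constructed inline for illustration and are not real TA4557 artefacts.

```python
"""Flag Windows shortcut (.lnk) files hidden inside a downloaded zip archive.

Added example, not Proofpoint's code. The archive built in build_sample_zip()
is constructed for illustration; nothing here is a real TA4557 sample.
"""
import io
import struct
import zipfile

# MS-SHLLINK ShellLinkHeader: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# LinkFlags is the 4-byte little-endian field right after the CLSID (offset 20).
# Bit 0x20 (HasArguments) means the shortcut carries its own command line,
# which is how a malicious LNK launches a downloader instead of a document.
LINKFLAGS_OFFSET = 20
HAS_ARGUMENTS = 0x00000020


def inspect_zip(zip_bytes):
    """Return [(entry_name, [reasons, ...]), ...] for every suspicious entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lowered = name.lower()
            with zf.open(info) as fh:
                head = fh.read(LINKFLAGS_OFFSET + 4)  # header size + CLSID + flags

            reasons = []
            if lowered.endswith(".lnk"):
                reasons.append("lnk extension")
                if lowered.count(".") > 1:
                    reasons.append("double extension")  # e.g. resume.pdf.lnk
            if head.startswith(LNK_MAGIC):
                reasons.append("lnk header")  # true shortcut whatever the name says
                if len(head) >= LINKFLAGS_OFFSET + 4:
                    flags = struct.unpack_from("<I", head, LINKFLAGS_OFFSET)[0]
                    if flags & HAS_ARGUMENTS:
                        reasons.append("embedded command line")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip():
    """Constructed sample archive: one benign document, one shortcut with a
    double extension, and one shortcut renamed to a harmless-looking name."""
    # Minimal 76-byte ShellLinkHeader stub; LinkFlags 0x2B sets HasLinkTargetIDList,
    # HasLinkInfo, HasRelativePath and HasArguments. No real target is included.
    lnk_stub = LNK_MAGIC + struct.pack("<I", 0x0000002B) + b"\x00" * 52
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume.pdf", b"%PDF-1.4\n% constructed placeholder document\n")
        zf.writestr("Resume.pdf.lnk", lnk_stub)
        zf.writestr("Portfolio.pdf", lnk_stub)  # LNK bytes behind a document name
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in inspect_zip(build_sample_zip()):
        print(f"{entry}: {', '.join(why)}")
```

The header check matters because the extension check alone is trivial to sidestep; flagging an extension/content mismatch as well catches a shortcut that was renamed to pass a naive filter. In a gateway, any hit on "lnk header" or "double extension" in an unsolicited "resume" archive is reason enough to quarantine the message rather than deliver it.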

Proofpoint urges employers to be vigilant and to instruct staff, especially those handling recruitment, to treat unsolicited applications with caution.

“Organizations that use third-party job posting websites should be aware of this actor’s tactics, techniques, and procedures and educate employees, especially those in recruiting and hiring functions, about this threat,” it said.
