Threat Group TA4557 Exploits Recruiters for Malware Delivery

Threat Group TA4557

A new predator has emerged, and its modus operandi is as cunning as it is insidious. Dubbed TA4557, this group has built an elaborate scheme around the routine traffic of job recruitment. Its latest stratagem, observed by Proofpoint since October 2023, begins with benign-seeming emails to recruiters expressing interest in open roles. That innocuous first contact carries no link and no attachment; it is only the opening move in TA4557's web of deception.

Previously, throughout 2022 and 2023, TA4557's approach was more direct but no less cunning. The group applied to job listings and embedded malicious URLs or files in its applications. The URLs were deliberately not hyperlinked, so the recipient had to type them into a browser by hand; a bare string of text is invisible to link-scanning defenses, and the absence of a clickable link also lowers the reader's guard.


The evolution of TA4557's tactics is marked by the shift to emailing recruiters directly. Only once an unwitting recipient replies does the real attack unfold: the actor answers with a link to a counterfeit resume website, or with an attachment that carries similar instructions. The delay is the point. By waiting for a reply, the actor ensures the malicious message arrives inside an established conversation, from a correspondent the recruiter has already chosen to trust.

In early November 2023, Proofpoint observed a further change. Rather than including any URL, the reply instructs the recipient to visit the domain that appears in the sender's own email address. With no link in the body, there is nothing for URL-scanning controls to extract or rewrite. A recipient who follows these breadcrumbs lands on a page masquerading as a candidate's resume or job site, and that website is the stage for TA4557's next act.
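The three delivery paths described above (an instruction to visit "the domain in my email address", a sender domain written out as bare text instead of a link, and a compressed attachment offered as a resume) can be scored with a small mailbox triage heuristic. The following is an added example, not Proofpoint's tooling or a real TA4557 sample: the messages are constructed, the domains are placeholders, and the rule thresholds are assumptions.

```python
"""Triage heuristic for the TA4557 recruiter-lure pattern (added example).

Not Proofpoint code and not a real sample: every message below is constructed,
the domains are placeholders, and the signals and their weighting are assumed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed samples. The first contact is deliberately clean, as in the lure.
FIRST_CONTACT = """\
From: Jordan Lee <jordan.lee@freemail.test>
To: recruiting@corp.test
Subject: Interest in the Senior Accountant role

Hi, I saw your posting for the Senior Accountant position and would like to
apply. Are you still hiring? Thanks, Jordan
"""

REPLY_DOMAIN_HINT = """\
From: Jordan Lee <jordan@jordanlee-cv.test>
To: recruiting@corp.test
Subject: Re: Interest in the Senior Accountant role

Thanks for getting back to me. To see my resume please visit the domain in
my email address. Best, Jordan
"""

REPLY_BARE_DOMAIN = """\
From: Jordan Lee <jordan@jordanlee-cv.test>
To: recruiting@corp.test
Subject: Re: Interest in the Senior Accountant role

My resume is hosted at jordanlee-cv.test (type it into your browser, I did
not include a link). Best, Jordan
"""

REPLY_ZIP = """\
From: Jordan Lee <jordan.lee@freemail.test>
To: recruiting@corp.test
Subject: Re: Interest in the Senior Accountant role
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find my resume attached. Best, Jordan
--b1
Content-Type: application/zip; name="Jordan_Lee_Resume.zip"
Content-Disposition: attachment; filename="Jordan_Lee_Resume.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--b1--
"""

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
# "visit the domain in my email address" and close variants (assumed phrasing)
DOMAIN_HINT = re.compile(
    r"\b(?:domain|website|site)\s+(?:in|from|after|of)\s+(?:my|the)\s+(?:e-?mail|address|@)", re.I)
RESUME_WORDS = re.compile(r"\b(?:resume|cv|portfolio)\b", re.I)
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")


def sender_domain(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts; attachments are skipped."""
    parts: List[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            raw = part.get_payload(decode=True)
            if raw:
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def domain_mentioned_without_link(body: str, domain: str) -> bool:
    """True if the sender's domain is written as bare text once URLs are removed."""
    if not domain:
        return False
    stripped = URL_RE.sub(" ", body)
    # Lookbehind excludes '@' so the sender's own address in a signature does not count.
    return re.search(r"(?<![\w.@-])" + re.escape(domain) + r"(?![\w-])", stripped, re.I) is not None


def triage(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    body, domain = body_text(msg), sender_domain(msg)
    reasons: List[str] = []
    if DOMAIN_HINT.search(body):
        reasons.append("body tells reader to visit the domain of the sender address")
    if domain_mentioned_without_link(body, domain):
        reasons.append(f"sender domain {domain} appears as bare text, not a link")
    archives = [n for n in (p.get_filename() for p in msg.walk()) if n and n.lower().endswith(ARCHIVE_EXT)]
    if archives:
        reasons.append("compressed attachment: " + ", ".join(archives))
    is_reply = msg.get("Subject", "").lower().startswith("re:") or msg.get("In-Reply-To") is not None
    return {"from": domain, "is_reply": is_reply, "resume_context": bool(RESUME_WORDS.search(body)),
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for name, sample in [("first contact", FIRST_CONTACT), ("domain hint", REPLY_DOMAIN_HINT),
                         ("bare domain", REPLY_BARE_DOMAIN), ("zip resume", REPLY_ZIP)]:
        print(name, triage(sample))
```

The first contact produces no signal at all, which is exactly why it passes filters; the heuristic is only useful when run over the whole thread, so that the clean opener and the loaded reply are seen together. A reply carrying an ordinary hyperlink to a resume site is indistinguishable from a legitimate candidate by this check and would need reputation or sandbox analysis of the destination instead.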

The site first filters its visitors. Anyone who fails the checks is shown a harmless resume and nothing more, so a researcher or automated crawler sees a benign page. Visitors who pass are presented with a CAPTCHA, and solving it triggers the download of a malicious zip archive. The file inside the archive, when run, uses 'Living Off The Land' techniques: it abuses legitimate, already-installed software to download and execute a scriptlet, which carries the compromise forward.

The scriptlet then decrypts and drops a DLL that employs anti-sandbox and anti-analysis checks before doing anything further. Once satisfied it is not under observation, the DLL retrieves the RC4 key needed to deploy the 'More_Eggs' backdoor, which establishes persistence, profiles the machine, and fetches additional payloads.

TA4557, tracked by Proofpoint since 2018, stands out for its unique tools, its evasion measures, and its distinct attack chains. Its activity overlaps with that of cybercrime groups such as FIN6, Cobalt Group, and Evilnum, yet it maintains an operational footprint of its own.

The implications are significant. TA4557 tailors each lure to a specific, legitimate job opening, and its practice of opening with a benign message builds trust that makes the follow-up far more effective. Frequent rotation of sender addresses, fake resume domains, and supporting infrastructure means that blocking yesterday's indicators offers little protection against tomorrow's message.

Organizations, particularly those that advertise roles on third-party job posting websites, must be vigilant. Recruiting and hiring staff should be briefed on TA4557's tactics, techniques, and procedures, and in particular on the two concrete tells this campaign relies on: a candidate who asks the reader to type a domain into a browser or to visit the domain in their email address rather than providing a link, and a "resume" that arrives as a zip archive instead of a document.