Full Report
In a twist on typical hiring-related social engineering attacks, the FIN6 hacking group impersonates job seekers to target recruiters, using convincing resumes and phishing sites to deliver malware. [...]
Analysis Summary
# Threat Actor: FIN6
## Attribution & Identity
The threat actor group is identified as **FIN6**.
## Activity Summary
FIN6 has been observed conducting targeted attacks by posing as **job seekers** to compromise devices belonging to **recruiters and human resources employees**. The actors use social engineering to lure victims into downloading malicious archives disguised as professional portfolios or resumes.
## Tactics, Techniques & Procedures
- **Social Engineering:** Posing as job seekers to initiate contact.
- **Delivery Mechanism:** Luring the recruiter to an attacker-controlled "resume" or "portfolio" site that serves a ZIP archive; the archive contains a Windows shortcut file (`.LNK`) disguised as the resume, which launches a script when the victim opens it.
- **Payload Delivery:** The script launched by the shortcut downloads and installs the "More Eggs" backdoor.
- **Evasion/Defense Checks:** Environmental fingerprinting and behavioral checks on the landing page so that the malicious download is served only to visitors who look like real targets; requests arriving over VPNs, from cloud address ranges, or from Linux/macOS clients are turned away, which also keeps automated sandboxes and analysts from retrieving the payload.
- **Interaction:** Gating the final download behind a fake **CAPTCHA step** on the landing page, shown only to visitors who pass the fingerprinting checks.
- **Backdoor Capabilities (More Eggs):** Command execution, credential theft, delivery of additional payloads, and PowerShell execution.
- *MITRE ATT&CK IDs are not explicitly provided in the text.*
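As an added illustration of the delivery chain described in the TTP list above (example code written for this page, not code from the report or from FIN6): a small Python scanner that opens a "resume" ZIP, finds entries that are Shell Link files by extension or by magic, parses the MS-SHLLINK string fields to recover the target path and arguments, and flags known script hosts. The archive, file names and command line it scans are constructed for the example and are not indicators from the report.

```python
"""Added example (not code from the original report): inspect a "resume" ZIP for
Windows shortcut (.LNK) droppers and pull out what the shortcut would run.

Shell Link layout follows MS-SHLLINK: a 76-byte header, optional IDList and
LinkInfo blocks, then StringData fields in a fixed order. The sample archive
built below is constructed for this example; its file names and command line
are hypothetical, not indicators from the report.
"""
import io
import struct
import zipfile

LNK_MAGIC = 0x4C                                               # HeaderSize, always 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional parts follow the header.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

# Interpreters a resume shortcut has no legitimate reason to launch.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell", "pwsh",
                "cmd.exe", "mshta", "rundll32", "regsvr32")


def _read_string(buf, pos, unicode):
    """StringData item: 2-byte character count, then the string (no terminator)."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    width = 2 if unicode else 1
    raw = buf[pos:pos + count * width]
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, pos + count * width


def parse_lnk(buf):
    """Return the StringData fields of a Shell Link; raise if buf is not a .LNK."""
    if (len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != LNK_MAGIC
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                        # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", buf, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string(buf, pos, unicode)
        else:
            fields[name] = ""
    return fields


def scan_archive(zip_bytes):
    """Flag every .LNK entry (by name or by magic) and report what it would execute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            name = info.filename.lower()
            if not (name.endswith(".lnk") or data[:20] == struct.pack("<I", LNK_MAGIC) + LNK_CLSID):
                continue
            fields = parse_lnk(data)
            cmdline = (fields["relative_path"] + " " + fields["arguments"]).lower()
            hosts = [h for h in SCRIPT_HOSTS if h in cmdline]
            findings.append({
                "entry": info.filename,
                "target": fields["relative_path"],
                "arguments": fields["arguments"],
                "script_hosts": hosts,
                "double_extension": name.count(".") >= 2,   # e.g. resume.pdf.lnk
                "verdict": "malicious" if hosts else "review",
            })
    return findings


def build_lnk(relative_path, arguments, icon_location=""):
    """Minimal Shell Link writer, used only to construct the sample below."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_ICON_LOCATION if icon_location else 0)
    # ShowCommand 7 = SW_SHOWMINNOACTIVE, the usual trick to keep the console window off-screen.
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_MAGIC, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 7, 0, 0, 0, 0)

    def s(text):  # StringData item in UTF-16LE, matching IS_UNICODE above
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments) + (s(icon_location) if icon_location else b"")


def build_sample_archive():
    """Constructed sample: a ZIP whose 'resume' is a shortcut that runs a script host."""
    lnk = build_lnk(r"..\..\..\..\Windows\System32\wscript.exe",
                    r'/e:jscript "%TEMP%\portfolio.js"',                  # hypothetical command line
                    icon_location=r"%SystemRoot%\System32\imageres.dll")  # borrows a system icon
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("J_Smith_Resume.pdf.lnk", lnk)
        zf.writestr("Cover_Letter.txt", "Please find my portfolio attached.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

The scanner checks the Shell Link magic as well as the file name, because an archive can carry a shortcut under any extension and Explorer will still treat it as a link; a gateway rule that only matches `*.lnk` misses that case. Anything that resolves to a script host gets a "malicious" verdict outright, since a genuine resume never needs `wscript`, `mshta` or PowerShell.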
## Targeting
- **Sectors:** Human Resources (HR) and Recruiting professionals/agencies (implied by the social engineering vector).
- **Geography:** Not explicitly mentioned.
- **Victims:** Recruiters and human resources employees whose roles involve reviewing external resumes and portfolios.
## Tools & Infrastructure
- **Malware Families Used:**
- **More Eggs:** A modular backdoor created by "Venom Spider."
- **Infrastructure (C2, domains, IPs):**
- byweisman[.]com
- emersonkelly[.]com
- davidlesnick[.]com
- kimberlykamara[.]com
- annalanyi[.]com
- bobbybradley[.]net
- malenebutler[.]com
- lorinash[.]com
- alanpower[.]net
- edwarddhall[.]com
## Implications
FIN6 pairs convincing social engineering with technical gatekeeping (environmental fingerprinting and a CAPTCHA step) to get past standard security controls and reach personnel whose job is to open documents from strangers and who handle candidate and employee data. The modular "More Eggs" backdoor then gives the actors persistent access and the means to steal credentials, stage further payloads and exfiltrate data.
## Mitigations
- Recruiters and HR employees should treat invitations to review a resume or portfolio with extreme caution, especially when the material has to be fetched from an external site rather than arriving through the organization's own application channel.
- Companies should independently confirm a candidate's identity by contacting the listed references or verifying employment history directly with the supposed former or current employers before engaging further.
- Enforce strict policies on executing downloaded files: treat any `.LNK` file inside a resume or portfolio archive as malicious, block or quarantine archives containing shortcut files at the mail and web gateway, and alert on script hosts (`wscript`, `cscript`, `powershell`, `mshta`) being spawned from a freshly extracted archive.