Full Report
The financially motivated threat actor known as FIN6 has been observed leveraging fake resumes hosted on Amazon Web Services (AWS) infrastructure to deliver a malware family called More_eggs. "By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware," the
Analysis Summary
# Threat Actor: FIN6
## Attribution & Identity
- **Actor Identification:** Financially motivated threat actor known as FIN6.
- **Aliases:** Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, TA4557.
- **Associated Groups/Customers:** FIN6 is a known customer utilizing the More\_eggs malware, which is developed by the Golden Chickens group (aka Venom Spider).
## Activity Summary
FIN6 has been observed using social engineering tactics centered around job applications to compromise targets. They pose as job seekers on professional platforms like LinkedIn and Indeed, initiate contact with recruiters, and then deliver phishing messages that lead to malware execution. This latest campaign involves hosting fake resumes on Amazon Web Services (AWS) infrastructure. Historically, the group focused on stealing payment card details from Point-of-Sale (PoS) systems in the retail and hospitality sectors, and has also used Magecart JavaScript skimmers against e-commerce sites. The group has been operational since 2012.
## Tactics, Techniques & Procedures
- **Initial Access:** Social engineering via professional platforms (LinkedIn, Indeed) where actors pose as job seekers.
- **Delivery:** Phishing messages link to resume or portfolio sites on actor-registered domains (e.g., bobbyweisman[.]com, ryanberardi[.]com) that serve the malicious files.
- **Infrastructure Use:** Those sites are hosted on a trusted cloud service, specifically AWS Elastic Compute Cloud (EC2), which serves as the intermediary delivery infrastructure.
- **Malware Deployment:** Using More\_eggs JavaScript-based backdoor as a first-stage payload (observed as early as 2018).
- **Post-Compromise Capability:** More\_eggs provides credential theft, persistent system access, and a foothold for follow-on attacks, including ransomware deployment.
- **E-commerce Skimming:** History of injecting malicious JavaScript skimmers (Magecart) into checkout pages for financial harvesting.
- **Obfuscation:** Registering domains anonymously through GoDaddy's domain privacy services to shield registrant details. (No specific MITRE ATT&CK IDs were provided in the text.)
## Targeting
- **Sectors:** Historically targeted Point-of-Sale (PoS) systems in the **hospitality** and **retail** sectors. Also targeted **e-commerce merchants**.
- **Geography:** Not stated for the current campaign; the historical PoS and e-commerce targeting was sector-driven rather than tied to a specific region.
- **Victims:** Recruiters and HR personnel contacted on job platforms are the immediate targets of the current campaign. Historical victims were retailers, hospitality operators, and e-commerce merchants whose payment card data was stolen.
## Tools & Infrastructure
- **Malware Families Used:** More\_eggs (JavaScript-based backdoor).
- **Infrastructure:**
- **Hosting Platform:** AWS Elastic Compute Cloud (EC2).
- **Dropper/Delivery Domains (Defanged Examples):** bobbyweisman[.]com, ryanberardi[.]com.
- **Registrar Abuse:** GoDaddy domain privacy services used for anonymity.
## Implications
FIN6 remains a persistent, financially motivated threat actor adapting its delivery mechanisms. The use of a trusted cloud service (AWS EC2) as hosting infrastructure complicates detection and takedown: traffic to AWS address space blends with legitimate business use, and removal depends on the provider acting on abuse reports. Targeting recruiters via job-seeking campaigns expands the initial access vector beyond traditional email phishing to professional networking platforms. A successful More\_eggs infection does not by itself yield card data; it gives the actor credentials and persistent access that, per the report, can lead to follow-on attacks, including ransomware.
## Mitigations
- Exercise increased caution when downloading files or following links sent by job seekers or unknown contacts on platforms like LinkedIn or Indeed, even if they appear professional.
- Be highly suspicious of links leading to personal portfolio or resume sites related to job applications.
- Before opening an externally hosted document, check where it is hosted: resolve the domain, note whether it lands on commonly abused cloud compute or storage (here, EC2), and whether the domain is newly registered with registrant details hidden behind a privacy service.
- If More\_eggs is detected, assume credentials on the affected host are compromised and treat the incident as a possible ransomware precursor.
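The link-vetting step above can be scripted. The following is an added example, not tooling from the report or from any vendor named in it: it takes a URL from a recruiter's inbox and checks three indicators the report associates with this campaign (host resolves into an AWS EC2 prefix, registrant hidden by a registrar privacy service, domain registered within the last 90 days). The AWS prefix entries mirror the shape of the `prefixes` array in AWS's published `ip-ranges.json`, but the entries, the DNS answers, the WHOIS records, the dates and the `REPORT_DATE` constant are all constructed for the example; the two actor domains are the report's defanged examples re-fanged for parsing, with invented addresses and registration dates. A real tool would fetch the prefix list, resolve the host, and query WHOIS/RDAP instead.

```python
import ipaddress
from datetime import date
from urllib.parse import urlparse

# Constructed stand-in for the "prefixes" array of AWS's ip-ranges.json.
# The real file has thousands of entries with overlapping AMAZON/EC2 ranges;
# the EC2 tag marks compute where an actor can run an arbitrary web server.
AWS_PREFIXES = [
    {"ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "18.204.0.0/14", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON"},
]

# Constructed DNS answers and WHOIS records (addresses and dates are invented).
DNS = {
    "bobbyweisman.com": "3.83.12.45",
    "ryanberardi.com": "18.206.9.17",
    "careers.example-corp.com": "198.51.100.7",
}
WHOIS = {
    "bobbyweisman.com": {"registrar": "GoDaddy.com, LLC",
                         "registrant": "Domains By Proxy, LLC",
                         "created": date(2025, 4, 2)},
    "ryanberardi.com": {"registrar": "GoDaddy.com, LLC",
                        "registrant": "Domains By Proxy, LLC",
                        "created": date(2025, 5, 19)},
    "example-corp.com": {"registrar": "Example Registrar",
                         "registrant": "Example Corp",
                         "created": date(2012, 1, 9)},
}
# Constructed "today" so results do not drift with the wall clock.
REPORT_DATE = date(2025, 6, 10)
PRIVACY_MARKERS = ("domains by proxy", "privacy", "redacted", "proxy")
NEW_DOMAIN_DAYS = 90


def ec2_region(ip, entries=AWS_PREFIXES):
    """Return the AWS region if ip falls inside an EC2-tagged prefix, else None."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if entry.get("service") != "EC2":
            continue  # AMAZON/S3/etc. entries are skipped deliberately
        if addr in ipaddress.ip_network(entry["ip_prefix"]):
            return entry["region"]
    return None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com, a real tool would use the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_url(url, today=REPORT_DATE, dns=DNS, whois=WHOIS, prefixes=AWS_PREFIXES):
    """Check one link and return {"indicators": [...], "notes": [...], "verdict": str}."""
    indicators, notes = [], []
    host = urlparse(url).hostname
    if not host:
        return {"indicators": [], "notes": ["no host in URL"], "verdict": "unparseable"}

    ip = dns.get(host)
    if ip is None:
        notes.append(f"{host} did not resolve")
    else:
        region = ec2_region(ip, prefixes)
        if region:
            indicators.append(f"{host} resolves to {ip} in AWS EC2 ({region})")

    record = whois.get(registrable_domain(host))
    if record is None:
        notes.append(f"no WHOIS record for {registrable_domain(host)}")
    else:
        registrant = record["registrant"].lower()
        if any(marker in registrant for marker in PRIVACY_MARKERS):
            indicators.append(f"registrant hidden by privacy service ({record['registrant']})")
        age_days = (today - record["created"]).days
        if age_days < NEW_DOMAIN_DAYS:
            indicators.append(f"domain registered {age_days} days ago")

    if len(indicators) >= 2:
        verdict = "suspicious"
    elif indicators:
        verdict = "review"
    else:
        verdict = "no indicators"
    return {"indicators": indicators, "notes": notes, "verdict": verdict}


if __name__ == "__main__":
    for link in ("https://bobbyweisman.com/resume.pdf",
                 "https://ryanberardi.com/portfolio/",
                 "https://careers.example-corp.com/apply"):
        result = triage_url(link)
        print(link, "->", result["verdict"])
        for line in result["indicators"] + result["notes"]:
            print("   ", line)
```

Note that a hit on the EC2 prefix list alone is weak (a large share of legitimate sites run on EC2); it becomes meaningful only alongside a freshly registered, privacy-shielded domain, which is why the verdict needs two indicators before a link is treated as suspicious rather than merely reviewed.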