- DomainTools observes hackers creating fake job-seeking personas
- They target recruiters and HR managers with the More_eggs backdoor
- The backdoor can steal credentials and execute commands
Hackers are now posing as job seekers and targeting recruiters and organizations with a dangerous backdoor, experts have warned.
Cybersecurity researchers at DomainTools recently observed a threat actor using this method in the wild, and noted that the hackers first create fake personas on LinkedIn together with fake CV websites to back them up.
The website domains are purchased anonymously through GoDaddy and hosted on Amazon Web Services (AWS), so that they are not flagged or taken down quickly.
More_eggs
The hackers then contact recruiters, HR managers and business owners on LinkedIn, build up a rapport, and move the conversation to email. There they share the CV website, which filters visitors based on their operating system and other parameters. Visitors arriving through VPN or cloud connections, for example, as well as those on macOS or Linux, are served benign content.
Those judged to be worthwhile targets are first shown a fake CAPTCHA, after which they are offered a .zip archive for download. This archive, which the recruiter believes contains the CV, actually drops a disguised Windows shortcut (LNK) that runs a script to download the More_eggs backdoor.
More_eggs is a modular backdoor that can execute commands, steal login data, deliver additional payloads and run PowerShell, in a simple but effective attack that relies on social engineering and advanced evasion.
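As an added illustration (not code from the DomainTools report or this article), here is a defender-side check for archives like the "CV" described above: it opens a zip in memory and flags entries with shortcut or script extensions, document-style double extensions, and the Windows shell-link header bytes. The sample archive, its file names and the sample contents are constructed for this example.

```python
import io
import zipfile

# A Windows shell link (.lnk) begins with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions that should never appear in a legitimate CV archive.
RISKY_SUFFIXES = (".lnk", ".js", ".vbs", ".hta")
DOCUMENT_EXTENSIONS = ("pdf", "doc", "docx")


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per suspicious entry in a zip archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as entry:
                head = entry.read(len(LNK_MAGIC))
            reasons = []
            if name.endswith(RISKY_SUFFIXES):
                reasons.append("script-or-shortcut extension")
            if head.startswith(LNK_MAGIC):
                reasons.append("LNK header bytes")
            # "resume.pdf.lnk" -> ["resume", "pdf", "lnk"]: a document extension
            # hidden in front of the real one is a classic masquerade.
            parts = name.rsplit("/", 1)[-1].split(".")
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("double extension masquerading as a document")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a 'CV' zip holding a shortcut disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume_John_Doe.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("cover_letter.txt", b"Dear hiring manager, ...")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

The same function can be pointed at mail-gateway or download-directory archives to quarantine them before a user extracts and double-clicks the shortcut.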
AWS has since come forward to thank the security community for the findings, and to stress that campaigns like these violate its terms of service and are routinely removed from the platform.
“AWS has clear terms that require our customers to use our services in accordance with applicable laws,” an AWS spokesperson said.
“When we receive reports of possible violations of our terms, we act quickly to review and take steps to remove prohibited content. We appreciate collaboration with the security research community and encourage researchers to report suspected abuse to AWS Trust & Safety through our abuse reporting process.”