- DomainTools spots hackers creating fake job-seeker personas
- They approach recruiters and human resources managers with the More eggs backdoor
- The backdoor can steal credentials and execute commands
Hackers are now pretending to be job applicants, targeting recruiters and organizations with dangerous backdoor malware, experts have warned.
Cybersecurity researchers at DomainTools recently saw a threat actor known as the end using this method in the wild, pointing out that the hackers would first create fake personas on LinkedIn and create fake resume websites to go along with them.
The websites' domains are bought anonymously through GoDaddy and are hosted on Amazon Web Services (AWS), to avoid being flagged or taken down quickly.
More eggs
Then, the hackers would contact recruiters, human resources managers and business owners on LinkedIn, building a relationship before moving the conversation to email. Then, they would share the resume website, which filters visitors based on their operating system and other parameters. For example, people who come through VPN or cloud connections, as well as those running macOS or Linux, receive benign content.
Those who pass the filtering are first served a fake CAPTCHA, after which they are offered a .zip file to download. This file, which the recruiters believe is the resume, actually drops a disguised Windows shortcut (LNK) file that executes a script that downloads the "More eggs" backdoor.
More eggs is a modular backdoor that can execute commands, steal login credentials, deliver additional payloads and run PowerShell, in a simple but effective attack that depends on social engineering and advanced evasion.
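The delivery step described above, a .zip "resume" that carries a Windows shortcut, can be checked for before a download or attachment reaches a recruiter. The following is an added example, not code from DomainTools or the original article: it inspects an archive in memory and flags members that carry the Windows Shell Link header, whatever extension they use. The file names and sample archives are constructed for illustration.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK format).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def find_shortcuts(zip_bytes):
    """Return (entry name, reason) for each archive member that looks like a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Read only the header bytes; nothing is extracted to disk.
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            name = info.filename.lower()
            if head == LNK_MAGIC:
                reason = ("LNK header" if name.endswith(".lnk")
                          else "LNK header under another extension")
                findings.append((info.filename, reason))
            elif name.endswith(".lnk"):
                findings.append((info.filename, ".lnk extension without valid header"))
    return findings


def build_sample(entries):
    """Constructed test input: build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples (hypothetical names): header bytes plus padding only.
SUSPICIOUS = build_sample({
    "resume/Jane_Doe_CV.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
    "resume/photo.jpg": LNK_MAGIC + b"\x00" * 56,
    "resume/readme.txt": b"portfolio attached",
})
BENIGN = build_sample({"Jane_Doe_CV.pdf": b"%PDF-1.7\n"})

if __name__ == "__main__":
    for name, reason in find_shortcuts(SUSPICIOUS):
        print(f"{name}: {reason}")
```

Password-protected archives raise an error when a member is opened without the password, so a gateway using a check like this should treat them as uninspectable rather than clean.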
AWS has since come forward to thank the security community for the findings and to emphasize that campaigns such as this violate its terms of service and are frequently removed from the platform.
“AWS has clear terms that require our customers to use our services in accordance with applicable laws,” said an AWS spokesman.
“When we receive reports of possible violations of our terms, we act quickly to review and take measures to disable forbidden content. We value collaboration with the Security Research Community and encourage researchers to report suspicion of abuse to AWS Trust & Safety through our dedicated abuse report process.”
Via BleepingComputer