Fake resumes targeting HR managers now come with updated backdoor

%temp%\ieuinit.inf and writes obfuscated commands to it, including a Windows batch file.

When this code is executed, Microsoft WordPad is automatically launched as a ploy to distract the user, who is meant to believe the promised resumé is being opened. The batch script then covertly launches the legitimate Windows utility %windir%\system32\ie4uinit.exe, which in turn executes the commands from the file ieuinit.inf. The contents of this file trigger execution of the commands within the malicious %temp%\ieuinit.inf file.

“This is a living-off-the-land (LOTL) technique that has been around for a while,” the report noted. Its purpose here is to use a legitimate application, in this case ie4uinit.exe, to execute commands and run JavaScript code. The ieuinit.inf file contains the URL of the next step in the attack chain, which downloads the More_eggs dropper. Its executable library is complex, using obfuscated code that generates JavaScript code polymorphically. Execution of the library is time-delayed to evade sandboxing and analysis by researchers.

Experts say resume scams are a long-standing and successful tactic, because hiring officers are used to opening attachments that are supposed to contain a CV. In addition to data theft, another goal can be espionage, so targets include government departments, defense manufacturers, IT companies and critical infrastructure providers.

One trick: the applicant includes a password for opening the supposed resumé in their email. That tactic makes it harder for email gateways to screen the attachment directly. In 2018, Mailguard, an Australian email security provider, warned of a phishing campaign using this tactic. Another tactic is an email sent to an organization’s managers, purporting to come from HR, with an attachment supposedly listing approved hires.
Organizations that use third-party job posting websites, including sites such as LinkedIn and Indeed.com, should regularly train employees to identify and counter spear phishing attacks, said Arctic Wolf.

“Venom Spider has deliberately engineered their campaign to circumvent signature-based detection systems,” said Ismael Valenzuela, vice president of threat research and intelligence at Arctic Wolf, in an email. “Effective mitigation should integrate targeted controls with scalable email defenses. Secure email gateways can be configured to block file extensions commonly exploited in these campaigns, while system administrators can implement granular policy restrictions on workstations. Network segmentation limits the blast radius in the event of a compromise and frustrates threat actors’ attempts to move laterally upon gaining access.”

“Managed Detection and Response solutions function as one of the final defensive layers, though numerous opportunities exist to interrupt the infection chain earlier,” he added. “Effective cybersecurity ultimately depends on a layered approach rather than overreliance on any single protective measure.”

He provided these recommendations for CISOs, to help mitigate the threat:
- Consider the use of Secure Email Gateway solutions to help proactively filter out malicious emails.
- Implement an Endpoint Detection and Response (EDR) solution.
- Ensure all employees throughout the company are aware of security best practices, including awareness of social engineering techniques. Additional care is required when staff are expected to regularly intake and review documents from the public, such as resumés and online portfolios. Employees should be cautioned that certain file extensions such as LNK, VBS or ISO may be malicious and should not be opened. Zip files may bypass automatic email security filters, so additional care should be taken to preview the contents of enclosed files before opening them.
- Add or enable a phishing report button in your organization’s email solution, to empower employees to immediately report suspected phishing emails to your SOC or IT security team.
- Consider conducting regular internal phishing tests to reinforce security training. It is vital for leadership to create a streamlined process for staff to report suspicious activity without fear of judgement. Positive feedback should be provided to those who successfully identify phishing drills, but it is also important to avoid punishing or “naming and shaming” those who fall for phishing test emails. By creating an environment that encourages vigilance, phishing attempts can be caught well before they cause a major incident. Leadership must acknowledge that even well-trained staff may make mistakes when socially engineered to believe that there is an emergency. Threat actors may use language in their phishing emails that is deliberately calculated to inspire urgency or fear, such as spoofed emails from leadership requesting the employee take immediate action or face the consequences.
- Block identified command-and-control infrastructure used in this campaign.
- Deploy detection rules for malicious components used by More_eggs malware.
- Carefully review logs for indicators of compromise.
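The LOTL chain described above (a batch file writing %temp%\ieuinit.inf and launching ie4uinit.exe) and the recommendation to deploy detection rules both reduce to a few process- and file-event checks. The following is an added example of such logic, not code from the article or from Arctic Wolf; it runs over constructed Sysmon-style key=value lines, and the list of script hosts beyond cmd.exe is an assumed extension of the batch-file case the article describes.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
# These are sample lines written for this example, not logs from the campaign.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=11 Image=C:\\Windows\\System32\\cmd.exe TargetFilename=C:\\Users\\hr\\AppData\\Local\\Temp\\ieuinit.inf",
    "EventID=1 Image=C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=1 Image=C:\\Windows\\System32\\ie4uinit.exe ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=1 Image=C:\\Windows\\System32\\ie4uinit.exe ParentImage=C:\\Windows\\System32\\svchost.exe",
]

# Script hosts that should not normally be the parent of ie4uinit.exe. The article
# describes a batch file (cmd.exe); the other hosts are an assumed extension.
SCRIPT_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
TEMP_INF_RE = re.compile(r"\\Temp\\ieuinit\.inf$", re.IGNORECASE)

def parse_event(line):
    """Turn a key=value event line into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line))

def win_basename(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the name of the matching rule, or None if the event looks benign."""
    eid = event.get("EventID")
    image = win_basename(event.get("Image", ""))
    parent = win_basename(event.get("ParentImage", ""))
    if eid == "11" and TEMP_INF_RE.search(event.get("TargetFilename", "")):
        return "ieuinit.inf written to %temp%"
    if eid == "1" and image == "ie4uinit.exe" and parent in SCRIPT_PARENTS:
        return "ie4uinit.exe launched by a script host"
    if eid == "1" and parent == "ie4uinit.exe":
        return "ie4uinit.exe spawned a child process"
    return None

def detect(lines):
    """Run every rule over the log lines; return (rule, line) pairs for hits."""
    hits = []
    for line in lines:
        rule = classify(parse_event(line))
        if rule:
            hits.append((rule, line))
    return hits

if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

The scheduled-task style launch of ie4uinit.exe under svchost.exe in the sample is deliberately left unflagged, since the utility is legitimate and the signal is its parent, not its presence.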

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3977803/fake-resumes-targeting-hr-managers-now-come-with-updated-backdoor.html
