About the authors: Or Shichrur is a Threat Intelligence Team Leader at Cyberint, and Yuval Shnitzer is a Cyber Intelligence Analyst. Together they hold many years of experience in the threat intelligence field.
The Growth in Job Posting Spear Phishing Techniques: A Case Study
Or Shichrur & Yuval Shnitzer
In recent years, fake job hiring scams have become a common form of social engineering. Threat actors use these scams to steal money, launder money, commit identity theft, or carry out other fraudulent or illegal activities.
The motives of threat actors behind fake job hiring scams vary. Some are simply looking to make a quick buck, while others are more interested in stealing personal information or committing identity theft. Still others use these scams to carry out more complex fraudulent or illegal activities.
Fake recruiters often use catfishing tactics to lure jobseekers into scams. They offer lucrative jobs, only to deceive applicants and perpetrate malicious activities such as malware installation, monetary theft, or identity theft.
These scammers don’t target just anyone. They specifically target vulnerable jobseekers, such as people who are unemployed or who are looking for work-from-home opportunities.
As technology advances, threat actors’ methods evolve with it. Trojans, malware disguised as harmless files, are among their most effective tools. The volume of malware in circulation keeps growing, and spear phishing is an increasingly popular way to deliver it.
This case study by Cyberint provides an in-depth look at the dangers posed by such Trojans and at the challenges organizations face in combating these threats and impersonations. The study also documents multiple Trojans camouflaged within ZIP files that target and impersonate specific companies in order to exploit their employees and job applicants.
Spear Phishing Technique: Fake Job Listings & Exposed Files
Cyberint detected a spear phishing and information theft pattern online that takes the form of fake job listings or supposedly exposed internal corporate files. Many malicious applications were discovered: executables disguised as PDF, XLS, and DOC files by altering their icons, potentially impersonating hundreds of companies. The files are distributed inside a ZIP archive and target employees or job applicants with promising titles such as “Job Plan Description for the Position of Director” or “Salary and Benefits”.
In addition, the applications were carefully placed among “legitimate” company-related files, such as images or videos, so that the archive looks like a genuine internal bundle.
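Because the disguise is an icon rather than a file format, the check that defeats it is to classify every archive member by content (the PE header) instead of by name or icon. The following is an added example, not code from the original article or from Cyberint: it builds a constructed ZIP that mirrors the described lure (two executables with job-themed names mixed in with harmless-looking company files; the executables are minimal hand-built PE stubs, not real samples), then flags members that are executables, whether they also carry a document extension, and whether they have an Authenticode signature entry (the metadata section of this article shows the real samples were signed). File names and the signed/unsigned split are assumptions for illustration.

```python
import io
import struct
import zipfile

# Extensions a lure file name "claims" to be; the campaign used EXEs with
# PDF/XLS/DOC icons, so the verdict is driven by content, not by name.
DOC_EXTS = {".pdf", ".xls", ".xlsx", ".doc", ".docx"}


def fake_pe(signed: bool) -> bytes:
    """Constructed stand-in for a PE32+ executable: DOS header, PE signature,
    COFF header and an optional header whose Security data directory (entry 4,
    where an Authenticode signature lives) is either filled in or left empty."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    if signed:
        # PE32+ data directories start at offset 112; each entry is (RVA, size).
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x400, 0x200)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


def pe_info(data: bytes):
    """Return (is_pe, has_authenticode_entry) by walking the PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False, False
    opt_off = e_lfanew + 4 + 20          # skip PE signature and COFF header
    if opt_off + 2 > len(data):
        return True, False
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (112 if magic == 0x20B else 96) + 4 * 8
    if dd_off + 8 > len(data):
        return True, False
    _rva, size = struct.unpack_from("<II", data, dd_off)
    return True, size > 0


def inspect_entry(name: str, data: bytes) -> dict:
    """Classify one archive member by its content; the name only adds context."""
    is_pe, signed = pe_info(data)
    parts = name.lower().split(".")
    claims_document = any("." + p in DOC_EXTS for p in parts[1:])
    if is_pe and claims_document:
        verdict = "executable-posing-as-document"
    elif is_pe:
        verdict = "executable"
    else:
        verdict = "ok"
    return {"name": name, "is_pe": is_pe, "signed": signed,
            "claims_document": claims_document, "verdict": verdict}


def scan_archive(blob: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [inspect_entry(i.filename, zf.read(i))
                for i in zf.infolist() if not i.is_dir()]


def executables_in(findings: list) -> list:
    """Names of members that really are executables, whatever they are called."""
    return [f["name"] for f in findings if f["is_pe"]]


def build_sample_archive() -> bytes:
    """Constructed lure archive: two executables with job-themed names mixed
    in with harmless-looking company files, as the campaign is described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Salary and Benefits.pdf.exe", fake_pe(signed=True))
        zf.writestr("Job Plan Description for the Position of Director.exe", fake_pe(signed=False))
        zf.writestr("company_logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("Onboarding.pdf", b"%PDF-1.4\n%constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f"{f['verdict']:30} signed={f['signed']!s:5} {f['name']}")
```

A PE whose name ends in `.exe` is reported only as "executable", because the icon swap is not visible inside the archive; in a job-offer or salary-themed ZIP any executable at all is the finding, and a signed one deserves a look at the signer rather than extra trust.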
Fake Job Listing Victimology
Below are descriptions of several of the companies, among many others, found to be targeted by this campaign:
- One of the largest Japanese multinational conglomerate corporations, known for its electronics
- An elite Italian luxury fashion house
- A leading French cosmetics company and the world’s largest personal care company
- An American worldwide clothing retailer, especially known for its jackets and jeans
- A prestigious Italian luxury fashion house, well known for its fur, leather goods, shoes, fragrances, and eyewear
- A renowned Italian luxury clothing company
Metadata Analysis
Upon file inspection, Cyberint identified identical threat-actor information in the properties of multiple files, including the metadata and code-signing details of the executables.
A direct translation of the signer’s name (Cong Ty Tnhh Cao Su Minh Khang) is “Minh Khang Rubber Co., Ltd”, which raised the suspicion that it is a shell company. Further investigation using the associated email address indicated that the threat actor could be named “Hung Ta Duc”. We believe that additional information is yet to be uncovered.
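Shared metadata is only useful as a pivot when it is applied transitively: file A shares a signer with file B, B shares a contact email with C, so A, B and C belong to the same cluster even though A and C have nothing in common directly. The block below is an added example, not Cyberint’s tooling, showing that pivot as a union-find over constructed sample records; the signer string is the one quoted above, while the hashes, file names, email address and company values are placeholders standing in for what a per-file version-info and Authenticode extraction would return.

```python
from collections import defaultdict

# Constructed records standing in for per-file metadata extraction output.
# Only the signer string comes from the article; everything else is a placeholder.
SAMPLES = [
    {"sha256": "sample-a", "name": "Salary and Benefits.exe",
     "signer": "Cong Ty Tnhh Cao Su Minh Khang", "email": "", "company": "Minh Khang"},
    {"sha256": "sample-b", "name": "Job Plan Description.exe",
     "signer": "CONG TY TNHH  CAO SU MINH KHANG", "email": "actor@example.invalid", "company": ""},
    {"sha256": "sample-c", "name": "Director Position.exe",
     "signer": "", "email": "actor@example.invalid", "company": "Other Co"},
    {"sha256": "sample-d", "name": "unrelated.exe",
     "signer": "Some Vendor Ltd", "email": "", "company": "Some Vendor"},
]

PIVOT_FIELDS = ("signer", "email", "company")


def normalise(value: str) -> str:
    """Case and whitespace differences in signer strings should not split a cluster."""
    return " ".join(value.split()).lower()


def cluster_by_shared_metadata(samples, fields=PIVOT_FIELDS):
    """Union-find over samples: two files join a cluster when they share any
    non-empty pivot value, so A~B (signer) and B~C (email) group A, B and C.
    Each cluster reports the (field, value) pairs that actually linked it."""
    parent = {s["sha256"]: s["sha256"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    index = defaultdict(list)               # (field, value) -> [sha256, ...]
    for s in samples:
        for f in fields:
            v = normalise(s.get(f, ""))
            if v:
                index[(f, v)].append(s["sha256"])
    for members in index.values():
        for a, b in zip(members, members[1:]):
            union(a, b)

    clusters = defaultdict(lambda: {"members": set(), "links": set()})
    for s in samples:
        clusters[find(s["sha256"])]["members"].add(s["sha256"])
    for key, members in index.items():
        if len(members) > 1:
            clusters[find(members[0])]["links"].add(key)
    return sorted(
        ({"members": sorted(c["members"]), "links": sorted(c["links"])}
         for c in clusters.values()),
        key=lambda c: (-len(c["members"]), c["members"]),
    )


if __name__ == "__main__":
    for c in cluster_by_shared_metadata(SAMPLES):
        print(c["members"], "linked by", c["links"] or "nothing")
```

Singleton clusters with no links are exactly the files that still need a different pivot (infrastructure, dropped-file names, Telegram bot identifiers) before they can be attributed to the same actor.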
IP Traffic Examination and Digital Forensics
During the forensic investigation it became apparent that the ZIP files were downloaded from OneDrive. The threat actors abuse the trust users place in OneDrive to lend credibility to the lure; OneDrive, Dropbox, and SharePoint are all commonly used in social engineering campaigns for the same reason. Shortly after the campaign began, the items disappeared from OneDrive, which may indicate an attempt by the threat actor to cover their tracks. Once the EXE files are executed, the malware drops additional files onto the system.
In addition, multiple antivirus engines classified these samples as Ducktail. The Ducktail information stealer is developed in .NET Core. Operators of this malware use Telegram as the platform for command-and-control (C&C) communication and data exfiltration; C&C communication is the channel through which threat actors control compromised devices over the network. When executed by the victim, the malware also enumerates the browsers installed on the compromised device in order to extract stored cookies and other relevant data.
Telegram Bot
During the forensic analysis, it was clear that the malicious applications generated multiple files on the compromised machine. Notably, one of these files appears to be linked to a Telegram bot, implying that it serves as the channel through which the threat actor receives information from the compromised system and potentially as the C&C channel. Further analysis revealed that the extracted malware also communicates with certain domains and IP addresses.
Threat Actor Modus Operandi
Based on the available evidence, the following can be interpreted as the modus operandi of the threat actor:
While the main objective for these Threat Actors is typically financial gain, the information they obtain can also be used to carry out more serious attacks, such as identity theft. This allows them to open new credit card accounts, access the victim’s existing accounts on different platforms, take out loans in the victim’s name, and engage in a variety of fraudulent activities that can have significant financial and legal consequences for the victim.
Recommendations
- Raising Awareness
Cyberint recommends that organizations which suspect they are being targeted by malicious files raise awareness about suspicious files and enhance their security awareness programs with varied examples of similar, rising threats.
In addition, as these threats evolve, it is highly advisable to raise the awareness of all HR-related employees, since impersonations and fake job listings reach job applicants through the hiring process.
- Ensuring Secure Downloads
Cyberint advises organizations to direct their users to the official platforms where they can download legitimate company programs and files.
- Blocking Similar Threats
To prevent similar threats, Cyberint suggests the following measures:
– Analyze the malicious file’s behavior and extract malicious IOCs to block.
– Block any IOCs associated with these malicious files from the company’s internal systems.
- Retroactive Scanning
Cyberint advises conducting scans retroactively (“hunting queries”) to check whether the IOCs were already observed in any of the company’s systems.
- Authenticating Users
In general, other remediation steps for malicious files targeting employees include implementing Multi-Factor Authentication (MFA, including two-factor authentication, 2FA) so that threat actors who obtain valid employee credentials cannot simply log in with them. Note that the cookie theft described above is precisely how a stealer sidesteps MFA, by replaying an already-authenticated session, so compromised users’ sessions should be revoked as well as their passwords reset.
- Implementing a Strong Password Policy
In addition, it is advised to set a strong password policy and to require all employees to change their passwords every prescribed number of days (preferably every 90-120 days). Current NIST guidance (SP 800-63B) discourages mandatory periodic rotation in favor of screening against breached-password lists and forcing a change when compromise is suspected, so the rotation interval is best treated as a compensating control rather than the primary one.
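The blocking and retroactive-scanning recommendations above, together with the Telegram C&C and browser-cookie behaviour described in the forensics sections, translate into a small set of hunting rules. The block below is an added example, not Cyberint’s detection content: it runs those rules over constructed EDR/proxy-style telemetry. The indicators are placeholders (RFC 5737 documentation IPs, a reserved `.example` domain, a dummy hash), the event schema is an assumption, and the Telegram token in the sample URL is invented. Two rules are generic rather than IOC-based: a non-browser process calling the Telegram Bot API, and a non-browser process reading a browser cookie or credential store.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Placeholder indicators, not the campaign's real IOCs: replace with the
# hashes, domains and IPs extracted from the analysed samples.
IOC_SHA256 = {"a" * 64}
IOC_DOMAINS = {"bad.example"}
IOC_IPS = {"203.0.113.10"}           # RFC 5737 documentation range

# Telegram Bot API paths embed the bot token: /bot<bot_id>:<secret>/<method>.
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Chromium-style credential and cookie stores read by info stealers.
BROWSER_STORES = re.compile(r"\\(Cookies|Login Data|Web Data)$", re.IGNORECASE)

# Constructed telemetry (assumed schema): process-start, network and file events.
EVENTS = [
    {"type": "proc", "host": "ws-07", "process": "Salary and Benefits.exe", "sha256": "a" * 64},
    {"type": "net", "host": "ws-07", "process": "chrome.exe",
     "url": "https://www.example.org/jobs", "dst_ip": "198.51.100.5"},
    {"type": "net", "host": "ws-07", "process": "Salary and Benefits.exe",
     "url": "https://api.telegram.org/bot1234567890:AAExample_placeholder_token_0000000000/sendDocument",
     "dst_ip": "198.51.100.9"},
    {"type": "net", "host": "ws-11", "process": "svchost.exe",
     "url": "https://bad.example/update", "dst_ip": "203.0.113.10"},
    {"type": "file", "host": "ws-07", "process": "Salary and Benefits.exe",
     "path": r"C:\Users\jd\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file", "host": "ws-07", "process": "chrome.exe",
     "path": r"C:\Users\jd\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
]


def evaluate(ev: dict) -> list:
    """Apply every hunting rule to one event; return zero or more hits."""
    hits = []
    proc = ev.get("process", "").lower()
    if ev["type"] == "proc" and ev.get("sha256", "").lower() in IOC_SHA256:
        hits.append(("ioc_hash", ev["sha256"][:12]))
    if ev["type"] == "net":
        parts = urlsplit(ev["url"])
        host = (parts.hostname or "").lower()
        if host in IOC_DOMAINS or ev.get("dst_ip") in IOC_IPS:
            hits.append(("ioc_network", host or ev.get("dst_ip")))
        m = TELEGRAM_BOT_RE.match(parts.path)
        if host == "api.telegram.org" and m and proc not in BROWSERS:
            # Report bot id and method only: the secret half of the token is
            # sensitive and does not belong in a ticket or a chat channel.
            hits.append(("telegram_bot_api", f"bot_id={m.group(1)} method={m.group(3)}"))
    if ev["type"] == "file" and BROWSER_STORES.search(ev["path"]) and proc not in BROWSERS:
        hits.append(("browser_store_access", ev["path"].rsplit("\\", 1)[-1]))
    return [{"rule": r, "host": ev["host"], "process": ev.get("process"), "detail": d}
            for r, d in hits]


def hunt(events) -> list:
    """Retroactive scan: run the rules over historical events and collect hits."""
    return [h for ev in events for h in evaluate(ev)]


def summarise(hits) -> dict:
    return dict(Counter(h["rule"] for h in hits))


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"{h['rule']:22} {h['host']:6} {h['process']!s:28} {h['detail']}")
```

The two generic rules survive infrastructure changes that invalidate hash and domain IOCs, but they need tuning per environment: legitimate automation does call the Bot API, so the allow-list should grow to cover known internal tooling rather than being dropped.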
Cyberint’s Phishing Protection
Cyberint is constantly on the lookout for new malware threats, monitoring forums, marketplaces, and code repositories to detect and intercept them before they can be used by cybercriminals. We help our customers defend against these threats and take them down in time. We drastically reduce response time and number of attacks and detect malicious website clones before they go live. Companies can request take down of phishing pages in a click of a button.