Russian-Speaking Hacker Group FIN6 Employs Job Fraud Tactics

A financially motivated hacking group known as FIN6 is reportedly engaging in job fraud, impersonating job candidates to target recruiters and using fake resumes hosted on reputable cloud platforms to deliver malware covertly.
According to researchers from DomainTools, FIN6, also referred to as Skeleton Spider, meticulously engages with recruiters on platforms such as LinkedIn and Indeed, presenting realistic resumes and maintaining professional interactions. The approach is designed to deliver malware payloads from cloud-based infrastructure that can bypass traditional security measures.
Historically, cybercriminals have posed as recruiters to lure job-seeking individuals into downloading malware under the pretense of assessment tasks. The method has been adopted not only by North Korean hackers but also by other groups emulating their tactics, as highlighted in the report "Iranian Threat Actors Mimic North Korean Job Scam Techniques".
FIN6's operational strategy has shifted several times since the group emerged in 2014. Its latest move turns from targeting job seekers directly to cultivating relationships with recruiters. The group reinforces the scheme with phishing messages that cite non-clickable URLs, so recruiters must type the addresses into their browsers by hand, which sidesteps security tools that inspect embedded links.
The domains associated with this scam are registered anonymously and are designed to mimic legitimate applicant identities. They host landing pages that pose as professional portfolios on Amazon Web Services infrastructure. Traffic filtering on these pages singles out what it judges to be genuine user visits, serving malware to those and benign files to everything else.
Only connections deemed legitimate (those originating from residential IP addresses, using standard Windows browsers, and passing Captcha checks) are served a zip file. The archive contains a malicious .lnk shortcut disguised as a resume. Opening the shortcut downloads a sophisticated backdoor known as more_eggs, which is linked to the Venom Spider cybercrime group.
Once executed, the more_eggs malware operates entirely in memory, enabling credential theft, remote command execution, and potentially ransomware deployment. By abusing native Windows binaries such as wscript.exe and regsvr32.exe, the malware follows the approach known as "living off the land" (the abused binaries are termed LOLBins) to stay undetected by security systems.
FIN6 also maintains persistence through Windows registry keys and scheduled tasks, securing its foothold on compromised systems.
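As an added example (not code from the article or from DomainTools), the following Python triages constructed process-creation events for the behaviour just described: wscript.exe or regsvr32.exe spawned from the shell, followed by registry Run-key or scheduled-task persistence. The event field names, the sample telemetry, and the parent-process heuristic (explorer.exe launching the LOLBin after a user opens the shortcut) are assumptions, not details from the report.

```python
# Added example, not code from the article or from DomainTools: triage of constructed
# process-creation events for the behaviour described above (wscript.exe / regsvr32.exe
# launched from a shortcut, then Run-key or scheduled-task persistence).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LOLBINS = {"wscript.exe", "regsvr32.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)

@dataclass
class Event:  # field names are assumptions loosely modelled on Sysmon Event ID 1
    host: str
    image: str    # full path of the created process
    parent: str   # full path of its parent process
    cmdline: str

def classify(ev: Event) -> Optional[str]:
    """Label one event, or return None when nothing matched."""
    name, parent = (p.rsplit("\\", 1)[-1].lower() for p in (ev.image, ev.parent))
    cmd = ev.cmdline.lower()
    # LOLBin spawned by the shell fits a user opening the 'resume' shortcut; under a service it is routine.
    if name in LOLBINS and parent == "explorer.exe":
        return f"lolbin-from-shell:{name}"
    if name == "schtasks.exe" and "/create" in cmd:
        return "persistence:scheduled-task"
    if name == "reg.exe" and " add " in cmd and RUN_KEY.search(ev.cmdline):
        return "persistence:run-key"
    return None

def triage(events: List[Event]) -> Dict[str, List[str]]:
    found: Dict[str, List[str]] = {}  # host -> findings in event order
    for ev in events:
        if label := classify(ev):
            found.setdefault(ev.host, []).append(label)
    return found

def escalate(found: Dict[str, List[str]]) -> List[str]:
    # Hosts showing both a LOLBin launch and a persistence action deserve a case.
    return sorted(h for h, ls in found.items() if any(x.startswith("lolbin") for x in ls)
                  and any(x.startswith("persistence") for x in ls))

SAMPLE = [  # constructed telemetry, not from any real incident
    Event("HR-PC-01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'wscript.exe "C:\Users\hr\AppData\Local\Temp\Resume_Candidate.js"'),
    Event("HR-PC-01", r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\wscript.exe",
          r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d "wscript.exe C:\Users\hr\AppData\Roaming\upd.js"'),
    Event("HR-PC-02", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\svchost.exe",
          r"wscript.exe C:\Windows\System32\slmgr.vbs /dlv"),
]
```

Running triage over SAMPLE flags HR-PC-01 for both the shell-launched wscript.exe and the Run-key write, while the service-launched wscript.exe on HR-PC-02 produces no finding.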
Domains confirmed to be part of this campaign include davidlesnick.com, kimberlykamara.com, and alanpower.net, each hosted on AWS infrastructure.