FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware

The Hacker News by The Hacker News
June 10, 2025


Jun 10, 2025Ravie LakshmananPhishing / Cybercrime

The financially motivated threat actor known as FIN6 has been observed leveraging fake resumes hosted on Amazon Web Services (AWS) infrastructure to deliver a malware family called More_eggs.

“By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware,” the DomainTools Investigations (DTI) team said in a report shared with The Hacker News.

More_eggs is the work of another cybercrime group called Golden Chickens (aka Venom Spider), which was most recently attributed to new malware families like TerraStealerV2 and TerraLogger. A JavaScript-based backdoor, it’s capable of enabling credential theft, system access, and follow-on attacks, including ransomware.

One of the malware’s known customers is FIN6 (aka Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557), an e-crime crew that originally targeted point-of-sale (PoS) systems in the hospitality and retail sectors to steal payment card details and profit from them. It has been operational since 2012.

The hacking group also has a history of using Magecart JavaScript skimmers to target e-commerce sites to harvest financial information.

According to payment card services company Visa, FIN6 has leveraged More_eggs as a first-stage payload as far back as 2018 to infiltrate several e-commerce merchants and inject malicious JavaScript code into the checkout pages with the ultimate goal of stealing card data.

“Stolen payment card data is later monetized by the group, sold to intermediaries, or sold openly on marketplaces such as JokerStash, prior to it shutting down in early 2021,” Secureworks notes in a profile of the threat actor.

The latest activity from FIN6 involves the use of social engineering to initiate contact with recruiters on professional job platforms like LinkedIn and Indeed, posing as job seekers to distribute a link (e.g., bobbyweisman[.]com, ryanberardi[.]com) that purports to host their resume.

DomainTools said the bogus domains, which masquerade as personal portfolios, are registered anonymously through GoDaddy for an extra layer of obfuscation that makes attribution and takedown efforts more difficult.

“By exploiting GoDaddy’s domain privacy services, FIN6 further shields the true registrant details from public view and takedown teams,” the company said. “Although GoDaddy is a reputable and widely used domain registrar, its built-in privacy features make it easy for threat actors to hide their identities.”

Another noteworthy aspect is the use of trusted cloud services, such as AWS Elastic Compute Cloud (EC2) or S3, to host phishing sites. What’s more, the sites come with built-in traffic filtering logic to ensure that only prospective victims are served a link to download the supposed resume after completing a CAPTCHA check.

“Only users appearing to be on residential IP addresses and using common Windows-based browsers are allowed to download the malicious document,” DomainTools said. “If the visitor originates from a known VPN service, cloud infrastructure like AWS, or corporate security scanners, the site instead delivers a harmless plain-text version of the resume.”
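The vantage-point filtering described above means a single fetch from a corporate scanner will only ever see the harmless plain-text resume. One defender-side check is to request the same URL under several client profiles and compare what comes back; the script below is an added illustration, not code from DomainTools or the article, and the `constructed_fetch` fixture and `example.invalid` URL are made up to mimic the behaviour the report describes.

```python
"""Multi-profile fetch comparison to flag content cloaking on a suspected lure URL."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Profile:
    name: str
    user_agent: str
    egress: str  # "datacenter" or "residential": where the fetch is assumed to run from


@dataclass(frozen=True)
class Response:
    content_type: str
    body: bytes


# Assumption: each profile is executed from a matching egress point (e.g. a sandbox
# behind a residential exit versus the SOC's cloud-hosted scanner).
PROFILES = (
    Profile("corporate-scanner", "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101", "datacenter"),
    Profile("windows-residential", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0", "residential"),
)

ARCHIVE_TYPES = ("application/zip", "application/x-zip-compressed", "application/octet-stream")

Fetcher = Callable[[str, Profile], Response]


def fingerprint(resp: Response) -> Tuple[str, str]:
    """Reduce a response to (content-type, short SHA-256) so profiles can be compared."""
    return resp.content_type, hashlib.sha256(resp.body).hexdigest()[:16]


def detect_cloaking(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch `url` under every profile; report divergence and whether any profile got an archive."""
    per_profile = {p.name: fingerprint(fetch(url, p)) for p in PROFILES}
    distinct = set(per_profile.values())
    serves_archive = any(ct.startswith(ARCHIVE_TYPES) for ct, _ in distinct)
    return {
        "cloaked": len(distinct) > 1,          # same URL, different payloads per client profile
        "serves_archive": serves_archive,      # a "resume" delivered as a ZIP is the red flag
        "per_profile": per_profile,
    }


def constructed_fetch(url: str, profile: Profile) -> Response:
    """Constructed stand-in for a lure site: plain text to scanners, a ZIP to residential Windows."""
    if profile.egress == "residential" and "Windows" in profile.user_agent:
        return Response("application/zip", b"PK\x03\x04constructed-archive-bytes")
    return Response("text/plain", b"Bobby Weisman - Resume (plain text)")


if __name__ == "__main__":
    print(detect_cloaking("https://example.invalid/resume", constructed_fetch))
```

A site that returns a ZIP only to the residential Windows profile while every scanner profile gets text/plain is worth escalating on that divergence alone, before anyone opens the archive.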

The downloaded resume takes the form of a ZIP archive that, when opened, triggers an infection sequence to deploy the More_eggs malware.

“FIN6’s Skeleton Spider campaign shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion,” the researchers concluded. “By using realistic job lures, bypassing scanners, and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools.”
