Malware scammers target HR professionals with Venom Spider malware – Go Health Pro

Threat actors are targeting organizations by disguising their malware payloads as resume submissions to human resources (HR) departments.

The team at Arctic Wolf reported that a privately run malware operation known as Venom Spider has been targeting HR professionals by way of phony resume submissions and fake personal websites posing as job seekers. The threat actors are believed to be financially motivated, using the group's malware to harvest user credentials and account details from infected systems.

In the past, the Venom Spider team looked for low-hanging fruit, typically going after e-commerce sites and payment portals. However, the threat actors have broadened their horizons and pivoted to HR portals and job-hunting services such as LinkedIn as the initial threat vector.

“The group has historically targeted industry sectors that use online payment portals or e-commerce sites to do business, which in the past has included the retail, entertainment and pharmacy industries,” the researchers explained.

“This change is a tactical step up in terms of targeting, as it puts almost every industry and organization in the group’s crosshairs due to the one thing they all have in common: the need to hire new employees.”

Typically, the Venom Spider attack begins as a seemingly benign job application submission or a link to a professional website. Upon landing on the site, the targeted hiring manager is served a CAPTCHA challenge that filters out automated scanning attempts and lends a supposed air of legitimacy. From there, the target is offered a download posing as the resume of the so-called applicant. Rather than a CV, however, the target obtains and launches a malicious .zip archive.

That archive then launches a JavaScript-based malware payload known as “More_eggs”. This is a remote command-and-control tool that gives the threat actor a persistent back door into the target system to further monitor activity and harvest account credentials. The “More_eggs” malware launches WordPad in the foreground to distract the user while it opens shell access to the threat actor in the background.

In short, we finally found some eggs that Americans won’t be lining up to obtain.

“This current campaign is utilizing cloud-hosted infrastructure and anonymous domain registration. The threat group has taken the time to use multi-level URLs for C2 communication to avoid scanners like Censys and Shodan,” Arctic Wolf’s team explained.

“The actors, while using domains that were previously registered, also utilize only subdomains to further impede automated tracking efforts.”

The researchers noted that, in addition to using living-off-the-land infection techniques that are hard to track at the machine level, the Venom Spider malware operation is particularly nefarious because its targets are HR professionals, whose entire job revolves around opening email attachments and visiting websites, an activity that also happens to be the best way to pick up a malware infection.

“It’s important to understand that in the current economic climate, there may be many hundreds of candidates applying for just a small handful of publicly advertised job listings,” Arctic Wolf VP of threat intelligence Ismael Valenzuela told SC Media.

“This gives threat actors an immediate advantage, since recruiters are under intense pressure to sift through hundreds of resumes in a short time span and may not necessarily question the legitimacy of every resume.”
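The delivery step described above, a "resume" that is really a .zip carrying a JavaScript payload, lends itself to a simple intake check before a recruiter ever opens the file. The following is an added example, not Arctic Wolf's or the article's code: the extension lists are a general triage heuristic and the sample archives are constructed inline, so it runs offline.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Member types that have no business in a resume: Windows script-host files,
# shortcuts, HTML applications and executables all run code when opened.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".lnk",
                     ".exe", ".scr", ".bat", ".cmd", ".ps1"}
# Assumed allowlist of what a genuine CV attachment looks like.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".txt"}


def triage_resume_archive(data: bytes) -> dict:
    """Inspect a zip submitted as a resume without extracting it.

    Returns {'verdict': 'release' | 'hold', 'reasons': [...]}; anything that is
    not a plain document archive is held for a human or sandbox review.
    """
    reasons = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "hold", "reasons": ["not a valid zip archive"]}

    for info in archive.infolist():
        if info.is_dir():
            continue
        name = PurePosixPath(info.filename.replace("\\", "/"))
        suffixes = [s.lower() for s in name.suffixes]
        final = suffixes[-1] if suffixes else ""
        if final in SCRIPT_EXTENSIONS:
            # Resume.pdf.js: a document extension masks the real script extension
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                reasons.append(f"{info.filename}: document extension masks a script ({final})")
            else:
                reasons.append(f"{info.filename}: script/executable member ({final})")
        elif final == ".zip":
            reasons.append(f"{info.filename}: nested archive")
        elif final not in DOCUMENT_EXTENSIONS:
            reasons.append(f"{info.filename}: unexpected file type ({final or 'none'})")
    return {"verdict": "hold" if reasons else "release", "reasons": reasons}


def make_sample_zip(members: dict) -> bytes:
    """Build a constructed in-memory zip from {filename: content} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()
```

A zip of legitimate documents is released, while a double-extension script member, a nested archive or a non-zip blob named `.zip` is held with the reason recorded for the reviewer.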
