FIN6 attackers target recruiters with fraudulent resumes
The group's phishing methods protect it from many detection tools, researchers warn
The FIN6 hacking group, also known as Skeleton Spider, has been spotted impersonating job seekers to target recruiters with malware.
Contacting recruiters and HR departments on sites such as LinkedIn or Indeed, the group submits convincing-looking job resumes containing phishing links. These links lead to the applicant's 'personal website', said to contain their resume. The links are given in a 'johnsmith[.]com' format.
"The faulty links are crafted in a way that evades detection and blocking, requiring recipients to type them on their browsers manually," said Andrew Costis, engineering manager of the adversary research team at AttackIQ.
"The domains are registered anonymously, and come equipped with environmental fingerprinting and behavioral checks to ensure that only the target can open the landing pages."
In a new report by DomainTools, researchers identified a number of these domains hosted on AWS infrastructure, including bobbyweisman[.]com, emersonkelly[.]com, and davidlesnick[.]com.
"It is likely the actors behind these domains use disposable or fraudulent email addresses, anonymous or foreign IP addresses, and prepaid or stolen payment methods to create and maintain these accounts," the researchers said.
"Combined with the use of resume-themed domain names and impersonation techniques, this registration strategy allows FIN6 to keep their infrastructure alive just long enough to carry out active phishing campaigns while avoiding rapid takedown by security researchers or registrars."
The researchers said that, when accessed, the sites often display a professional-looking fake resume, lulling recruiters into a false sense of security.
Meanwhile, to help them stay under the radar, the attackers use traffic filtering techniques to control who can access the malicious content: only visitors who appear to be on residential IP addresses and using common Windows-based browsers are allowed to download the malicious document.
If the visitor is coming via a known VPN service, cloud infrastructure like AWS or corporate security scanners, the site instead delivers a harmless plain-text version of the resume.
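The filtering described above means an automated scanner will usually see only the harmless plain-text resume. The following is an added example (not code from the article, DomainTools or AttackIQ) of the differential check a defender can run against a suspicious link: fetch it once with a common Windows browser profile and once with a generic scanner profile, then compare status, content type and body. The user-agent strings, the `fetch` callable and the stand-in server are assumptions, and the response bodies are constructed.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, str, bytes]          # (status, content-type, body)
Fetcher = Callable[[str, Dict[str, str]], Response]

# Assumed request profiles: one mimicking the browsers the article says are
# let through, one looking like a generic scanner or script.
PROFILES: Dict[str, Dict[str, str]] = {
    "windows_browser": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
    },
    "scanner": {"User-Agent": "python-urllib/3", "Accept": "*/*"},
}

def fingerprint(resp: Response) -> Dict[str, object]:
    """Reduce a response to the fields worth comparing across profiles."""
    status, ctype, body = resp
    return {"status": status, "content_type": ctype.split(";")[0].strip().lower(),
            "size": len(body), "sha256": hashlib.sha256(body).hexdigest()}

def detect_cloaking(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch `url` under each profile and report whether the server cloaks."""
    seen = {name: fingerprint(fetch(url, hdrs)) for name, hdrs in PROFILES.items()}
    browser, scanner = seen["windows_browser"], seen["scanner"]
    reasons = []
    if browser["status"] != scanner["status"]:
        reasons.append("HTTP status differs by profile")
    if browser["content_type"] != scanner["content_type"]:
        reasons.append("content type differs by profile (download vs plain page)")
    # Dynamic pages legitimately differ byte-for-byte; flag only large size gaps.
    larger = max(browser["size"], scanner["size"]) or 1
    if browser["sha256"] != scanner["sha256"] and abs(browser["size"] - scanner["size"]) / larger > 0.2:
        reasons.append("body size differs substantially by profile")
    return {"cloaked": bool(reasons), "reasons": reasons, "by_profile": seen}

def live_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Real fetcher for use from an isolated analysis host (assumed usage)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as r:
        return r.status, r.headers.get("Content-Type", ""), r.read()

def constructed_cloaking_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in modelling the gate the article describes."""
    if "Windows NT" in headers.get("User-Agent", ""):
        return 200, "application/octet-stream", b"\x00" * 4096   # constructed payload stub
    return 200, "text/plain; charset=utf-8", b"John Smith - Resume\nExperience: ...\n"
```

Because the real gate also checks the source IP, a probe sent from cloud or VPN egress may still receive the benign version under both profiles; a clean result from a scanner host is therefore not proof the page is harmless.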
DomainTools said that one of the group's favorite payloads is more_eggs, a stealthy JavaScript-based backdoor developed by the Venom Spider group, also known as Golden Chickens, and offered as malware-as-a-service.
The more_eggs malware facilitates credential theft, system access and follow-on attacks, including the use of ransomware. FIN6 has been using this malware since at least 2018; in 2019, Visa warned that the group was targeting e-commerce firms and placing skimming malware on their checkout pages.
"What makes FIN6 a particularly dangerous group is the length of time they've survived and the breadth of different attack tactics they've been observed implementing," said Costis.
"The group has compromised point-of-sale systems to conduct financial fraud, expanded into ransomware attacks, and most recently used social engineering campaigns to deliver malware-as-a-service JavaScript backdoors for credential theft. This vast pool of experience makes them especially threatening to unprotected data."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.