Cybercriminals Using Fake Government Job Ads To Spread Malware
October 04, 2022 By Omal J
Cybercriminals preying on job seekers are using fake government job ads to distribute Cobalt Strike beacons and other malware in New Zealand and the United States. According to researchers from Cisco Talos, an unidentified threat actor is sending out numerous phishing emails that impersonate the New Zealand Public Service Association (PSA) and the US Office of Personnel Management (OPM).
The email asks the recipient to download and open an attached Word document, claiming it contains further information about the job opportunity.
Remote code execution
The document contains malicious macros that, when enabled, exploit CVE-2017-0199, a remote code execution vulnerability patched in April 2017. When the macro runs, Word downloads a document template from a Bitbucket repository. The template then runs several Visual Basic scripts, which download a DLL file called "newmodeler.dll". That DLL is a Cobalt Strike beacon.
A simpler distribution variant fetches the malware downloader directly from Bitbucket. Once a Cobalt Strike beacon is running, threat actors can execute commands remotely on the compromised endpoint, map the network, move laterally across it, and uncover more sensitive data.
According to the researchers, the beacons communicate with an Alibaba-hosted Ubuntu server located in the Netherlands, which carries two valid, self-signed SSL certificates.
Cisco did not identify the threat actor behind these fake government job ad campaigns, although one well-known group, Lazarus Group, has recently been tied to several bogus job campaigns. The notorious North Korean state-sponsored actor has targeted blockchain developers, artists working on non-fungible tokens (NFTs), aerospace specialists, and political journalists, stealing cryptocurrency and sensitive information.
I worked for both print and electronic media as a feature journalist. Writing, traveling, and DIY sum up my life.