Looking for a new job or employee has become a more perilous task thanks to recent malware spreading tactics by FIN6. It’s not a new group, but they’ve been playing the long game by creating personal profiles on LinkedIn and Indeed that let them network and converse with recruiters.
These new tactics illustrate how threat groups have evolved to abuse trusted platforms. The evolution is also significant because it marks the group's shift toward enterprise infiltration, with HR teams now among the frontline victims.
Here we take a look at some of what makes the FIN6 “More_eggs” attack work so well.
What Is FIN6?
The cyber threat group known as FIN6 has been active since at least 2015. It began as a financially motivated group that targeted point-of-sale (PoS) systems in the retail and hospitality industries using malware such as Trinity and FrameworkPOS. The group then moved into Magecart web skimming, injecting malicious JavaScript (JS) into ecommerce checkout pages to capture card data.
Around 2018, the group expanded its operations into ransomware, deploying Ryuk and LockerGoga and collaborating with other cybercriminal groups.
Additionally, the group has several aliases, including Skeleton Spider, Magecart Group 6, ITG08, TAAL, Group G0037, and Camouflage Tempest, that are all related to its different operations.
Current Malware and Techniques
This month revealed a new ploy by the group. We already know that there are nefarious things happening on LinkedIn and Indeed. For example, talks given in April at the Innovate Cybersecurity Summit shared that nation-state groups are creating personas to recruit agents on LinkedIn.
More recently, analysts observed FIN6 taking aim at recruiters and HR departments by posing as job seekers. This twist on social engineering is a novel tactic in hiring-related attacks.
Fake Resumes
The FIN6 threat actors create convincing resumes and host them on AWS, which makes them seem genuine. The platform also offers the group several advantages over its previous hosting methods.
Social Engineering
The group begins its attack by initiating contact on professional platforms such as Indeed and LinkedIn, posing as enthusiastic job seekers. They engage with recruiters and HR departments and build network connections to make their activity appear authentic and to improve the likelihood that their contacts will trust the source.
The Phishing Campaign
Next, the fake job seekers send phishing messages to the connections they have made on the platforms. These messages do not include a clickable link; instead, the address is spelled out with inserted punctuation, such as myname (@) mydomain (.) com, and padded with extra spaces or underscores, which lets it slip past automated link detection. The targeted recipient must therefore type the URL manually into the browser to reach the fake resume site.
The domains used frequently combine a first and last name, such as ryanberardi[.]com or clarabarton[.]com, to resemble a real applicant, and they are often registered anonymously through GoDaddy, which adds another layer of obfuscation and makes threat attribution and takedown efforts harder. GoDaddy's domain privacy service also shields the actual registrant details from takedown teams and from public view.
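The defanged-address trick described above defeats link scanners that look for literal URLs. The following added example (written for this article, not FIN6 tooling or any vendor's product) shows a defender-side normalizer that undoes the common punctuation substitutions and reports any address that appears only after de-obfuscation. The sample messages are constructed; the domains reuse the examples named in the text.

```python
import re

# Constructed sample messages imitating the obfuscated addresses described
# in the article (not real recruiter messages).
SAMPLE_MESSAGES = [
    "Hi! My full resume is at ryanberardi (.) com, feel free to have a look.",
    "You can reach me at myname (@) mydomain (.) com or see my portfolio "
    "at clarabarton_dot_com",
    "Thanks for connecting. Looking forward to the interview on Monday.",
    "Our careers page is https://www.example.com if you want to check us out.",
]

# "(.)", "[.]", "{.}", "(dot)", " dot ", "_dot_" ... -> "."
DOT_RE = re.compile(
    r"[\s_]*(?:[\(\[\{]\s*(?:\.|dot)\s*[\)\]\}]|[\s_]+dot[\s_]+)[\s_]*", re.I
)
# "(@)", "[at]", "{ @ }" ... -> "@"  (bare " at " is left alone to limit false positives)
AT_RE = re.compile(r"[\s_]*[\(\[\{]\s*(?:@|at)\s*[\)\]\}][\s_]*", re.I)

EMAIL_RE = re.compile(r"\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def normalize(text: str) -> str:
    """Collapse spelled-out punctuation back into a plain address."""
    text = DOT_RE.sub(".", text)
    return AT_RE.sub("@", text)


def extract_addresses(text: str) -> set:
    """Emails plus bare domains found in text (email domains not double-counted)."""
    emails = set(EMAIL_RE.findall(text))
    remainder = EMAIL_RE.sub(" ", text)
    domains = set(DOMAIN_RE.findall(remainder))
    return {a.lower() for a in emails | domains}


def find_obfuscated_addresses(text: str) -> list:
    """Addresses that a plain link scanner on the raw text would miss,
    i.e. those that only surface after normalization."""
    visible = extract_addresses(text)
    hidden = extract_addresses(normalize(text))
    return sorted(hidden - visible)


def scan_messages(messages) -> dict:
    """Map message index -> list of obfuscated addresses (only flagged messages)."""
    hits = {}
    for i, msg in enumerate(messages):
        found = find_obfuscated_addresses(msg)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for idx, addrs in scan_messages(SAMPLE_MESSAGES).items():
        print(f"message {idx}: obfuscated address(es) {addrs}")
```

Flagging only the difference between the raw and normalized extractions keeps ordinary, visible links out of the alert, so the signal is specifically "someone wrote an address in a form that evades link detection", which is a strong hint of phishing in a recruiting inbox. The substitution tables are deliberately conservative and will need tuning for a production mail filter.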
Other Tactics
FIN6 has added several gatekeeping measures to its sites, such as environmental fingerprinting and behavior checks, to ensure that only its intended targets can reach the landing pages where it hosts the professional portfolios. It also blocks VPN and cloud connections, as well as connections from Linux or macOS systems.
Security analysts say that they expect that the threat actors behind these domains are using fraudulent or disposable email addresses in addition to foreign or anonymous IP addresses. They likely use stolen or prepaid payment methods to create or maintain the related accounts. All of these combined with domain name themes and impersonation methods are allowing FIN6 to hold on to its infrastructure long enough to carry out phishing campaigns before security researchers or registrars take them down.
More_Eggs Malware
The More_eggs malware is associated with another cybercrime group known as Golden Chickens. It is typically sold as Malware-as-a-Service (MaaS) to threat actors such as FIN6 and Cobalt Group. Golden Chickens is also known for creating several other malware families. The collaboration between these groups underlines the interconnected nature of cybercrime.
More_eggs is a JavaScript-based backdoor that uses built-in Windows components (C:\Windows\System32\cmd.exe) to spread through systems. The More_eggs dropper generates a JS launcher and a payload that finally deploys the More_eggs backdoor, which steals system data and transfers it to C2 servers.
It poses the following risks:
- Credential Theft: The More_Eggs malware can steal private login data, which puts personal and business accounts at risk.
- System Access: Once the attackers gain access and are inside systems, they can get control of compromised systems, which leads to more exploitation.
- Follow-On Attacks: The More_eggs malware can also facilitate additional attacks such as ransomware installation.
Amazon Web Services
Many organizations have moved to the cloud, hosting full infrastructures or hybrid ones. Cybercriminals and threat groups have paid attention and are hosting their operations in the cloud, too.
By using trusted cloud providers such as AWS, threat groups get several benefits.
- Reliable—Cloud providers such as AWS have a strong infrastructure that can manage significant traffic.
- Obfuscation—Using the cloud, groups like FIN6 can mask or obfuscate their activities easily, which makes it more difficult for them to be tracked by security teams.
- Advanced Evasion Tactics—Traffic filtering is typically included in these sites to only allow potential victims to access the malicious content.
One example is employing CAPTCHA on the phishing sites to separate genuine users from security scanners. Visitors that originate from a cloud infrastructure or a known VPN will get a harmless version of the resume rather than a malware-infected one.
The Human Factor
Typical security systems should detect malware such as More_eggs, but business operational needs, human error, and misconfigurations increase the risk that the malware bypasses detection.
These attacks target HR professionals, who routinely receive emails with external documents and are therefore especially exposed.
The combination of tactics and techniques is what makes the FIN6 More_eggs campaign so effective. Sophisticated technical evasion, abuse of trusted infrastructure, professional social engineering, and exploitation of human psychology together leave traditional security methods with little ability to detect or prevent these attacks.
Remediation and Detection
While detection and remediation can be a challenge, we’ve uncovered a few places that are helpful for security teams to review.
These artifacts can help when hunting for the More_eggs malware:
- Watch for unexpected launches of Microsoft Word or WordPad, often triggered by LNK files to distract users while the payload runs. Check process trees for cmd.exe spawning these apps alongside suspicious binaries (ieuinit.exe).
- Monitor ieuinit.exe executions from %temp% rather than %windir%\system32. More_eggs uses this LOLBAS with arguments like -basesettings to parse ieuinit.inf.
- Search %temp% for ieuinit.inf and ieuinit.exe, and remove them.
- Flag LNK files within ZIP attachments. More_Eggs attacks commonly involve ZIP files that contain both a malicious LNK file and a decoy JPG image.
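The hunting artifacts above translate directly into detection logic. The following added example (not from the article or any vendor's product) runs the process-tree checks over constructed Sysmon-style process-creation events and checks a constructed ZIP attachment for the LNK-plus-JPG pairing. The event records, PIDs, and file names are invented for the demonstration; the ieuinit.exe name, the %temp% location and the -basesettings argument are the ones named in the text.

```python
import io
import ntpath
import zipfile

DECOY_APPS = {"winword.exe", "wordpad.exe"}   # apps launched to distract the user
SUSPICIOUS_BINARIES = {"ieuinit.exe"}         # LOLBAS copy used by More_eggs
SYSTEM32 = r"\windows\system32"

# Constructed process-creation events (pid, parent pid, image path, command line).
MALICIOUS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c "launcher.js"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE resume.docx"},
    {"pid": 202, "ppid": 200, "image": r"C:\Users\hr\AppData\Local\Temp\ieuinit.exe",
     "cmdline": "ieuinit.exe -basesettings"},
]
# A user opening Word from a script, with no sibling ieuinit.exe: should not alert.
BENIGN_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c open.bat"},
    {"pid": 301, "ppid": 300, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE notes.docx"},
]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def detect_process_events(events):
    """Return (pid, reason) alerts for the More_eggs process artifacts."""
    alerts = []
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    for e in events:
        base = _base(e["image"])
        if base not in SUSPICIOUS_BINARIES:
            continue
        # Artifact: ieuinit.exe running from a user-writable location, not system32
        if not _dir(e["image"]).endswith(SYSTEM32):
            alerts.append((e["pid"], f"{base} executed outside %windir%\\system32: {e['image']}"))
        # Artifact: -basesettings argument, used to parse the dropped ieuinit.inf
        if "-basesettings" in e["cmdline"].lower():
            alerts.append((e["pid"], f"{base} invoked with -basesettings"))

    # Artifact: cmd.exe spawning a decoy document viewer next to ieuinit.exe
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or _base(parent["image"]) != "cmd.exe":
            continue
        names = {_base(k["image"]) for k in kids}
        if names & DECOY_APPS and names & SUSPICIOUS_BINARIES:
            alerts.append((ppid, "cmd.exe spawned a decoy viewer alongside ieuinit.exe"))
    return alerts


def zip_has_lnk_and_image(data: bytes) -> bool:
    """True when a ZIP attachment pairs an LNK file with a JPG decoy image."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        exts = {ntpath.splitext(n.lower())[1] for n in zf.namelist()}
    return ".lnk" in exts and bool(exts & {".jpg", ".jpeg"})


def build_sample_zip(names) -> bytes:
    """Constructed ZIP with inert placeholder entries (no real LNK content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder bytes for the example")
    return buf.getvalue()


if __name__ == "__main__":
    for pid, reason in detect_process_events(MALICIOUS_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
    print("ZIP suspicious:", zip_has_lnk_and_image(build_sample_zip(["Resume.lnk", "photo.jpg"])))
```

The process checks key on the parent-child relationship rather than on a single process name, so a user legitimately opening Word does not trip the decoy rule, while the location and argument checks fire independently and give two corroborating signals on the same PID.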
It’s also critical to ensure that all teams check that:
- Secure configurations are applied to all devices.
- Security updates are downloaded and applied.
- Tamper protection settings, where available, in security products are enabled.
- Obsolete platforms are segregated away from the rest of the network.
- IT usage policies are reinforced by regular training. This helps to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorized users or locations.
- Systems are continuously monitored; any unusual activity is investigated. This will help ensure that a compromise of the network is detected as early as possible.
The Indicators of Compromise (IOCs) can be found in this GitHub repository.