Two sentences: Trellix researchers warn that job-themed phishing and malware campaigns surge in economic downturns, targeting job seekers and employers with fake resumes, fake documents, and malicious links. The campaigns leverage typosquatted domains and well-crafted emails to steal data and deliver malware such as Emotet, Agent Tesla, Cryxos, and Nemucod. hashtags: #Emotet #AgentTesla #Cryxos #Nemucod #TypoSquatting #Indeed #LinkedIn
Key points
- Cybercriminals exploit economic hardship with job-themed phishing and malware campaigns targeting job seekers and employers.
- Phishing emails impersonate legitimate companies or recruiters to harvest personal information or credentials.
- Malware campaigns use attachments or URLs that infect devices or download additional malicious software.
- Attackers impersonate job seekers to deliver malware to employers via resumes or identification documents.
- Fake or stolen documents (e.g., Social Security numbers, driver’s licenses) increase email credibility.
- Typosquatted domains imitating popular job sites (e.g., Indeed, LinkedIn) are being registered to deceive victims.
- Observed malware families include Emotet, Agent Tesla, Cryxos, and Nemucod, with various delivery and propagation methods.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The article notes emails containing attachments that may direct victims to a phishing page or download malware to their system. ‘The emails either come as a notification of a job vacancy or as a job application which would contain a URL or attachment directing the victim to a phishing page or downloading malware to his system.’
- [T1566.002] Spearphishing Link – The article describes malicious URLs and phishing pages designed to resemble login forms to proceed with the job application. ‘Most of the phishing pages follow the same style in which they were made to resemble a login form to proceed with the job application.’
- [T1583.001] Acquire Infrastructure: Domains – Typosquatted domains were registered to mimic popular job sites. ‘Typo squatting is a social engineering attack that purposely uses misspelled domains for malicious purposes.’
- [T1105] Ingress Tool Transfer – Nemucod downloads and runs additional malicious files onto the system. ‘Nemucod – Downloads and runs additional malicious files onto the system.’
- [T1110] Brute Force – Emotet proliferates within a network by brute forcing user credentials. ‘The malware then attempts to proliferate within a network by brute forcing user credentials.’
- [T1059.001] PowerShell – Detection signatures include ‘Suspicious PowerShell Usage (METHODOLOGY)’.
Indicators of Compromise
- [Domain] Typosquatted domains used in campaigns – indeed-id.com, indeed-7.com, indeed-a.com, indeed.ch, indedd.com, linkhedin.com, linkegin.com, linkednn.com, and 6 more domains
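The typosquatted domains listed above can be caught with a simple lexical check against the brand labels. The following is an added example (not from the Trellix report): it flags a domain when its second-level label equals a brand under an unexpected TLD, wraps the brand with an extra hyphenated token, or sits within two edits of the brand. The legitimate-domain set and the edit threshold are assumptions for illustration.

```python
from typing import Dict, Optional

# Assumed legitimate domains for the two brands named in the report.
LEGIT = {"indeed.com", "linkedin.com"}
BRANDS = ("indeed", "linkedin")
MAX_EDITS = 2  # assumed threshold: labels this close to a brand get flagged


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, all costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[str]:
    """Return why a domain looks like a brand typosquat, or None if it does not."""
    domain = domain.lower().strip(".")
    if domain in LEGIT:
        return None
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]  # e.g. 'indedd' and 'com' for indedd.com
    for brand in BRANDS:
        if sld == brand:
            return f"brand label '{brand}' under unexpected TLD .{tld}"
        if sld.startswith(brand + "-") or sld.endswith("-" + brand):
            return f"brand '{brand}' combined with an extra token"
        d = levenshtein(sld, brand)
        if 0 < d <= MAX_EDITS:
            return f"within {d} edit(s) of brand '{brand}'"
    return None


def find_typosquats(domains) -> Dict[str, str]:
    """Map each flagged domain to the reason it was flagged."""
    return {dom: why for dom in domains if (why := classify(dom))}


# Constructed sample: the eight domains named in the report plus three benign controls.
SAMPLE = [
    "indeed-id.com", "indeed-7.com", "indeed-a.com", "indeed.ch", "indedd.com",
    "linkhedin.com", "linkegin.com", "linkednn.com",
    "indeed.com", "linkedin.com", "example.org",
]

if __name__ == "__main__":
    for dom, why in find_typosquats(SAMPLE).items():
        print(f"{dom}: {why}")
```

Run it over newly registered domains or DNS logs to surface lookalikes before users click.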