Security Brief: TA4557 Targets Recruiters Directly via Email    | Proofpoint US

TA4557 has shifted to directly emailing recruiters with benign-looking inquiries that, once replied to, lead recipients to actor-controlled fake resume websites which deliver a ZIP containing a malicious LNK that ultimately installs the More_Eggs backdoor. The campaign employs living-off-the-land binaries (ie4uinit.exe, regsvr32), WMI/ActiveX for execution, and anti-analysis techniques to evade detection. #TA4557 #More_Eggs

Keypoints

  • Since October 2023, TA4557 has been sending direct, benign-looking emails to recruiters; the malicious chain begins only after the target replies.
  • Actor replies include either a URL to a fake resume site or a PDF/Word attachment instructing the recipient to visit the site.
  • Fake resume sites apply filtering and a CAPTCHA; passing checks causes a ZIP download containing a shortcut (LNK) file.
  • The LNK abuses ie4uinit.exe, which reads a location from ie4uinit.inf and downloads and executes a scriptlet from it (living-off-the-land behavior).
  • The scriptlet decrypts and drops a DLL to %APPDATA%\Microsoft, then attempts to execute it with regsvr32 spawned through WMI, falling back to an ActiveX Run method if that fails.
  • The DLL contains sandbox/debug evasion (execution-delay loop, NtQueryInformationProcess checks), retrieves an RC4 key, and drops the More_Eggs backdoor and MSXSL, with More_Eggs used for persistence, profiling, and further payload delivery.
  • Observed IOCs include actor-controlled resume domains (e.g., wlynch.com, annetterawlings.com) and multiple SHA256 payload hashes.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Used when the actor replies with ‘a URL linking to an actor-controlled website posing as a candidate resume.’
  • [T1566.001] Spearphishing Attachment – Used when the actor replies with ‘a PDF or Word attachment containing instructions to visit the fake resume website.’
  • [T1204] User Execution – The attack requires recipient interaction (completing the CAPTCHA and opening the LNK) to proceed: ‘CAPTCHA which, if completed, will initiate the download of a zip file containing a shortcut file (LNK).’
  • [T1218] System Binary Proxy Execution – Abuse of the legitimate binary ‘ie4uinit.exe’ to download and run a scriptlet: ‘abuses legitimate software functions in “ie4uinit.exe” to download and execute a scriptlet from a location stored in the “ie4uinit.inf” file.’
  • [T1218.010] Regsvr32 – The DLL execution is attempted by creating ‘a new regsvr32 process to execute the DLL using Windows Management Instrumentation (WMI)’.
  • [T1047] Windows Management Instrumentation – WMI is the launcher for both the regsvr32 process and, post-compromise, the MSXSL executable.
  • [T1105] Ingress Tool Transfer – Downloading of the scriptlet and subsequent payloads from actor-controlled infrastructure: ‘download and execute a scriptlet from a location stored in the “ie4uinit.inf” file.’
  • [T1059] Command and Scripting Interpreter – The downloaded scriptlet decrypts and writes a DLL and orchestrates further execution: ‘The scriptlet decrypts and drops a DLL in the %APPDATA%\Microsoft folder.’
  • [T1220] XSL Script Processing – The dropped MSXSL executable is launched (via WMI) to run More_Eggs.
  • [T1497] Virtualization/Sandbox Evasion – The DLL uses timing loops to outlast sandbox analysis: ‘incorporates a loop specifically designed to retrieve the RC4 key… extend its execution time’.
  • [T1622] Debugger Evasion – The DLL ‘employs multiple checks to determine if it is currently being debugged, utilizing the NtQueryInformationProcess function.’

Indicators of Compromise

  • [Domain] fake resume sites used in lure – wlynch.com, annetterawlings.com
  • [SHA256] payload/file hashes – 9d9b38dffe43b038ce41f0c48def56e92dba3a693e3b572dbd13d5fbc9abc1e4, 6ea619f5c33c6852d6ed11c52b52589b16ed222046d7f847ea09812c4d51916d, and 1 more hash

Technical procedure (concise): TA4557 initiates engagement with recruiters via benign-looking emails; once the target replies, the actor provides either a direct URL to an actor-controlled fake resume site or a document instructing the user to visit that site. The fake site applies environment filtering and, for targets that pass checks, serves a CAPTCHA that, when completed, triggers a ZIP download containing an LNK shortcut.

Execution chain: the LNK leverages ie4uinit.exe to read an ie4uinit.inf entry that points to a scriptlet, which is then downloaded and run (LOTL). The scriptlet decrypts and drops a DLL under %APPDATA%\Microsoft, then attempts to execute it by spawning regsvr32 through WMI; if that fails, it tries an ActiveX Run-based method. The DLL contains anti-analysis measures (timing loops and NtQueryInformationProcess debug checks), extracts an RC4 key, and then drops the More_Eggs backdoor along with the MSXSL executable.

Post-compromise behavior: MSXSL is launched via WMI and the initial DLL deletes itself. More_Eggs provides host profiling, persistence, and a mechanism to fetch and deploy additional payloads. Defenders should focus detection on the hosting domains, the ZIP-containing-LNK delivery pattern, ie4uinit.exe reading ie4uinit.inf and fetching a scriptlet, regsvr32 and msxsl.exe processes spawned by the WMI provider host, DLLs dropped under %APPDATA%\Microsoft, and the listed SHA256 hashes.
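The detection points listed above, turned into a small rule set as an added example (this is not code from the Proofpoint brief). It runs over constructed Sysmon-style process-creation events; the field names, the assumption that ie4uinit.exe legitimately runs only from the system directories, the WMI-parent heuristic (WmiPrvSE.exe as parent of regsvr32/msxsl), and the sample file names and placeholder hashes are all assumptions, while the two SHA256 values are the ones the brief lists:

```python
"""Added example, not from the Proofpoint brief: toy detections for the
TA4557 execution chain over constructed Sysmon-style process-creation events.
Field names, heuristics and sample events are assumptions."""
import ntpath
import re

# SHA256 values listed in the brief's IOC section.
IOC_SHA256 = {
    "9d9b38dffe43b038ce41f0c48def56e92dba3a693e3b572dbd13d5fbc9abc1e4",
    "6ea619f5c33c6852d6ed11c52b52589b16ed222046d7f847ea09812c4d51916d",
}

# Assumption: servicing tasks run ie4uinit.exe from these directories only.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# %APPDATA% expands to <profile>\AppData\Roaming, so the brief's
# "%APPDATA%\Microsoft" drop folder looks like this in a command line.
APPDATA_DLL = re.compile(r'\\AppData\\Roaming\\Microsoft\\[^\\"\s]+\.dll', re.I)


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def rule_ie4uinit_outside_system_dir(ev):
    """ie4uinit.exe running from, or with its working directory in, a
    user-writable location, as a copied binary next to an ie4uinit.inf would."""
    if _base(ev["Image"]) != "ie4uinit.exe":
        return False
    cwd = ev.get("CurrentDirectory", "")
    return not _in_system_dir(ev["Image"]) or not _in_system_dir(cwd)


def rule_regsvr32_appdata_dll_via_wmi(ev):
    """regsvr32 spawned by the WMI provider host, loading a DLL dropped
    under %APPDATA%\\Microsoft (the scriptlet's execution attempt)."""
    return (_base(ev["Image"]) == "regsvr32.exe"
            and _base(ev["ParentImage"]) == "wmiprvse.exe"
            and APPDATA_DLL.search(ev.get("CommandLine", "")) is not None)


def rule_msxsl_via_wmi(ev):
    """msxsl.exe launched through WMI (the More_Eggs post-compromise step)."""
    return (_base(ev["Image"]) == "msxsl.exe"
            and _base(ev["ParentImage"]) == "wmiprvse.exe")


def rule_known_ioc_sha256(ev):
    """Exact match of the image hash against the brief's SHA256 IOCs."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", ev.get("Hashes", ""))
    return bool(m) and m.group(1).lower() in IOC_SHA256


RULES = [rule_ie4uinit_outside_system_dir, rule_regsvr32_appdata_dll_via_wmi,
         rule_msxsl_via_wmi, rule_known_ioc_sha256]


def detect(events):
    """Return (event id, rule name) for every rule that fires, in event order."""
    return [(ev["id"], r.__name__) for ev in events for r in RULES if r(ev)]


# Constructed events; file names and non-IOC hashes are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Users\\hr\\Downloads\\resume\\ie4uinit.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "ie4uinit.exe",
     "CurrentDirectory": "C:\\Users\\hr\\Downloads\\resume", "Hashes": "SHA256=" + "0" * 64},
    {"id": 2, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Users\\hr\\AppData\\Roaming\\Microsoft\\stage.dll"',
     "CurrentDirectory": "C:\\Windows\\System32\\", "Hashes": "SHA256=" + "1" * 64},
    {"id": 3, "Image": "C:\\Users\\hr\\AppData\\Roaming\\Microsoft\\msxsl.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "msxsl.exe",
     "CurrentDirectory": "C:\\Users\\hr\\AppData\\Roaming\\Microsoft",
     "Hashes": "SHA256=9d9b38dffe43b038ce41f0c48def56e92dba3a693e3b572dbd13d5fbc9abc1e4"},
    # Benign: Active Setup run of ie4uinit.exe from System32.
    {"id": 4, "Image": "C:\\Windows\\System32\\ie4uinit.exe",
     "ParentImage": "C:\\Windows\\System32\\runonce.exe", "CommandLine": "ie4uinit.exe -UserConfig",
     "CurrentDirectory": "C:\\Windows\\System32\\", "Hashes": "SHA256=" + "2" * 64},
    # Benign: installer registering a component outside %APPDATA%.
    {"id": 5, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\comp.dll"',
     "CurrentDirectory": "C:\\Windows\\System32\\", "Hashes": "SHA256=" + "3" * 64},
]

if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The hash rule is the brittle one: it only catches the exact samples the brief lists, so the behavioral rules (WMI-parented regsvr32 and msxsl, ie4uinit.exe outside the system directories) are what would catch a re-packed payload; tune the system-directory and parent-process assumptions to your own baseline before deploying.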

Read more: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email