Cybercriminals Weaponize Job Platforms: FIN6 Group Exploits LinkedIn and Indeed to Spread Malware Through Fake Resumes
The cybercriminal organization FIN6 has adopted a sophisticated social engineering approach, using fraudulent job seeker profiles to target recruiters on professional networking platforms like LinkedIn and Indeed. According to research from DomainTools Investigations (DTI), the group distributes the More_eggs malware through fake resume websites hosted on Amazon Web Services infrastructure.

The Attack Strategy
FIN6 operatives create convincing job seeker personas and engage recruiters in seemingly legitimate conversations on employment platforms. After establishing trust, they share links to websites that appear to contain their professional resumes. These malicious domains, such as bobbyweisman[.]com and ryanberardi[.]com, masquerade as personal portfolio sites.
The threat actors register these domains anonymously through GoDaddy, utilizing the registrar's privacy protection services to conceal their true identities and complicate takedown efforts. The sites themselves are hosted on legitimate cloud services such as AWS EC2 and S3, so the phishing infrastructure borrows the reputation of those providers and is less likely to be blocked outright.
Advanced Evasion Techniques
The fraudulent resume sites incorporate sophisticated filtering mechanisms to avoid detection by security tools. The websites employ CAPTCHA verification and analyze visitor characteristics before delivering malicious content. Only users accessing the site from residential IP addresses using standard Windows browsers receive the malicious resume download. Visitors from VPN services, cloud infrastructure, or corporate security scanners are instead served a benign text version of the resume.
When victims download what they believe is a resume, they receive a ZIP file that initiates the More_eggs malware installation process upon extraction.
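A practical control at this step is to inspect a "resume" archive for script, shortcut or executable members before anyone extracts it, since a genuine CV archive has no reason to contain them. The following is an added example written for this article, not code from DomainTools or any tool mentioned in the report; the extension lists and the sample archives are constructed here for illustration (the member names, such as a shortcut hiding behind a .pdf name, are assumed patterns, not indicators from the campaign).

```python
"""
Inspect a downloaded "resume" ZIP archive for script or shortcut payloads
before extraction. Added example; the archives below are constructed in
memory so the script runs offline.
"""
import io
import zipfile

# Member extensions a genuine resume archive has no reason to contain.
# This list is an assumption for the example, not taken from the article.
RISKY_EXTENSIONS = {
    ".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta", ".lnk",
    ".exe", ".scr", ".dll", ".ps1", ".bat", ".cmd", ".msi", ".iso",
}
DOCUMENT_EXTENSIONS = {".pdf", ".docx", ".doc", ".rtf", ".txt", ".odt"}


def classify_member(name: str) -> list[str]:
    """Return the reasons a ZIP member looks suspicious (empty list if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()      # strip any folder prefix
    parts = base.split(".")
    if len(parts) < 2:                          # no extension at all
        return reasons
    exts = ["." + p for p in parts[1:]]
    if exts[-1] in RISKY_EXTENSIONS:
        reasons.append(f"executable or script extension {exts[-1]}")
    # "resume.pdf.lnk" style: a document extension hiding the real one
    if (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS
            and exts[-1] not in DOCUMENT_EXTENSIONS):
        reasons.append("document extension followed by another extension")
    # Runs of spaces push the real extension out of view in file dialogs
    if "  " in base:
        reasons.append("whitespace padding in file name")
    if exts[-1] == ".zip":
        reasons.append("nested archive")
    return reasons


def inspect_resume_archive(data: bytes) -> dict:
    """Scan archive bytes and return per-member findings plus a verdict."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return {"suspicious": bool(findings), "findings": findings}


def build_sample_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one plausible CV archive, one that carries payloads.
BENIGN = build_sample_archive({"Resume.pdf": b"%PDF-1.4 constructed sample"})
LURE = build_sample_archive({
    "Resume.pdf.lnk": b"constructed placeholder, not a real shortcut",
    "Resume.js": b"// constructed placeholder, not a real script",
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("lure", LURE)):
        print(label, inspect_resume_archive(blob))
```

The check operates purely on archive metadata, so it can run at a mail or web gateway without executing anything; a hit on a "resume" download is a good trigger for quarantining the file and reviewing the recruiter's recent conversations on the job platform that supplied the link.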
The More_eggs Malware Connection
More_eggs is developed by the Golden Chickens cybercrime group (also known as Venom Spider), which has recently been linked to additional malware variants including TerraStealerV2 and TerraLogger. This JavaScript-based backdoor enables attackers to steal credentials, maintain system access, and conduct subsequent attacks, including ransomware deployment.
FIN6's Criminal Background
Active since 2012, FIN6 (operating under various aliases including Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557) initially focused on compromising point-of-sale systems in retail and hospitality environments to harvest payment card information. The group has also employed Magecart JavaScript skimmers to target e-commerce platforms.
Historical analysis by Visa indicates that FIN6 has utilized More_eggs as an initial attack vector since at least 2018, specifically targeting e-commerce merchants to inject malicious scripts into checkout processes for financial data theft. The stolen payment information is then monetized through direct sales to intermediaries or on underground marketplaces.
Key Takeaways
This campaign demonstrates how cybercriminals effectively combine low-complexity social engineering with sophisticated technical evasion methods. By leveraging trusted cloud infrastructure, implementing advanced filtering techniques, and using realistic employment-related lures, FIN6 successfully evades many conventional security detection systems.
The use of legitimate job platforms as an initial attack vector highlights the evolving nature of cyber threats and the importance of maintaining vigilance across professional networking channels.