In March 2024, a sophisticated cyber attack was detected that began with a weaponized resume and led to the compromise of several servers within an organization. The attack was attributed to the threat actor group TA4557, which has a history linked to other well-known groups like FIN6. The attackers used social engineering tactics, delivering a malicious job application that contained a zip file named “John Shimkus.zip.” Within the zip file, a Windows Shortcut (.lnk) file, when executed, unleashed a series of malware components, marking the beginning of the multi-stage attack.
The first step of the infection involved the execution of the .lnk file, which abused the legitimate Microsoft executable, ie4uinit.exe, to deploy the more_eggs backdoor. This backdoor established a persistent communication channel with the command-and-control (C2) server, facilitating further malware deployment. The attackers leveraged the msxsl.exe binary and LOLBin (Living Off the Land Binaries) techniques to maintain stealth, evading detection while taking control of the victim’s system.
Once the initial infection was successful, the attackers moved swiftly to escalate privileges and gain full control over the organization’s servers. They exploited a known vulnerability, CVE-2023-27532, in Veeam software used for backup purposes. This allowed them to execute arbitrary SQL commands, create new local administrator accounts, and further compromise the organization’s environment. The attackers then used Remote Desktop Protocol (RDP) to connect to the infected servers, installing Cloudflared for tunneling traffic and maintaining access for further exploitation.
The attack demonstrated a combination of advanced exploitation techniques, credential access methods, and strategic network mapping. Tools like Seatbelt, SharpShares, and SoftPerfect Network Scanner were used to explore the environment and gather credentials from LSASS memory. Two primary C2 channels were detected, with the more_eggs payload communicating with pin.howasit[.]com, while the Cobalt Strike beacon connected to shehasgone[.]com. This sophisticated multi-stage attack highlights the need for organizations to implement strong cybersecurity practices to detect and mitigate complex threats that blend social engineering, vulnerability exploitation, and post-exploitation activities.
Reference:
