The Curious Case of an Excellent Resume
Dec. 4, 2024, 9:38 p.m.
Description
This report details a malicious campaign where the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor employed techniques like abusing legitimate binaries, establishing Cobalt Strike and Pyramid C2, exploiting CVE-2023-27532 for lateral movement, and using Cloudflared for tunneling traffic.
Tags
Date
- Created: Dec. 4, 2024, 8:55 p.m.
- Published: Dec. 4, 2024, 8:55 p.m.
- Modified: Dec. 4, 2024, 9:38 p.m.
Indicators
- cbe1f43ad7a19c97a521a662dd406a3fb345ae919271cefc694a71e55fe163f5
- ffc89a2026fa2b2364dd180ede662fa4ac161323388f3553b6d6e4cb2601cb1f
- fe63fdf34d66f1658e2c9227ac84adffaa2cbb8b689999d4d1ebc733fc5f0fce
- bd3df53a397af4fe5e1441b2c91a6149bac9d26c94e46de9dbcbfa9b8647a935
- b56d2e095dc6c2171e461ca737cbdc0a35de7f4729b31fe41258f9cbd81309a1
- a26379ad2eb9de44691da254182ca65fb32596fe1217fe4fbddb173f361a0a9b
- 95634a5c6a8290aaa9d287f28c7d22b3b7ca1cf974339fc89ea4d542fa2ec45a
- 757e297137e8ed21622297ae8885740b5beb09bc07141cf8ce7b24dbd95bdaf0
- 6f12dc858631cf90cd4fef57fbb52675b8649d777c7f86384c6535da0a59ad67
- 4569c869047a092032f6eac7cf0547591a03a0d750a6b104a606807ea282d608
- 4b8be22b23cd9098218a6f744baeb45c51b6fad6a559b01fe92dbb53c6e2c128
- 408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f
- 29bc115b5ae8cf19578c1c6a6743c3e53b9247d8eb6c556bc9d056994c58835b
- 228cd867898ab0b81d31212b2da03cc3e349c9000dfb33e77410e2937cea8532
- aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d
- a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258
- 172.96.139.82
- 144.208.127.15
- 108.174.197.15
- pin.howasit.com