The Curious Case of an Excellent Resume
Dec. 4, 2024, 9:38 p.m.
Tags
External References
Description
This report details a malicious campaign in which the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor abused legitimate binaries, established Cobalt Strike and Pyramid C2, exploited CVE-2023-27532 (a Veeam Backup & Replication vulnerability) for lateral movement, and used Cloudflared to tunnel traffic.
Date
Published: Dec. 4, 2024, 8:55 p.m.
Created: Dec. 4, 2024, 8:55 p.m.
Modified: Dec. 4, 2024, 9:38 p.m.
Indicators
.96.139.82
144.208.127.15
108.174.197.15
pin.howasit.com
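The indicators above are only useful once they are matched against telemetry, so the following is an added example (not code from the original report or from The DFIR Report) that runs the page's IPs and domain, plus a Cloudflared tunnel-launch check, over a handful of constructed log lines. The log format, the host names and the cloudflared command line are assumptions for illustration; only the IOC values are taken from the page.

```python
"""Triage constructed log lines against this page's indicators.

Added example, not part of the original report. The sample log lines,
host names and the cloudflared command line are constructed for
illustration; the IOC values come from the page's Indicators section.
"""
import re

# Indicators copied from the page (the truncated entry is omitted).
IOC_IPS = {"144.208.127.15", "108.174.197.15"}
IOC_DOMAINS = {"pin.howasit.com"}

# The page states Cloudflared was used for tunnelling. A process-creation
# event for cloudflared with the "tunnel" subcommand is the cheapest signal;
# the exact flags vary, so only the binary name and subcommand are matched.
CLOUDFLARED_RE = re.compile(r"cloudflared(?:\.exe)?\b.*\btunnel\b", re.IGNORECASE)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def find_ioc_hits(line: str) -> list[str]:
    """Return 'ip:...' / 'domain:...' tags for every page IOC found in a line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(f"ip:{ip}")
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in IOC_DOMAINS:
            hits.append(f"domain:{dom.lower()}")
    return hits


def is_cloudflared_tunnel(line: str) -> bool:
    """True if the line looks like a cloudflared tunnel being started."""
    return CLOUDFLARED_RE.search(line) is not None


def triage(lines):
    """Return (line_number, [reasons]) for every line that fires a check."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = find_ioc_hits(line)
        if is_cloudflared_tunnel(line):
            reasons.append("cloudflared_tunnel")
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_LOGS = [
    "2024-11-01T10:02:11Z dns client=10.0.0.25 query=pin.howasit.com type=A",
    "2024-11-01T10:03:40Z fw src=10.0.0.25 dst=144.208.127.15 dport=443 action=allow",
    '2024-11-01T10:05:02Z proc host=WS01 cmd="C:\\Users\\Public\\cloudflared.exe tunnel --url rdp://localhost:3389"',
    "2024-11-01T10:06:00Z fw src=10.0.0.25 dst=8.8.8.8 dport=53 action=allow",
]

if __name__ == "__main__":
    for line_no, reasons in triage(SAMPLE_LOGS):
        print(line_no, ", ".join(reasons))
```

Expect hits on lines 1 to 3 only: the DNS query for the page's domain, the outbound connection to one of the page's IPs, and the cloudflared tunnel launch. Unmatched benign traffic (line 4) produces nothing. Extend `IOC_IPS` and `IOC_DOMAINS` as further indicators are published; the tunnel check is behavioural and does not depend on the IOC list.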
Attack Patterns
Cloudflared
Terra Loader
More_eggs - S0284
Cobalt Strike - S0154
TA4557/FIN6
T1069.002
T1069.001
T1217
T1087.001
T1003.001
T1021.001
T1059.006
T1135
T1053.005
T1482
T1087.002
T1018
T1136
T1059.001
T1572
T1555
T1518.001
T1070.004
T1562.001
T1204.002
T1105
T1083
T1046
T1566
T1090
T1068
CVE-2023-27532