Google Warns of Threat Actors Using Fake Job Posting to Deliver Malware and Steal Credentials

A recent security advisory has revealed a sophisticated cybercriminal operation based in Vietnam, targeting professionals in digital advertising and marketing. This operation involves fake job postings on legitimate employment platforms and custom-built recruitment websites to deliver malware and steal credentials.
Technical Overview
The campaign uses remote access trojans and credential-harvesting phishing kits, and its end goal is control of corporate advertising and social media accounts. The threat actors create fake company profiles on job boards so that applicants willingly submit resumes and contact details, which establishes a false sense of trust before any malicious content is sent.
Because victims believe they are dealing with a prospective employer, later messages from the attackers appear legitimate. The harvested contact data is also reused for follow-up cold email campaigns or sold to other criminal groups.
Target and Methodology
Researchers from Google's Threat Intelligence Group track this operation as UNC6229. It primarily targets remote workers in contract or part-time positions, particularly those with access to high-value corporate advertising and social media accounts. Once taken over, such accounts can be abused to run advertisements on the attacker's behalf or sold on to other criminal groups.
Delivery Mechanisms and Technical Infrastructure
UNC6229 employs two primary payload delivery methods:
- Password-Protected ZIP Attachments: These are disguised as skills assessments, application forms, or hiring tasks, and they carry remote access trojans that give the attacker control of the victim's device. The password protection also prevents mail gateway scanners from inspecting the archive contents, which is why the technique is favored.
- Obfuscated Phishing Links: Shortened URLs direct victims to fraudulent interview scheduling portals or assessment platforms built to harvest corporate email credentials and to capture the victim's multi-factor authentication response as well, so that a second factor alone does not stop the account takeover.
The operation abuses legitimate customer relationship management platforms, such as Salesforce, to manage campaigns and bypass email security filters, increasing the authenticity of malicious messages.
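One practical check that follows from the password-protected ZIP delivery method above: a mail gateway cannot decrypt the archive, but the ZIP central directory is never encrypted, so the encryption flag, the compression method and every member file name remain readable without the password. The script below is an added example, not code from Google or from the advisory; it inspects an attachment with Python's standard `zipfile` module and flags encrypted members (general-purpose bit-flag bit 0 for traditional PKWARE encryption, compression method 99 for WinZip AES) and executable-looking member names. The `SUSPICIOUS_EXT` policy list and the `make_sample_zip` helper, which patches the encryption bit into a normally written archive because `zipfile` cannot write encrypted ZIPs, are constructed for the example.

```python
import io
import struct
import zipfile

# Hypothetical gateway policy: extensions that should never arrive inside a
# "skills assessment" or "application form" archive. Not from the advisory.
SUSPICIOUS_EXT = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd", ".msi", ".hta")


def inspect_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment without knowing its password.

    Only the central directory is parsed. Bit 0 of the general-purpose flag
    marks traditional PKWARE encryption; compression method 99 is WinZip AES.
    Neither scheme encrypts member names, so suspicious names stay visible.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos
                 if (i.flag_bits & 0x1) or i.compress_type == 99]
    suspicious = [i.filename for i in infos
                  if i.filename.lower().endswith(SUSPICIOUS_EXT)]
    return {
        "members": [i.filename for i in infos],
        "encrypted": encrypted,
        "suspicious_names": suspicious,
        "block": bool(encrypted) or bool(suspicious),
    }


def make_sample_zip(member_name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Build a one-member ZIP in memory for testing (constructed sample).

    zipfile cannot write encrypted archives, so when mark_encrypted is set we
    flip bit 0 of the general-purpose flag in both places a parser reads it:
    the local file header (flag at offset 6) and the central directory header
    (flag at offset 8 from the start of that header). The data itself is left
    untouched; we only need the headers to look like an encrypted archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # End-of-central-directory record: last 22 bytes when there is no
        # archive comment; the central directory offset is the uint32 at +16.
        eocd = data[-22:]
        if eocd[:4] != b"PK\x05\x06":
            raise ValueError("unexpected EOCD layout")
        cd_offset = struct.unpack_from("<I", eocd, 16)[0]
        # Single member written first, so its local header sits at offset 0:
        # signature(4) version(2) flags(2) -> flags at byte 6.
        local_flags = struct.unpack_from("<H", data, 6)[0]
        struct.pack_into("<H", data, 6, local_flags | 0x1)
        # Central header: signature(4) made_by(2) needed(2) flags(2) -> +8.
        cd_flags = struct.unpack_from("<H", data, cd_offset + 8)[0]
        struct.pack_into("<H", data, cd_offset + 8, cd_flags | 0x1)
    return bytes(data)


if __name__ == "__main__":
    benign = make_sample_zip("application_form.pdf", b"%PDF-1.4 constructed sample", False)
    lure = make_sample_zip("Skills_Assessment.exe", b"MZ constructed sample", True)
    for label, blob in (("benign", benign), ("lure", lure)):
        print(label, inspect_zip(blob))
```

In a real deployment the same two signals (any encrypted member, any member name with an executable extension) would feed the gateway's quarantine decision, and the message could be held even though the payload itself cannot be scanned; the file-name check catches the common case where the "assessment" is an executable, while the encryption check catches renamed payloads that the name check misses.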