Ta4557

Malware Profile Updated a month ago
TA4557 is a threat actor cluster tracked by the cybersecurity firm Proofpoint, distinguished by its particular choice of tools, campaign targeting, evasion measures, and the infrastructure it controls. The cluster is notable for a spear-phishing approach in which the threat actor poses as a job applicant writing to a targeted company. In campaigns observed in early November 2023, TA4557 asked recipients to infer the website address from the domain of the sender's email address in order to reach the supposed portfolio, instead of sending the CV website URL directly in a follow-up reply. Because no URL appears in the message itself, this technique evades detection that relies on link inspection and departs from the usual direct-link email attack. The chain begins with an innocuous email and ends with the deployment of malware. The malware distributed by TA4557, known as More_Eggs, abuses legitimate software functionality to establish a backdoor and collect information about the victim's system. The exact identity behind TA4557 remains unclear because its activity overlaps with that of other groups using More_Eggs, such as FIN6, Cobalt Group, and Evilnum. TA4557 uses techniques intended to slip past common defences such as secure email gateways, and it lures recruiters to attacker-controlled websites by exploiting their interest in prospective candidates. Proofpoint had previously observed TA4557 submitting applications containing malicious links through job sites; the direct spear-phishing by email is the group's more recent move. This financially motivated threat actor primarily targets recruiters on LinkedIn, distributing the More_Eggs backdoor.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
FIN6 | 2 | FIN6, also known as ITG08, Skeleton Spider, and MageCart, is a notorious threat actor that has been implicated in various cybercrime activities. The group gained notoriety for stealing credit cards through point-of-sale (POS) systems in retail and hospitality establishments, most notably in the Home
More_eggs | 2 | More_eggs, also known as Golden Chickens, is a malware suite utilized by financially motivated cybercrime actors such as Cobalt Group and FIN6. This malware-as-a-service (MaaS) offering has been identified as the "cyber weapon of choice" by Russia-based cyber gangs. It was first seen in email campai
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Proofpoint
Evasive
Malware
Phishing
Associated Malware
ID | Type | Votes | Profile Description
EVILNUM | Unspecified | 1 | Evilnum is a form of malware, first observed and reported in 2018, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or even ho
Associated Threat Actors
ID | Type | Votes | Profile Description
Cobalt Group | Unspecified | 1 | The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus o
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about TA4557 was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | Proofpoint Exposes Sophisticated Social Engineering Attack on Recruiters That Infects Their Computers With Malware
CERT-EU | 6 months ago | Hiring? New scam campaign means 'resume' downloads may contain malware
CERT-EU | 6 months ago | TA4557 Targets Recruiters Directly via Email – Global Security Mag Online
CERT-EU | 6 months ago | Recruiters, beware of cybercrooks posing as job applicants! - Help Net Security
InfoSecurity-magazine | 6 months ago | Threat Actor Targets Recruiters With Malware
CERT-EU | 6 months ago | Fake Resumes, Real Malware: TA4557 Exploits Recruiters for Backdoor Access
CERT-EU | 6 months ago | Recruiters, beware of cybercrooks posing as job applicants!