Ta4557

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

TA4557 is a malicious software (malware) that has been uniquely identified by cybersecurity firm Proofpoint due to its distinctive use of tools, campaign targeting, evasion measures, and controlled infrastructure. This malware is particularly notable for its sophisticated spear-phishing strategy, where the threat actor poses as a job applicant to targeted companies. In campaigns observed in early November 2023, TA4557 would ask recipients to refer to the domain name of their email address to access the supposed portfolio, rather than sending the CV website URL directly in a follow-up response. This method is a deviation from traditional direct email attacks, making it harder to detect. The attack commences with an innocuous email and culminates in the deployment of the malware. The malware used by TA4557, known as More_Eggs, hijacks legitimate software functions to establish a backdoor and gather more information about the victim's system. It's worth noting that the exact identity of TA4557 remains elusive due to overlaps in activity with other groups using More_Eggs, such as FIN6, Cobalt Group, and Evilnum. TA4557 employs advanced techniques to bypass common endpoint security measures like secure email gateways. The group lures job recruiters to attacker-controlled websites, exploiting their interest in potential candidates. Previously, Proofpoint had seen TA4557 submit applications containing malicious links through job sites, with the direct email spear-phishing campaign being the group's latest move. This financially motivated threat actor primarily targets recruiters on LinkedIn, distributing the More_Eggs backdoor for nefarious purposes.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
More_eggs	2	More_eggs, also known as Golden Chickens, is a malware suite utilized by financially motivated cybercrime actors such as Cobalt Group and FIN6. This malware-as-a-service (MaaS) offering has been identified as the "cyber weapon of choice" by Russia-based cyber gangs. It was first seen in email campai
FIN6	2	FIN6, also known as ITG08, Skelaton Spider, and MageCart, is a notorious threat actor that has been implicated in various cybercrime activities. The group gained notoriety for stealing credit cards through point-of-sale (POS) systems in retail and hospitality establishments, most notably in the Home

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Proofpoint

Evasive

Phishing

Exploits

Malware

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
EVILNUM	Unspecified	1	Evilnum is a form of malware, first observed and reported in 2018, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or even ho

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Cobalt Group	Unspecified	1	The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus o

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Ta4557 Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
CERT-EU	7 months ago	Recruiters, beware of cybercrooks posing as job applicants!
CERT-EU	7 months ago	Hiring? New scam campaign means ‘resume’ downloads may contain malware
CERT-EU	7 months ago	Fake Resumes, Real Malware: TA4557 Exploits Recruiters for Backdoor Access
CERT-EU	7 months ago	Proofpoint Exposes Sophisticated Social Engineering Attack on Recruiters That Infects Their Computers With Malware
CERT-EU	7 months ago	Recruiters, beware of cybercrooks posing as job applicants! - Help Net Security
CERT-EU	7 months ago	TA4557 Targets Recruiters Directly via Email – Global Security Mag Online
InfoSecurity-magazine	7 months ago	Threat Actor Targets Recruiters With Malware