A hacking group linked to state actors has been exposed for conducting a deceptive recruitment scheme aimed at spreading specialized malware. The group, identified as Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has previously targeted professionals in the aerospace and defense industries across the Middle East and Europe.
Their recent operation underscores an increased level of technical complexity, marrying social engineering with a multi-layered malware distribution strategy that is difficult to uncover.
Deceptive Recruitment Strategy
Initially, the attackers reached out to potential victims on LinkedIn, posing as recruiters for Ebix, a legitimate company in the insurance and banking technology sector. They offered enticing salaries of up to $200,000 to lure victims.
Unsuspecting individuals were directed to a seemingly authentic hiring portal at ebix[.]recruitment-flow[.]com, where they were asked to enter their credentials before being exposed to harmful software.
Advanced Sideloading Techniques
During a recent incident response, Nextron analysts discovered this complex sideloading attack, linking it to Nimbus Manticore. The group maintains consistent tactics across campaigns, even as their tools and payloads evolve.
Upon logging into the counterfeit portal, victims were prompted to download what appeared to be a two-factor authentication app. Delivered as a ZIP archive, it bundled the malware with a Microsoft-signed Visual Studio component named setup.exe, which acted as the trusted host binary that sideloaded the malicious code.
Persistence and Evasion Methods
The malware established persistence by creating a scheduled task called “BackupCheck,” so that it ran at every logon. The payload, disguised as main.dll, communicated with command-and-control servers hosted on Microsoft Azure, where its traffic blended in with legitimate cloud use and was harder to detect.
The threat actors employed anti-analysis techniques, including inspecting running process names and checking for an attached debugger, to evade detection. Despite heavier obfuscation, the malware's core functionality remained consistent with previous operations.
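The persistence mechanism above (a logon-triggered scheduled task whose action runs from a user-writable directory) is something a defender can hunt for in Windows Security event 4698, which records newly created tasks together with their XML definition. The following is an added example for this page, not code from the article or from Nextron; the task names, paths and XML are constructed samples shaped like the “BackupCheck” task, and the list of user-writable directories is an assumption of the example.

```python
import re
import xml.etree.ElementTree as ET

# XML namespace used by Task Scheduler task definitions
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to (assumed list for this example);
# a logon task whose action lives in one of these is the pattern worth hunting for.
USER_WRITABLE = re.compile(
    r"\\(AppData|ProgramData|Users\\Public|Windows\\Temp|Windows\\Tasks|Temp)\\",
    re.IGNORECASE,
)

# Constructed samples: the TaskName and TaskContent fields of two 4698 events.
SAMPLE_TASKS = {
    # Shaped like the "BackupCheck" logon task described in the article
    "\\BackupCheck": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Users\\jdoe\\AppData\\Local\\VSSetup\\setup.exe"</Command>
    </Exec>
  </Actions>
</Task>""",
    # Benign control: a vendor updater under Program Files with a daily trigger
    "\\VendorUpdater": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec>
  </Actions>
</Task>""",
}


def analyze_task(task_name, task_xml):
    """Return findings for one task definition (the TaskContent of event 4698)."""
    # TaskContent carries a UTF-16 XML declaration; drop it before parsing a str.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).strip()
    root = ET.fromstring(body)

    triggers_el = root.find("t:Triggers", TASK_NS)
    # Strip the namespace so we get plain names like "LogonTrigger"
    triggers = [] if triggers_el is None else [c.tag.split("}")[-1] for c in triggers_el]

    commands = [
        (cmd.text or "").strip().strip('"')
        for cmd in root.findall(".//t:Exec/t:Command", TASK_NS)
    ]

    runs_at_logon = any(t in ("LogonTrigger", "BootTrigger") for t in triggers)
    writable = [c for c in commands if USER_WRITABLE.search(c)]

    return {
        "task": task_name,
        "triggers": triggers,
        "commands": commands,
        "runs_at_logon": runs_at_logon,
        "user_writable_paths": writable,
        # Logon/boot persistence plus an action in a user-writable path
        "suspicious": runs_at_logon and bool(writable),
    }


def audit_tasks(tasks=SAMPLE_TASKS):
    """Analyze every task and return only the ones flagged as suspicious."""
    findings = [analyze_task(name, xml) for name, xml in tasks.items()]
    return [f for f in findings if f["suspicious"]]


if __name__ == "__main__":
    for finding in audit_tasks():
        print(finding)
```

In practice the TaskName and TaskContent values come from the 4698 event's EventData (or from a SIEM export of it); the same analysis also applies to the output of `Get-ScheduledTask` when baselining existing hosts. A task that survives this filter still needs triage, since legitimate per-user software occasionally installs logon tasks under AppData.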
Protective Measures for Organizations
Organizations can mitigate exposure to such threats by blocking or restricting access to newly registered domains, especially for departments that routinely handle outside contact, such as HR and finance. Implementing Windows AppLocker to block execution from user-writable directories such as AppData can also reduce the risk.
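To show what the AppLocker recommendation above amounts to in rule terms, here is an added example (not code from the article, and not AppLocker itself) that models AppLocker's path-rule semantics: an explicit deny wins over any allow, an allow is needed for execution, and anything unmatched is denied once rules are enforced. The mapping of AppLocker variables such as %WINDIR% and %PROGRAMFILES% to concrete drive paths is an assumption of the example, as are the sample executable paths. It also covers a caveat a practitioner should know: the default allow rule for %WINDIR%\* includes the user-writable Windows\Temp and Windows\Tasks directories, so those need explicit deny rules alongside the AppData one.

```python
import fnmatch

# AppLocker-style path variables mapped to typical locations (assumed for this
# example; a real host's policy engine resolves them itself).
PATH_VARS = {
    "%osdrive%": ["c:"],
    "%windir%": ["c:\\windows"],
    "%system32%": ["c:\\windows\\system32"],
    "%programfiles%": ["c:\\program files", "c:\\program files (x86)"],
}

# Rules modelled on AppLocker's default executable rules plus the restriction the
# article recommends. The default %WINDIR%\* allow also covers Windows\Temp and
# Windows\Tasks, which standard users can write to, so both get explicit denies.
RULES = [
    ("allow", r"%PROGRAMFILES%\*", "Default: Program Files"),
    ("allow", r"%WINDIR%\*", "Default: Windows folder"),
    ("deny", r"%OSDRIVE%\Users\*\AppData\*", "Block user AppData"),
    ("deny", r"%WINDIR%\Temp\*", "Block Windows\\Temp (user-writable)"),
    ("deny", r"%WINDIR%\Tasks\*", "Block Windows\\Tasks (user-writable)"),
]

# Constructed sample of executables observed launching on a host
SAMPLE_EXECUTIONS = [
    r"C:\Users\jdoe\AppData\Local\VSSetup\setup.exe",  # the sideloading host binary
    r"C:\Windows\Tasks\update.exe",                    # user-writable, under %WINDIR%
    r"C:\Program Files\Vendor\updater.exe",
    r"C:\Windows\System32\notepad.exe",
    r"D:\tools\portable.exe",                          # no rule matches at all
]


def normalize(path):
    """Lower-case, unquote and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").strip().strip('"').lower()


def expand(pattern):
    """Expand one AppLocker-style pattern into concrete lowercase glob patterns."""
    pattern = normalize(pattern)
    for var, roots in PATH_VARS.items():
        if pattern.startswith(var):
            return [root + pattern[len(var):] for root in roots]
    return [pattern]


def evaluate(path, rules=RULES):
    """Return (decision, rule_name) following AppLocker precedence."""
    target = normalize(path)
    matched = {"deny": [], "allow": []}
    for action, pattern, name in rules:
        # fnmatch's '*' spans backslashes, which matches how AppLocker path
        # wildcards cover subdirectories.
        if any(fnmatch.fnmatchcase(target, p) for p in expand(pattern)):
            matched[action].append(name)
    if matched["deny"]:
        return "deny", matched["deny"][0]
    if matched["allow"]:
        return "allow", matched["allow"][0]
    return "deny", "implicit"


def audit(paths=SAMPLE_EXECUTIONS, rules=RULES):
    """Evaluate every sample path against the rule set."""
    return {p: evaluate(p, rules) for p in paths}


if __name__ == "__main__":
    for path, (decision, rule) in audit().items():
        print(f"{decision:5} {path}  [{rule}]")
```

Removing the two Windows\Temp and Windows\Tasks deny rules from RULES and re-running shows why they matter: the Windows\Tasks sample flips from deny to allow under the default rules alone. Real AppLocker additionally scopes rules to users and groups (the defaults exempt local administrators) and should be deployed in audit mode first, which this model does not cover.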
Additionally, expanding security training to include awareness of social media and job portal-based attacks can help organizations defend against this sophisticated tactic employed by Nimbus Manticore.
