
Bogus Hiring Competition Takes Developers’ Sensitive Information


A recent discovery by Cyble threat intelligence researchers has unveiled a deceptive GitHub repository posing as a coding challenge for job applicants that is, in reality, a malicious ploy to extract sensitive information from unsuspecting developers. The method used in this campaign is quite unconventional, as it involves using a social media profile for command and control (C&C) activities instead of the more commonly used C&C servers.

What started as a scheme targeting Polish developers through a fake hiring challenge named “FizzBuzz” has now escalated to include invoice-themed lures, according to the findings of Cyble Research and Intelligence Labs (CRIL) researchers. The malware responsible for this nefarious activity, dubbed “FogDoor,” is designed with features for persistence, data theft, and remote command execution while evading detection.

The phishing tactic employed in this scam involves tricking victims into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut under the guise of a coding test. Once executed, the LNK file installs the backdoor by running a PowerShell script, initiating the covert activity of the FogDoor malware.

In a notable departure from the norm, FogDoor eschews the use of traditional C&C servers and instead establishes communication with a social media platform using a Dead Drop Resolver (DDR) technique. This enables the malware to receive commands from a social media profile, effectively creating a stealthy means of orchestrating attacks.

The geofencing feature of FogDoor restricts its functionality to Polish victims, ensuring targeted data theft. Once operational, the malware systematically collects browser cookies, Wi-Fi credentials, and system data for exfiltration, all while covering its tracks by deleting any incriminating evidence.

Moreover, the malware utilizes remote debugging to pilfer Chrome cookies and extracts Firefox credentials from profile directories. The PowerShell script also opens a harmless-looking text file as a decoy, so the victim has no reason to suspect the backdoor being installed in the background.

SkyWatchWeather.exe, the executable file downloaded by the PowerShell script, serves as a backdoor for the malware, utilizing a social media platform and a temporary webhook service as its C&C infrastructure. The intricate setup of this malicious operation complicates detection and takedown efforts, as the malware awaits further instructions embedded within the profile information of the social media platform.

To mitigate the risks posed by deceptive schemes like FizzBuzz and FogDoor, the researchers offer several recommendations, such as verifying job offers and coding challenges from reputable sources and refraining from downloading files from unknown repositories. Additionally, implementing security measures like application whitelisting, monitoring outbound connections to unusual domains, and safeguarding browser-stored credentials with multi-factor authentication are essential steps in fortifying defenses against such cyber threats.
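Two of the behaviours above, a browser launched with remote debugging enabled (the cookie-theft technique) and a scripting host making outbound connections to unexpected domains (the monitoring recommendation), can be expressed as simple host-based detections. The following is an added example written for this article, not code from Cyble or from the report; it runs over constructed Sysmon-style events, and the hostnames in it are placeholders rather than the campaign's real infrastructure.

```python
import ntpath

# Processes that should rarely launch a browser or talk to the internet directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Destinations a script host may legitimately reach; constructed placeholder, tune per estate.
EGRESS_ALLOWLIST = {"wsus.corp.example"}

# Constructed sample events (id 1 = process creation, id 3 = network connection).
# Hostnames are placeholders, not the real social-media or webhook infrastructure.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": r"chrome.exe --headless --remote-debugging-port=9222 --user-data-dir=C:\Users\dev\AppData\Local\Google\Chrome\User Data"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe https://intranet.corp.example/"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "wsus.corp.example", "dest_port": 443},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "webhook-placeholder.example", "dest_port": 443},
]

def _base(path):
    return ntpath.basename(path).lower()

def detect_browser_remote_debugging(ev):
    """Flag a Chromium-based browser started with DevTools remote debugging enabled."""
    if ev["id"] != 1 or _base(ev["image"]) not in BROWSERS:
        return None
    cmd = ev["cmd"].lower()
    if "--remote-debugging-port" not in cmd and "--remote-debugging-pipe" not in cmd:
        return None
    # A scripting host spawning a debug-enabled browser is far more suspicious than a user doing it.
    sev = "high" if _base(ev["parent"]) in SCRIPT_HOSTS else "medium"
    return ("browser_remote_debugging", sev, _base(ev["parent"]))

def detect_script_host_egress(ev, allowlist=EGRESS_ALLOWLIST):
    """Flag a scripting host connecting to a destination outside the allowlist."""
    if ev["id"] != 3 or _base(ev["image"]) not in SCRIPT_HOSTS:
        return None
    if ev["dest_host"].lower() in allowlist:
        return None
    return ("script_host_egress", "medium", ev["dest_host"])

def run_detections(events):
    findings = []
    for ev in events:
        for rule in (detect_browser_remote_debugging, detect_script_host_egress):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```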

For a more in-depth analysis of the campaign, including detection rules, indicators of compromise, and MITRE ATT&CK techniques, interested parties can refer to the comprehensive insights provided in the Cyble blog. Stay vigilant and informed to combat the growing menace of hiring scams and cyberattacks plaguing the digital landscape.
