Threat actors constantly improve their tactics and are always on the hunt for technical or social vulnerabilities they can exploit. The pandemic-induced Great Resignation, massive layoffs, continuous company restructuring, and upcoming holidays make this a very busy time of changes in the labor force.
Due to this upheaval, employees are always on the lookout for any updates from their Human Resources (HR) department, as HR often sends updates or notifications via company-wide email. Cybercriminals have picked up on this, and we are now seeing waves of different spam campaigns exploiting HR-related topics, a rather innovative and irresistible lure.
Fraudsters are pretending to be HR representatives and sending malicious emails with links that lead to phishing sites or attachments that can download malware. Over the past six months, we have seen a notable increase in HR-related malicious spam, which is expected to continue even after the holidays.
Figure 1 Daily Graph of HR-Themed Spam
On average, we are seeing about 200 emails per day in MailMarshal Cloud related to these lures. In early November, submissions spiked, reaching more than 1,400 malicious emails in one day.
Below are some recent campaigns that use HR-related themes, along with their context and a run-through of their attack flow.
Annual Leave Compliance
The holidays are just about here, and employees look forward to their much-anticipated vacations. Factors such as remaining leave credits and staffing schedules need to be settled, and employers retain the discretion to decline or revoke holiday leave requests.
The email below claims to be from the recipient’s HR department and contains a link for a supposed leave compliance report. The email purports to be a report shared through SharePoint, a Microsoft web-based platform commonly used for collaborative content management and sharing.
Figure 2 Leave Compliance Report Spam
Examining the email header, we see that the fraudsters used “[Company Name] HR Department” as the sender’s name to make the content more convincing and credible. However, the sender domain is newly created and does not correspond to the company. The Importance setting is also set to “High,” which marks the message as urgent and needs immediate attention.
The "View File" button in the email body leads to a Chameleon phishing site hosted in CloudFlare's R2. Chameleon websites can adapt the background and logo of their page depending on the victim's information. This is made possible by collecting the domain name from the victim's email address and scraping the background image and logo from the legitimate website they are impersonating. Attackers then incorporate these on the phishing site so when it fully loads, it will resemble the real one.
Figure 3 Chameleon Phishing Website With testme.com vs google.com as Inputs
With this clever technique, attackers can deceive unsuspecting users into thinking the page they're accessing is legitimate and then proceed to steal their credentials. This system is a versatile disguise since it can adapt to the user's email address, unlike other phishing sites that focus only on impersonating one brand.
Termination List
Layoffs in the tech industry are making headlines, with more than 240,000 workers being impacted, according to a tech layoff tracker. From the biggest names in the industry down to start-ups, companies are grappling with extensive workforce downsizing. The use of email for layoff notifications invariably comes as a shock to the employees and is guaranteed to get the reader's attention. Phishers are taking advantage of this and crafting malicious emails with this lure.
Our example below shows a phishing email containing a link that leads to a supposed staff termination list. Like our previous example, this email claims to be sent by the company's HR representative. However, the sender domain does not correspond to the recipient's company.
Figure 4 Employee Termination List Spam
The email instructs the recipient to find their name on the termination list, compelling them to click on the link. Messages of this nature can trigger anxiety and might divert their attention from the fact that the URL indicated in the email does not correspond to the actual link embedded in the message.
Figure 5 HTML Code of The Email Body (With Redacted Information in Brackets)
In the email's HTML code, the content features the text: '{Company Name} Staff Employment Termination lists and new administrative position and transfers/{Company Name}/company/employees.xls.' This file path, however, does not correspond to any authentic company asset or location, nor does it adhere to standard URL formatting. Instead, it has been created solely for the purpose of creating a false sense of legitimacy within the email.
The actual link is another phishing site hosted in Cloudflare’s R2. When clicked, it leads to a bogus Outlook login page.
Figure 6 Phishing Site Impersonating Outlook
After the victim enters their credentials, the page will display an error message "The username or password you entered isn't correct. Try entering it again." Attackers sometimes design their phishing websites to ask for the victim's credentials multiple times to confirm the accuracy of the information or to potentially gather alternative passwords. After three tries, the website redirects to a bogus but benign PDF vacation request form, which obviously is not related to the topic, and there is, in fact, no termination list.
Figure 7 Landing Page After the Credentials Are Collected
Employee Satisfaction Report
Employee satisfaction drives performance. Employees who are happy or content excel in their roles, leading to increased employee retention. Maintaining or improving the well-being of staff is part of HR’s job, and to do so, they conduct interviews, surveys, and evaluations to gauge employee satisfaction.
In the phishing email below, fraudsters pretend to be an “HR Guru” who is sharing the result of an employee satisfaction evaluation. Along with these findings, included are recommendations to improve the morale of the staff.
Figure 8 Phishing Email Disguised as Employee Satisfaction Report
The embedded link in the email is a URL redirector hosted by Zoho Campaigns, an email marketing service. Threat actors often exploit services such as these to distribute different kinds of spam. The link then redirects to an online form created using Formstack. Formstack, on the other hand, is a form builder. Form builders are popular in phishing campaigns since they are easy to set up, and there are many free or affordable form builder services.
Once the Formstack website loads, it will greet you with a welcome page that has a start button.
Figure 9 Formstack Welcome Page
Clicking this button will lead to a form where the adversary asks the victims to enter their login details, such as name, corporate email address, and job title. The last field is called “Authenticate Submission,” where they are instructed to enter their password.
Figure 10 Actual Phishing Form
This redirection chain is seen in other HR-themed phishing emails too. It can be summarized in 4 steps.
Figure 11 Phishing Redirection Chain
Placing the information collection form behind a “welcome page” is a cunning tactic to hide phishing contents and avoid detection. By concealing the actual phishing form behind this initial welcome page, the threat actors are trying to shield it from being flagged by security crawlers. The welcome page itself is just a logo and a button, which may lead security crawlers to perceive it as a benign, non-malicious website.
Employee Handbook Acknowledgement
An employee handbook or manual gives a detailed overview of a company's mission, values, and policies. This manual is often given to employees during the onboarding process and regularly updated with new policies and regulations. Due to its significance, threat actors may exploit these types of documents or usually impersonate them as enticing lures for phishing purposes.
Below is a phishing email with a file attachment claiming to contain the company's complete employee handbook. Sent by a fake "HR Management" email address, this email contains a heavily obfuscated html attachment.
Figure 12 Fake Employee Handbook Spam
The subject and the attachment file name contain the date of email delivery, suggesting that this is the latest version of the handbook.
The attachment uses multiple obfuscation techniques, such as base64 string encryption, variable renaming, and control flow flattening to hide the URL redirection behavior.
Figure 13 The Entire obfuscated HTML Attachment Code
Once the script is decoded, it will open a phishing site with a CAPTCHA test to verify the user is human. This is another technique to hide the phishing content and avoid detection. Since CAPTCHA is designed to block automated bots, malicious sites use them to prevent security crawlers from analyzing and flagging their contents.
Figure 14 The Decoded Webpage Containing a CAPTCHA Test
Once you pass the CAPTCHA test, it will redirect to a bogus Microsoft login page. This initial page is served before loading the actual phishing site gives the illusion that the user is accessing a legitimate Microsoft app.
Figure 15 Fake Microsoft Login Site
This site is short lived and will redirect to the final landing page and is in fact just another fake Microsoft login page made to look like it was hosted via GoDaddy.
Figure 16 Final Landing Page
A confidentiality agreement, also known as a non-disclosure agreement (NDA), is a legally binding contract between an employer and an employee. Its purpose is to prevent disclosure of sensitive company information, trade secrets, and other proprietary data to unauthorized parties. Any employee who has access to sensitive information is often required to sign a confidentiality agreement. This is the lure used in our final example below.
The sender, pretending to be the HR director, is urging the recipient to sign what appears to be a confidentiality agreement. The email's tone manifests a sense of urgency, with the sender explicitly requesting "prompt attention." A 7zip file attachment was included in the email, which purportedly contains the Confidentiality Agreement document.
Figure 17 Fake Confidentiality Agreement Email
Inside the encrypted attachment is a VBE file, an executable script written in VBScript. It is named "Confidentiality Agreement form," a deliberate attempt to present itself as legitimate.
Figure 18 Malicious VBE Downloader Inside a 7z
Once the VBE file is opened, it will be executed through Windows Script (wscript.exe) which will decode its obfuscated functions. Once finished, it will execute a PowerShell command using the newly-deobfuscated code which will then download Remcos and GuLoader malware into the victims computer.
Figure 19 Malware Infection Chain
Remcos or Remote Control and Surveillance is a Remote Access Trojan (RAT) that grants the attacker full control over the infected computer and has been used in multiple cyberattacks. GuLoader is a shellcode-based downloader used by threat actors to distribute other shellcode and malware such as ransomware and banking trojans.
Conclusion
Cybercriminals continuously find new techniques and lures to steal credentials. This article notes that attackers are incorporating creative HR-related themes into their spam emails. By using social engineering, data obfuscation, and a timely and personal subject matter, these cyberattacks pose a significant risk to employees. Targeted victims are likelier to engage with malicious emails due to excitement over holiday vacations or fear of being laid off. Our analysis also finds that attackers have been actively leveraging techniques such as hidden phishing websites and obfuscated file attachments to avoid detection, therefore increasing the chances of getting more victim data.
We urge everyone to exercise extreme caution and stay up to date with the latest threats to avoid falling for these nefarious schemes.
IoC
hxxps://pub-d6a35764152345299e690fcaba91066e[.]r2[.]dev/rugaind.html#
hxxps://m[.]addthis[.]com/live/redirect/?url=https://bafybeidobzpdgxhc4eotu5kbojpfltyd4sjsn5gxqbp35k32ymhtibeucy[.]ipfs[.]dweb[.]link/rfq_2023[.]html/#
hxxps://xpncsep-zgpm[.]maillist-manage[.]com/click/1107d8d15757f4535/1107d8d15757e8355
hxxps://caduceusmedical[.]formstack[.]com/forms/boosting_employee_satisfaction
hxxps://twwhvw[.]ujuandjule[.]ru/gqzffy/#
f0b45089d8e6d329a1aecbc9c436faa2
c8c95a6a387113ef7117097bdc75b6e8
67b7b52e818256c024ba7704f5e1fc8d
Attribution: Icons used in flow charts are from Flaticon.com
