FIN6 (aka Camouflage Tempest, Gold Franklin, or Skeleton Spider) has adopted a novel attack vector using AWS-hosted fake resumes on LinkedIn to deliver More_eggs malware.

FIN6 (aka Camouflage Tempest, Gold Franklin, or Skeleton Spider) is a financially motivated cybercrime group active since 2012, initially targeting point-of-sale systems to steal payment card data. Recently, they’ve adopted a novel attack vector using AWS-hosted fake resumes on LinkedIn to deliver More_eggs malware, specifically targeting corporate recruiters.

Tactics and Techniques

  1. Social Engineering via Recruitment Platforms
    • Posing as job seekers, FIN6 operatives connect with recruiters on LinkedIn and Indeed
    • After establishing rapport, they send phishing messages containing links to malicious resumes
    • Resumes are hosted on AWS infrastructure to appear legitimate and bypass security filters

Malware Delivery Chain

  1. Recruiter clicks AWS-hosted resume link
  2. Downloads ZIP file containing malicious WSF/JScript
  3. Executes More_eggs backdoor → system compromise

More_eggs Malware Capabilities

• JavaScript-based backdoor developed by Golden Chickens/Venom Spider group

Key functions

• Credential theft via browser memory scraping
• Lateral movement through TerraLoader component
• Ransomware deployment infrastructure

Historical Context and Evolution

This shift to abusing recruitment workflows demonstrates FIN6’s adaptation to security improvements in payment systems. Hosting the resumes on AWS complicates detection, because legitimate cloud services often bypass traditional security alerts.

Mitigation Recommendations

• Resume Verification: Implement sandbox analysis for all external document downloads
• Cloud Monitoring: Enable AWS GuardDuty and inspect S3 bucket access patterns
• Endpoint Protection: Deploy behavioral analysis tools to detect JS-based backdoors
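
As a pre-sandbox triage step for the delivery chain above (a ZIP carrying WSF/JScript), the following added example, which is not from the original report, flags script files inside a downloaded resume archive, including nested archives and `resume.pdf.wsf`-style names. The function names, the extension lists beyond WSF/JScript, and the sample archives in the test are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Windows Script Host and related script types that have no place in a resume archive.
# The report names WSF/JScript; the other extensions are an assumption added for coverage.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}
MAX_DEPTH = 3  # stop descending into nested archives (zip-bomb guard)


def triage_resume_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return findings for a downloaded resume ZIP; an empty list means nothing flagged."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix or '<root>'}: not a valid ZIP, send to sandbox"]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext in SCRIPT_EXTS:
                note = "script file"
                # resume.pdf.wsf style names hide the real type when extensions are hidden
                if len(suffixes) > 1 and suffixes[-2] in DOC_EXTS:
                    note += " disguised with a document double extension"
                findings.append(f"{path}: {note}")
            elif ext == ".zip":
                # Bit 0 of the general-purpose flags marks an encrypted member.
                if info.flag_bits & 0x1 or depth + 1 >= MAX_DEPTH:
                    findings.append(f"{path}: nested archive not inspected (encrypted or too deep)")
                else:
                    findings.extend(triage_resume_zip(archive.read(info), depth + 1, path + "!"))
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP (constructed sample input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Any non-empty result is a reason to quarantine the download and route it to sandbox analysis rather than open it on a recruiter workstation.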

The group’s continued innovation highlights the need for defense-in-depth strategies against social engineering attacks, particularly in HR and recruitment functions.