Eggs in a Cloudy Basket: Skeleton Spider's Trusted Cloud Malware Delivery

Severity: Medium
Published: Wed Jun 11 2025 (06/11/2025, 09:28:26 UTC)
Source: AlienVault OTX General

Description

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has evolved from POS breaches to broader enterprise threats. They employ social engineering tactics, posing as job seekers on platforms like LinkedIn to deliver phishing messages. Their preferred payload is more_eggs, a JavaScript-based backdoor. The group uses trusted cloud services like AWS to host malicious infrastructure, evading detection. Their phishing emails impersonate job applicants, with domains mimicking real names. FIN6 employs sophisticated filtering techniques to ensure malware delivery only to intended targets. The more_eggs malware, developed by Venom Spider, allows for command execution and credential theft. Defense strategies include cautious handling of resume links, blocking execution of suspicious files, and implementing EDR policies.

AI-Powered Analysis

Last updated: 07/12/2025, 05:46:30 UTC

Technical Analysis

Skeleton Spider, also known as FIN6, is a financially motivated cybercrime group that has transitioned from primarily targeting point-of-sale (POS) systems to launching broader enterprise-level attacks. Their current modus operandi involves sophisticated social engineering campaigns, notably posing as job seekers on professional networking platforms like LinkedIn. They send phishing emails impersonating job applicants, using domains that closely mimic legitimate names to increase credibility. The payload of choice is the more_eggs malware, a JavaScript-based backdoor developed by the Venom Spider group. This malware enables attackers to execute arbitrary commands and steal credentials from compromised systems. A notable aspect of this threat is the use of trusted cloud infrastructure, specifically Amazon Web Services (AWS), to host malicious components. This tactic helps evade traditional detection mechanisms that might block known malicious IPs or domains. FIN6 also employs advanced filtering techniques to ensure that their malware is delivered only to intended targets, reducing noise and increasing the likelihood of successful compromise. The attack chain involves phishing with resume lures containing links or attachments that, when interacted with, lead to the execution of the more_eggs backdoor. The malware leverages various techniques such as process injection, persistence mechanisms, and command and control communications over legitimate protocols to maintain stealth and persistence within victim environments. The group’s use of cloud services and evasion tactics complicates detection and response efforts. Defensive measures recommended include heightened scrutiny of unsolicited resume links, blocking execution of suspicious JavaScript files, and deploying Endpoint Detection and Response (EDR) solutions with policies tuned to detect behaviors associated with more_eggs and related tactics.

Potential Impact

For European organizations, the threat posed by Skeleton Spider is significant due to the potential for credential theft, unauthorized command execution, and persistent backdoor access. Financially motivated attacks can lead to direct monetary losses, data breaches involving sensitive customer or employee information, and disruption of business operations. The use of trusted cloud services for malware hosting complicates detection, increasing the risk of prolonged undetected presence in networks. Credential theft can facilitate lateral movement and privilege escalation, potentially exposing critical systems and data. Organizations in sectors such as finance, retail, and professional services are particularly at risk given the group’s historical targeting patterns and the value of credentials in these environments. Additionally, the social engineering vector leveraging job seeker personas may be especially effective in Europe’s competitive job markets, increasing the likelihood of successful phishing. The medium severity rating reflects the combination of sophisticated tactics and the potential for impactful outcomes if defenses are not properly implemented.

Mitigation Recommendations

1. Implement strict email filtering rules that flag or quarantine messages containing unsolicited resume attachments or links, especially those originating from new or unverified domains.
2. Conduct targeted user awareness training focused on recognizing social engineering tactics involving job applications and resume lures.
3. Restrict execution of JavaScript files received via email or downloaded from untrusted sources using application whitelisting or execution policies.
4. Deploy and fine-tune Endpoint Detection and Response (EDR) solutions to detect behaviors associated with more_eggs malware, such as unusual command execution patterns, process injection, and persistence mechanisms.
5. Monitor network traffic for connections to cloud service providers like AWS that are unusual or not aligned with normal business operations, using threat intelligence feeds to identify suspicious domains or IPs.
6. Enforce multi-factor authentication (MFA) to reduce the impact of credential theft.
7. Maintain up-to-date asset inventories and conduct regular threat hunting exercises focused on detecting stealthy backdoors and lateral movement.
8. Collaborate with cybersecurity information sharing organizations to stay informed about emerging tactics used by FIN6 and related groups.

Technical Details

Author: AlienVault
TLP: white
References: https://dti.domaintools.com/Skeleton-Spider-Trusted-Cloud-Malware-Delivery/
Adversary: FIN6
Pulse Id: 68494c3a4501d98c52a609e9
Threat Score: null

Indicators of Compromise

Threat ID: 684953df9ea7c3ca70af04d7

Added to database: 6/11/2025, 10:01:03 AM

Last enriched: 7/12/2025, 5:46:30 AM

Last updated: 8/11/2025, 1:58:21 PM
