Researchers has discovered a sophisticated malware operation that poses as a fake coding challenge and targets Polish-speaking professionals.
This campaign, known as “FizzBuzz to FogDoor,” exploits job seekers by disguising malware as legitimate recruitment tests on GitHub.
The attackers use a GitHub repository named “FizzBuzz” to host an ISO file titled “Zadanie rekrutacyjne.iso,” which translates to “recruitment task” in Polish.
This file contains a seemingly harmless JavaScript exercise and a malicious LNK shortcut.
Upon execution, the LNK file triggers a PowerShell script that installs a stealthy backdoor called “FogDoor,” designed for data theft and remote command execution.
The Infection Chain explains, which shows how infections spread through six links: the infectious agent, reservoir, portal of exit, mode of transmission, portal of entry, and a susceptible host. If any link is broken, the spread of infection can be prevented.
Technical Analysis of the Malware
The PowerShell script, once executed, checks for a decoy file named “README.txt” to ensure it runs only once on the victim’s machine.
If the file is missing, it downloads and opens it, making the script appear harmless while it executes malicious activities.
The script then downloads an executable named “SkyWatchWeather.exe” and creates a scheduled task to maintain persistence.
According to the Report, this backdoor uses a social media platform to retrieve commands via a Dead Drop Resolver (DDR) technique, making detection more challenging.
It extracts browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces to avoid detection.
The malware employs geofencing to restrict its execution to Polish victims, ensuring a targeted impact.
It systematically steals browser cookies, Wi-Fi credentials, and system data, compresses them into a zip file, and uploads it to a file-sharing service.
The attackers use temporary webhook services to notify them of the upload, allowing them to retrieve the stolen data.
The campaign is evolving, with recent discoveries indicating an expansion beyond recruitment scams to include invoice-themed attacks using the same tactics and infrastructure.
Recommendations for Developers
To protect against such threats, developers should be cautious when downloading files from unverified sources, especially those shared via social media or job forums.
Legitimate hiring assessments do not require executing system-level scripts. Implementing policies to restrict PowerShell and JavaScript execution unless explicitly required can help prevent unauthorized execution.
Advanced endpoint detection and response solutions can identify suspicious behavior, such as unauthorized script execution or browser data access.
Educating employees about social engineering risks and keeping software up to date are also crucial steps in minimizing vulnerability to these attacks.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free
