Deceptive Employment Requests Distribute Dangerous More_eggs Malware to Human Resources Professionals

Oct 02, 2024Ravie LakshmananCybercrime / Threat Intelligence

An email phishing campaign has been detected that is targeting recruiters using a JavaScript backdoor known as More_eggs.

An email phishing campaign has been detected that is targeting recruiters using a JavaScript backdoor known as More_eggs. This indicates continued targeting of the recruitment sector by threat actors posing as job applicants.

“An elaborate phishing ploy duped a recruitment officer into downloading and running a malicious file disguised as a CV, resulting in a more_eggs backdoor infiltration,” explained researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg from Trend Micro in an analysis they published.

More_eggs, marketed as malware-as-a-service (MaaS), is a harmful software equipped to extract credentials such as those linked to online banking accounts, email accounts, and IT administrator accounts.

This malware is associated with a hacking group called the Golden Chickens (also known as Venom Spider), and has been utilized by various other cybercrime gangs like FIN6 (also recognized as ITG08), Cobalt, and Evilnum.


In June, eSentire revealed details of a comparable attack that uses LinkedIn as a platform to distribute fake resumes hosted on a site managed by the attackers. The documents are, in reality, Windows shortcut (LNK) files that, upon opening, trigger the infection chain.

The latest discoveries by Trend Micro indicate a slight shift from previously observed patterns, as the threat actors sent a targeted email, likely to build rapport and gain the victims' confidence. The incident occurred in late August 2024 and targeted a lead talent scout in the engineering field.

“Not long after, a recruitment officer downloaded an alleged resume named John Cboins.zip from a link using Google Chrome,” the researchers recollected. “It remains unknown where this user acquired the link. Nevertheless, it was evident from their actions that they were seeking an internal sales engineer.”


The URL in question, johncboins[.]com, features a "Download CV" button to lure the victim into downloading a ZIP archive containing the LNK file. Notably, the attack flow identified by eSentire also involves a similar site with a comparable button that directly downloads the LNK file.

Clicking the LNK file triggers obfuscated commands leading to the execution of a malicious DLL, which is responsible for deploying the More_eggs backdoor through a launcher.

More_eggs starts its operations by initially checking whether it’s operating with admin or user privileges, then executing a sequence of commands to conduct reconnaissance on the breached host. It then communicates with a command-and-control (C2) server to receive and implement additional malware payloads.
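The lure in both the eSentire and Trend Micro cases is the same: a "CV" that arrives as a ZIP archive whose real content is a Windows shortcut. A mail gateway or sandbox can catch this shape before anyone double-clicks it, because a .lnk file starts with a fixed header (HeaderSize 0x4C plus the Shell Link CLSID) regardless of what the file is named. The following is an added example, not code from the article or from Trend Micro or eSentire; it builds a constructed archive in memory (the inner file name "John Cboins.lnk" is an assumption modelled on the archive name quoted above) and flags members that carry the LNK signature or an extension a resume would not normally have.

```python
import io
import zipfile

# Byte signature of a Windows Shell Link (.lnk): HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions a submitted resume is expected to carry; anything else is worth a look.
EXPECTED_DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".odt"}


def _extension(name: str) -> str:
    """Return the final extension of a ZIP member name (lower-cased), or '' if none."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def _has_disguise_extension(name: str) -> bool:
    """True for names like 'resume.pdf.lnk' where a document extension precedes the real one."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) > 2 and ("." + parts[-2]) in EXPECTED_DOC_EXTENSIONS


def classify_zip_members(zip_bytes: bytes) -> list:
    """Inspect every file inside a ZIP and report why each one is or is not suspicious.

    Each result is a dict: {"name": str, "suspicious": bool, "reasons": [str, ...]}.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read only the header-sized prefix; the signature check does not need the body.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = []
            if head.startswith(LNK_MAGIC):
                reasons.append("LNK header")            # content says shortcut, whatever the name
            ext = _extension(info.filename)
            if ext not in EXPECTED_DOC_EXTENSIONS:
                reasons.append("unexpected extension %s" % (ext or "(none)"))
            if _has_disguise_extension(info.filename):
                reasons.append("document extension used as disguise")
            findings.append({"name": info.filename,
                             "suspicious": bool(reasons),
                             "reasons": reasons})
    return findings


def suspicious_members(zip_bytes: bytes) -> list:
    """Convenience wrapper: just the names that should block delivery or trigger review."""
    return [f["name"] for f in classify_zip_members(zip_bytes) if f["suspicious"]]


def build_sample_archive() -> bytes:
    """Constructed sample: a minimal LNK-shaped file plus a benign PDF-looking file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Assumed inner file name; only the header bytes matter for the check.
        zf.writestr("John Cboins.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("cover_letter.pdf", b"%PDF-1.4 constructed benign sample")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in classify_zip_members(build_sample_archive()):
        print(finding)
    # Expected: the .lnk member is flagged with "LNK header" and "unexpected extension .lnk";
    # cover_letter.pdf is not flagged.
```

The header check is the one that matters: renaming a shortcut to something.pdf or stuffing it into a nested folder does not change its first 20 bytes, so the signature catches the LNK whether or not the extension test does. In production the same function would run on attachments at the mail gateway and on downloads in the endpoint sandbox, with hits logged alongside the sender and URL for incident response.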

Trend Micro mentioned the observation of a different version of the campaign that integrates PowerShell and Visual Basic Script (VBS) elements into the infection process.

“Identifying the origin of these attacks is tough due to the nature of MaaS, which enables the outsourcing of various attack elements and infrastructure,” they stated. “This complexity makes it challenging to pinpoint specific threat actors, as multiple groups can utilize the same toolkits and infrastructure provided by services similar to those from Golden Chickens.”


Despite this, the firm indicated that the incident could have been orchestrated by FIN6, based on the tactics, techniques, and procedures (TTPs) observed.

These developments come following revelations by HarfangLab about PackXOR, a private packing tool used by the FIN7 cybercrime group to encrypt and obscure the AvNeutralizer utility.

The French cyber defense company noted that the same packing tool was employed to “safeguard unrelated payloads” such as the XMRig cryptocurrency miner and the r77 rootkit, raising the possibility that it may be adopted by other threat actors as well.

“While developers of PackXOR may have ties to the FIN7 organization, the tool seems to be used for activities unrelated to FIN7,” clarified HarfangLab in a statement.
