Security researchers have identified a phishing campaign that distributes the More_Eggs malware disguised as a résumé, a lure first observed more than two years ago.
The unsuccessful attempt, aimed at an undisclosed company in the manufacturing services field in May 2024, was described by Canadian cybersecurity firm eSentire last week.
“In particular, the targeted person was a recruiter who was fooled by the hacker into assuming they were a job seeker and was enticed to their portal for the downloader,” the statement said.
More_Eggs, believed to be crafted by a hacker group referred to as the Golden Chickens (also known as Venom Spider), is a flexible backdoor capable of collecting confidential data. It’s accessible to other criminal groups under a Malware-as-a-Service (MaaS) framework.
Last year, eSentire disclosed the identities of two individuals – Chuck from Montreal and Jack – believed to be managing the operation.
In the latest attack chain, the threat actors respond to LinkedIn job listings with a URL to a bogus resume download site that ultimately leads to the download of a malicious Windows Shortcut (LNK) file.
It is worth noting that earlier More_Eggs campaigns have targeted professionals on LinkedIn with malicious job offers to trick them into downloading the malware.
“Visiting the same link later shows the person’s CV in simple HTML, without any hint of a redirect or download,” eSentire mentioned.
The LNK file is then used to retrieve a malicious DLL by abusing a legitimate Microsoft tool named ie4uinit.exe. The library is subsequently executed via regsvr32.exe to establish persistence, gather information about the infected host, and deploy additional payloads, including the JavaScript-based More_Eggs backdoor.
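The ie4uinit.exe to regsvr32.exe sequence described above is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from eSentire or the original article: it correlates constructed Sysmon-style events (field names, PIDs and paths are assumptions) and flags regsvr32.exe registering a DLL from a user-writable location shortly after ie4uinit.exe ran under the same parent process.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records (not real telemetry).
# Field names, pids and paths are assumptions for illustration.
EVENTS = [
    {"ts": "2024-05-10T09:12:01", "pid": 1200, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"ts": "2024-05-10T09:12:05", "pid": 1310, "ppid": 1200,
     "image": r"C:\Windows\System32\ie4uinit.exe", "cmd": "ie4uinit.exe"},
    {"ts": "2024-05-10T09:12:09", "pid": 1322, "ppid": 1200,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Users\recruiter\AppData\Local\Temp\resume.dll"},
    {"ts": "2024-05-10T10:00:00", "pid": 2001, "ppid": 800,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]

# Locations a user (or a downloaded LNK) can write to; system DLLs live elsewhere.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata|downloads)\\", re.I)
WINDOW = timedelta(seconds=60)  # max gap between ie4uinit.exe and regsvr32.exe

def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()

def writable_dll(event):
    """DLL passed to regsvr32.exe if it sits in a user-writable location, else None."""
    if image_name(event) != "regsvr32.exe":
        return None
    m = re.search(r"([A-Za-z]:\\[^\s\"]+\.dll)", event["cmd"], re.I)
    return m.group(1) if m and USER_WRITABLE.search(m.group(1)) else None

def find_chain(events, window=WINDOW):
    """ie4uinit.exe followed, under the same parent and within `window`, by
    regsvr32.exe loading a DLL from a user-writable path."""
    hits, seen_ie4uinit = [], []
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if image_name(e) == "ie4uinit.exe":
            seen_ie4uinit.append((t, e))
            continue
        dll = writable_dll(e)
        if dll is None:
            continue
        for t0, prior in seen_ie4uinit:
            if prior["ppid"] == e["ppid"] and timedelta(0) <= t - t0 <= window:
                hits.append({"ie4uinit_pid": prior["pid"], "regsvr32_pid": e["pid"], "dll": dll})
    return hits
```

A regsvr32.exe DLL load from a user-writable path on its own is a lower-confidence signal; the pairing with a preceding ie4uinit.exe launch under the same parent is what narrows it to this chain.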
“More_Eggs operations are still ongoing, and their agents persist in using social manipulation techniques like pretending to be job hunters seeking to apply for a specific position, and enticing victims (especially recruiters) to download their malware,” stated eSentire.
“Furthermore, operations like More_Eggs, which leverage the MaaS service, seem to be infrequent and selective in comparison to conventional malicious email distribution systems.”
The disclosure comes as the security firm also shared details of a drive-by download campaign that uses counterfeit websites for the KMSPico Windows activation tool to distribute the Vidar Stealer.
“The kmspico[.]ws site is hidden behind Cloudflare Turnstile and mandates human interaction (inputting a code) to download the final ZIP package,” eSentire pointed out. “These steps differ from a regular program download page and are designed to conceal the page and end payload from automated web crawlers.”
Similar social engineering campaigns have also set up lookalike websites impersonating legitimate software such as Advanced IP Scanner to deploy Cobalt Strike, Trustwave SpiderLabs noted last week.
This follows the emergence of a new phishing kit known as V3B used to target bank clients in the EU with the aim of stealing login credentials and OTPs.
This tool, available for $130-$450 per month through a Phishing-as-a-Service (PhaaS) model on the darknet and a dedicated Telegram channel, has reportedly been operational since March 2023. It caters to over 54 banks across Austria, Belgium, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, and the Netherlands.
A key feature of V3B is its customizable, localized templates that mimic the authentication and verification flows typical of online banking and e-commerce systems in the region.
It also includes advanced functions to interact with victims in real time and capture their OTPs and PhotoTAN codes, as well as to carry out QR code login hijacking (also known as QRLJacking) on platforms such as WhatsApp that allow QR code sign-ins.
“They have established a client base focused on attacking European financial establishments,” Resecurity stated. “At present, it is estimated that hundreds of cybercriminals are leveraging this kit for fraudulent activities, leading to victims with drained bank funds.”