[Source – bankinfosecurity.com]
A recent spear-phishing campaign has surfaced, targeting recruiters with a JavaScript backdoor known as More_eggs, delivered through fake job applications. This targeted attack highlights the ongoing threats posed to the recruitment sector by cybercriminal groups using advanced malware disguised as legitimate files.
Recruitment Officers Tricked with Malicious Resumes
Researchers at Trend Micro have reported that a spear-phishing email lured a recruitment officer into downloading a malicious file disguised as a resume. This file, once executed, infected the system with the More_eggs backdoor, a malware-as-a-service (MaaS) used to steal credentials, including sensitive information from bank accounts and IT admin accounts.
The More_eggs malware is attributed to the Golden Chickens group, also known as Venom Spider. This group is linked to various e-crime syndicates like FIN6, Cobalt, and Evilnum, which use malware to infiltrate systems and steal sensitive data. The attack represents a continuation of a pattern first observed by eSentire in June, which involved the use of LinkedIn to distribute fake resumes containing malware-laden Windows shortcut (LNK) files.
Evolving Tactics and Techniques
While earlier attacks targeted recruiters via LinkedIn, this campaign shows a slight evolution in tactics. In late August 2024, attackers sent a spear-phishing email to a talent search lead in the engineering sector. The email contained a link to a site where a supposed resume could be downloaded. The recruitment officer, using Google Chrome, downloaded a ZIP file named “John Cboins.zip” from the URL, unknowingly initiating the infection process.
The malicious site, johncboins[.]com, featured a “Download CV” button designed to trick the user into downloading a ZIP archive containing the LNK file. When opened, the LNK file triggered obfuscated commands, which executed a malicious DLL. This ultimately deployed the More_eggs backdoor, allowing the attackers to gain access to the compromised system, perform reconnaissance, and communicate with a command-and-control (C2) server to execute further malicious activities.
Trend Micro also discovered that the attackers used PowerShell and Visual Basic Script (VBS) components as part of the infection chain, further complicating efforts to track the responsible actors.
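The chain above starts with a ZIP “resume” whose real content is a Windows shortcut. The following is an added triage example, not code from the article or from Trend Micro: it inspects a ZIP attachment for entries with script or shortcut extensions, double extensions, and the LNK file header, reading only the first bytes of each entry. The archive it scans is constructed inline (the entry names are assumed, not taken from the campaign) so the check runs offline.

```python
import io
import zipfile

# A Windows shortcut starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions that have no business inside a "CV" archive.
RISKY_EXTENSIONS = (".lnk", ".js", ".vbs", ".hta", ".exe", ".dll", ".ps1")


def scan_resume_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Inspect a ZIP attachment and return (entry name, reason) findings.

    Only the first bytes of each entry are read, so a large or nested
    archive is not fully decompressed just to be triaged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            if base.endswith(RISKY_EXTENSIONS):
                findings.append((name, "executable or script extension"))
            if base.count(".") >= 2:
                findings.append((name, "double extension, e.g. cv.pdf.lnk"))
            with archive.open(info) as entry:
                head = entry.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                findings.append((name, "Windows shortcut (LNK) header"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (entry names are assumptions): a harmless text
    cover letter plus an entry carrying only an LNK header and zero padding,
    with no command or payload, so the scanner can be exercised offline."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("John Cboins/cover_letter.txt", "Dear hiring manager, ...")
        archive.writestr("John Cboins/John Cboins CV.lnk", LNK_MAGIC + b"\x00" * 44)
    return buffer.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_resume_archive(build_sample_archive()):
        print(f"FLAG {entry}: {reason}")
```

Mail-gateway or EDR rules that quarantine archives on the first finding give a cheap first line of defence against this delivery method, independent of the later PowerShell, VBS and DLL stages.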
Cybercrime Groups Use Advanced Tools for Wider Attacks
The use of MaaS complicates the attribution of attacks, as multiple groups can use the same infrastructure and tools provided by services like those from Golden Chickens. FIN6 is suspected to be behind the attack based on the tactics and techniques used, but other groups could also be responsible due to the widespread use of MaaS.
This spear-phishing campaign follows recent revelations about other cybercrime activities. HarfangLab recently exposed the use of a private packer, PackXOR, by the FIN7 group to encrypt and obfuscate malware like AvNeutralizer. FIN7 actors have also been found using honeypot domains to target users searching for AI-powered deepfake generators, tricking them into downloading malicious software like Lumma Stealer and ransomware.
In parallel, cybersecurity company Silent Push has identified ongoing FIN7 campaigns that deliver malware through websites mimicking trusted brands like Microsoft and SAP Concur. These sites deceive users into downloading browser extensions or software updates, which install the NetSupport RAT, providing attackers with remote access to victims’ systems.
With cybercriminals continuously refining their tactics and adopting sophisticated tools like More_eggs, organizations across all sectors must remain vigilant and take proactive measures to defend against these evolving threats.