
Phishing attack: More_eggs malware disguised as a resume targets recruiters

June 10, 2024 | Press release | Phishing attack / cybercrime

Cybersecurity researchers have discovered a phishing attack that spreads the “More_eggs” malware by disguising it as a resume. This technique was first discovered over two years ago.

The unsuccessful attack targeted an unnamed industrial services company in May 2024, Canadian cybersecurity firm eSentire announced last week.

“Specifically, the target was a recruiter who the threat actor deceived into believing he was a job applicant and lured him to his website to download the loader,” it said.

More_eggs, believed to be the work of a threat actor known as Golden Chickens (also known as Venom Spider), is a modular backdoor capable of gathering sensitive information and is offered to other criminal actors under a malware-as-a-service (MaaS) model.

Last year, eSentire uncovered the real identities of two people – Chuck from Montreal and Jack – who were said to be running the operation.

The latest attack chain involves malicious actors responding to LinkedIn job postings with a link to a fake resume download website, which results in the download of a malicious Windows shortcut (LNK) file.


It is worth noting that earlier More_eggs activity worked the other way round: it targeted professionals on LinkedIn with spoofed job advertisements to get them to download the malware.

“If you navigate to the same URL days later, the person’s resume will be displayed in plain HTML format, with no indication of a redirect or download,” eSentire noted.

The LNK file then retrieves a malicious DLL by abusing ie4uinit.exe, a legitimate Microsoft binary. The DLL is subsequently executed via regsvr32.exe to establish persistence, collect information about the infected host, and drop additional payloads, including the JavaScript-based More_eggs backdoor.
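As an added defender-side illustration, not part of the original article or of eSentire's own detection content, the following Python flags process-creation telemetry that matches the chain described above (ie4uinit.exe started the way a double-clicked LNK starts it, then regsvr32.exe loading a library from a user-writable folder). The event fields, the list of user-writable directories and the sample events are all constructed assumptions.

```python
import re

# Directories a standard user can write to (assumption for this example).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# A .dll/.ocx path, quoted or bare, anywhere in a command line.
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:dll|ocx))"?', re.IGNORECASE)

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # what a double-clicked LNK that starts ie4uinit.exe looks like
    {"pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\ie4uinit.exe", "cmdline": "ie4uinit.exe"},
    # regsvr32.exe loading a library from a user-writable directory (constructed path)
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\hr\AppData\Local\Temp\resume.dll"'},
    # benign: an installer registering a system library
    {"pid": 1003, "ppid": 1000, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    # benign: ie4uinit.exe started by a non-shell parent that is not in the sample
    {"pid": 1004, "ppid": 500, "image": r"C:\Windows\System32\ie4uinit.exe", "cmdline": "ie4uinit.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_more_eggs_chain(events):
    """Return (pid, reason) findings for the ie4uinit.exe -> regsvr32.exe pattern.

    R1: ie4uinit.exe spawned by explorer.exe (typical for a double-clicked LNK)
    R2: regsvr32.exe registering a library that lives in a user-writable directory
    These are illustrative heuristics, not vendor signatures.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if name == "ie4uinit.exe" and parent_name == "explorer.exe":
            findings.append((e["pid"], "R1: ie4uinit.exe launched from explorer.exe (LNK-style)"))
        if name == "regsvr32.exe":
            m = DLL_ARG.search(e["cmdline"])
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append((e["pid"], f"R2: regsvr32.exe loading {m.group(1)} from user-writable path"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect_more_eggs_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

Run against the sample, only the two events of the malicious chain are reported; the system-library registration and the ie4uinit.exe instance without an explorer.exe parent are not.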

“More_eggs campaigns are still active and their operators continue to use social engineering tactics. For example, they impersonate applicants who want to apply for a specific job and trick victims (especially recruiters) into downloading their malware,” eSentire said.

“In addition, campaigns like more_eggs that leverage the MaaS offering appear to be sparse and selective compared to typical malspam distribution networks.”

Along with this development, the cybersecurity company also revealed details of a drive-by download campaign that uses fake websites for the Windows activation tool KMSPico to distribute Vidar Stealer.


“The kmspico(.)ws site is hosted behind Cloudflare Turnstile and requires human input (entering a code) to download the final ZIP package,” noted eSentire. “These steps are unusual for a legitimate application download page and are performed to hide the page and final payload from automated web crawlers.”

Similar social engineering campaigns have also involved setting up fake websites posing as legitimate software such as Advanced IP Scanner to deploy Cobalt Strike, Trustwave SpiderLabs said last week.

The disclosure also follows the emergence of a new phishing kit called V3B, which is being used to target banking customers in the European Union and steal their login credentials and one-time passwords (OTPs).


The kit, which is offered via a phishing-as-a-service (PhaaS) model on the dark web and a dedicated Telegram channel for $130 to $450 per month, is said to have been active since March 2023. It is said to support over 54 banks in Austria, Belgium, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg and the Netherlands.

The core feature of V3B is that it provides customized and localized templates that replicate the authentication and verification flows common in online banking and e-commerce systems in the region.

The kit also offers advanced features to interact with victims in real time and retrieve their OTP and PhotoTAN codes. In addition, it can perform a QR code login jacking attack (also called QRLJacking) on services such as WhatsApp that allow login via QR codes.

“They have since built a customer base focused on European financial institutions,” Resecurity said. “Currently, it is estimated that hundreds of cybercriminals are using this kit to commit fraud, leaving victims with empty bank accounts.”
