More_eggs Malware: A Resume to Deceive Recruiters in Sophisticated Phishing Schemes

More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack

The More_eggs malware has once again reared its ugly head, this time targeting recruiters in a sophisticated phishing attack. Cybersecurity researchers at eSentire have disclosed that an industrial services company was the target of this attack in May 2024.

The attack involved a recruiter being deceived by a threat actor into believing they were a job applicant, luring them to a website to download what they thought was a resume. Instead, the recruiter unknowingly downloaded the More_eggs malware, a modular backdoor capable of harvesting sensitive information.

More_eggs is believed to be the work of a threat actor known as the Golden Chickens, also referred to as Venom Spider. This malware is offered to other criminal actors under a Malware-as-a-Service (MaaS) model. In the past, eSentire has unmasked the real-world identities of two individuals, Chuck from Montreal and Jack, who are said to be running the operation.

The attack chain involves the malicious actors responding to LinkedIn job postings with a link to a fake resume download site. When the recruiter clicks on the link, they are prompted to download a malicious Windows Shortcut file (LNK). This file is then used to retrieve a malicious DLL by leveraging a legitimate Microsoft program called ie4uinit.exe. The library is executed using regsvr32.exe to establish persistence, gather data about the infected host, and drop additional payloads, including the JavaScript-based More_eggs backdoor.
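As an added defender-side example (not code from the article or from eSentire's research), the following Python correlates Sysmon-style process-creation events to surface the loader chain described above: a user-launched ie4uinit.exe followed shortly by regsvr32.exe registering a DLL from a user-writable path on the same host. The event fields, host names, file paths and the five-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon-style fields). Illustrative
# only; these are not telemetry from the campaign described in the article.
EVENTS = [
    {"ts": "2024-05-20T09:14:10", "host": "HR-WS01", "image": r"C:\Windows\System32\ie4uinit.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "ie4uinit.exe"},
    {"ts": "2024-05-20T09:14:32", "host": "HR-WS01", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\ie4uinit.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\hr\AppData\Roaming\resume.dll"},
    {"ts": "2024-05-20T10:02:00", "host": "IT-WS07", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]

# Path fragments a standard user can write to; a DLL registered from here is suspect.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)

def dll_argument(cmdline: str) -> str:
    """Extract the DLL path from a regsvr32 command line (quoted or bare)."""
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else ""

def detect(events, window=timedelta(minutes=5)):
    """Correlate a user-launched ie4uinit.exe (explorer.exe parent, as after an LNK
    double-click) with a later regsvr32.exe registering a user-writable DLL on the
    same host. Returns (host, ie4uinit_ts, regsvr32_ts, dll) tuples."""
    loaders = [e for e in events if basename(e["image"]) == "ie4uinit.exe"
               and basename(e["parent"]) == "explorer.exe"]
    alerts = []
    for e in events:
        if basename(e["image"]) != "regsvr32.exe":
            continue
        dll = dll_argument(e["cmdline"])
        if not dll or not is_user_writable(dll):
            continue
        t = datetime.fromisoformat(e["ts"])
        for l in loaders:
            delta = t - datetime.fromisoformat(l["ts"])
            if l["host"] == e["host"] and timedelta(0) <= delta <= window:
                alerts.append((e["host"], l["ts"], e["ts"], dll))
    return alerts
```

The benign IT-WS07 event (a vendor DLL under Program Files, launched by the installer) produces no alert, while the HR-WS01 sequence does.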

It is important to note that More_eggs campaigns are still active, and their operators continue to use social engineering tactics to lure victims, specifically recruiters, into downloading their malware. These campaigns are sparse and selective compared to typical malspam distribution networks.

This recent development comes as eSentire also revealed details of a drive-by download campaign that employs fake websites for the KMSPico Windows activator tool to distribute Vidar Stealer. The fake website requires human input to download the final ZIP package, a tactic used to hide the page and final payload from automated web crawlers.

Similar social engineering campaigns have also set up lookalike sites impersonating legitimate software like Advanced IP Scanner to deploy Cobalt Strike. Trustwave SpiderLabs disclosed this information last week. This follows the emergence of a new phishing kit called V3B, which targets banking customers in the European Union with the goal of stealing credentials and one-time passwords (OTPs).

The V3B kit is offered through a Phishing-as-a-Service (PhaaS) model on the dark web and a dedicated Telegram channel. It has been active since March 2023 and is designed to support over 54 banks located in various European countries. The kit features customized and localized templates to mimic various authentication and verification processes common to online banking and e-commerce systems in the region. It also comes with advanced capabilities to interact with victims in real-time and get their OTP and PhotoTAN codes, as well as execute a QR code login jacking attack on services such as WhatsApp.

The kit's operators have built a client base focused on targeting European financial institutions. Hundreds of cybercriminals are estimated to be using the kit to commit fraud, leaving victims with empty bank accounts.

The More_eggs malware disguised as resumes targeting recruiters in a phishing attack is a reminder of the ever-evolving tactics used by cybercriminals. It is crucial for individuals and organizations to stay vigilant and implement robust cybersecurity measures to protect against such sophisticated attacks.
