Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals

Oct 02, 2024 | Ravie Lakshmanan | Cybercrime / Threat Intelligence

A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applicant lures.

“A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection,” Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg said in an analysis.

More_eggs, sold as malware-as-a-service (MaaS), is malicious software that comes with capabilities to siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts.

It is attributed to a threat actor known as the Golden Chickens group (aka Venom Spider), and has been put to use by several other e-crime groups such as FIN6 (aka ITG08), Cobalt, and Evilnum.

Earlier this June, eSentire disclosed details of a similar attack that leverages LinkedIn as a distribution vector for phony resumes hosted on an attacker-controlled website. The files are, in reality, Windows shortcut (LNK) files that, upon opening, trigger the infection sequence.

The latest findings from Trend Micro mark a slight deviation from the previously observed pattern in that the threat actors sent a spear-phishing email, likely in an attempt to build trust and gain the target's confidence. The attack was observed in late August 2024 and targeted a talent search lead working in the engineering sector.

“Shortly after, a recruitment officer downloaded a supposed resume, John Cboins.zip, from a URL using Google Chrome,” the researchers said. “It was not determined where this user obtained the URL. However, it was clear from both users’ activities that they were looking for an inside sales engineer.”

Fake Job Applications

The URL in question, johncboins[.]com, contains a “Download CV” button to entice the victim into downloading a ZIP archive containing the LNK file. It is worth noting that the attack chain reported by eSentire also includes an identical website with a similar button that directly downloads the LNK file.

Double-clicking the LNK file results in the execution of obfuscated commands that lead to the execution of a malicious DLL, which, in turn, is responsible for dropping the More_eggs backdoor via a launcher.
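The lure in both campaigns is an archive whose “resume” is really a Windows shortcut. As an added defender-side example (not code from the Trend Micro or eSentire reports), the Python below inspects a downloaded ZIP before anyone double-clicks its contents: it flags members by the Shell Link header bytes rather than trusting the file name, and separately notes the “document.pdf.lnk” double-extension disguise. The archive it scans is constructed in-memory; its member names are assumptions, not the real lure's contents.

```python
import io
import struct
import zipfile

# From the Shell Link (.LNK) binary format: a 0x4C-byte header beginning with
# HeaderSize and the fixed LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID_LE = bytes.fromhex("0114020000000000c000000000000046")

def is_shell_link(head: bytes) -> bool:
    """True if the bytes begin with a Shell Link header, whatever the file is named."""
    if len(head) < 20:
        return False
    (header_size,) = struct.unpack_from("<I", head, 0)
    return header_size == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID_LE

def scan_archive(zip_bytes: bytes) -> list:
    """One finding per archive member that is, or claims to be, a Windows shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(LNK_HEADER_SIZE)
            parts = info.filename.lower().split(".")
            by_magic = is_shell_link(head)   # the content says "shortcut"
            by_ext = parts[-1] == "lnk"      # the name says "shortcut"
            if by_magic or by_ext:
                findings.append({
                    "member": info.filename,
                    "magic": by_magic,
                    "lnk_ext": by_ext,
                    # "Resume.pdf.lnk": a document extension parked in front of .lnk
                    "double_ext": by_ext and len(parts) >= 3 and parts[-2] in ("pdf", "doc", "docx"),
                })
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample (not the real lure): a CV-named shortcut, a shortcut renamed
    to .doc so only the magic check catches it, and a harmless text file."""
    fake_lnk = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID_LE + b"\x00" * (LNK_HEADER_SIZE - 20)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CV/Resume.pdf.lnk", fake_lnk)
        zf.writestr("CV/References.doc", fake_lnk)
        zf.writestr("CV/cover_letter.txt", b"Dear hiring manager,\n")
    return buf.getvalue()
```

The same header check applies to a bare download, which covers the eSentire variant where the site serves the LNK file directly rather than inside a ZIP.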

More_eggs begins its activities by first checking whether it is running with admin or user privileges, followed by running a series of commands to perform reconnaissance of the compromised host. It subsequently beacons to a command-and-control (C2) server to receive and execute secondary malware payloads.

Trend Micro said it observed another variation of the campaign that includes PowerShell and Visual Basic Script (VBS) components as part of the infection process.

“Attributing these attacks is challenging due to the nature of MaaS, which allows for the outsourcing of various attack components and infrastructure,” it said. “This makes it difficult to pin down specific threat actors, as multiple groups can use the same toolkits and infrastructure provided by services like those offered by Golden Chickens.”

That said, it is suspected that the attack could have been the work of FIN6, the company noted, citing the tactics, techniques, and procedures (TTPs) employed.

The development comes weeks after HarfangLab shed light on PackXOR, a private packer used by the FIN7 cybercrime group to encrypt and obfuscate the AvNeutralizer tool.

The French cybersecurity firm said it observed the same packer being used to “protect unrelated payloads” such as the XMRig cryptocurrency miner and the r77 rootkit, raising the possibility that it is also being leveraged by other threat actors.

“PackXOR developers might indeed be connected to the FIN7 cluster, but the packer appears to be used for activities that are not related to FIN7,” HarfangLab said.
