
Phishing Attack Targets Recruiters with More_eggs Malware Camouflaged as Resumes

Cybersecurity researchers have recently discovered a phishing attack that involves distributing the More_eggs malware disguised as a resume, a tactic first identified over two years ago.

The unsuccessful attack targeted an undisclosed company in the industrial services sector in May 2024, as revealed by Canadian cybersecurity firm eSentire in a recent publication.

The firm stated, “Specifically, the targeted individual was a recruiter who was tricked by the threat actor into believing they were a job applicant, leading them to a website to download the loader.”

More_eggs, suspected to be the product of a threat actor group known as the Golden Chickens (or Venom Spider), functions as a modular backdoor capable of extracting sensitive data and is available to other cybercriminals through a Malware-as-a-Service (MaaS) model.

eSentire previously unveiled the true identities of two individuals involved in the operation, known as “Chuck from Montreal” and “Jack,” in a prior investigation.

The latest attack strategy involves malicious actors responding to job postings on LinkedIn by providing a link to a fake resume download page, leading to the retrieval of a malicious Windows Shortcut file (LNK).

Interestingly, previous instances of More_eggs activity have targeted LinkedIn professionals with fake job offers to deceive them into downloading the malware.

According to eSentire, “Visiting the same URL days later displays the individual’s resume in plain HTML, without any indication of a redirect or download.”

The LNK file retrieves a malicious DLL by abusing the legitimate Microsoft binary ie4uinit.exe, then executes the library with regsvr32.exe to establish persistence, profile the infected host, and fetch additional payloads, including the JavaScript-based More_eggs backdoor.
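The chain above (a signed Microsoft binary fetching a library, then regsvr32.exe loading it) is a detection opportunity rather than a single indicator. The following is an added example, not code from eSentire or the article, that runs two heuristics over constructed process-creation records and correlates them per host: ie4uinit.exe executing from outside the Windows system directories, and regsvr32.exe loading a library from a user-writable path. The field layout (Sysmon event 1 / 4688-style), the directory lists, the correlation window and every path and filename in the sample events are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: a legitimate ie4uinit.exe runs from the Windows system directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: directories a standard user can write to (library drop zones).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / 4688-style fields)."""
    ts: int        # seconds; only differences matter for correlation
    host: str
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def is_suspicious_ie4uinit(ev: ProcEvent) -> bool:
    """Stage 1: ie4uinit.exe executing from outside the Windows system directories."""
    img = _norm(ev.image)
    return img.endswith("\\ie4uinit.exe") and not img.startswith(SYSTEM_DIRS)


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Return the library path regsvr32 was asked to load, or None.

    Switches (/s, /u, /n, /i:...) are skipped; the first non-switch token,
    quoted or not, is the library.
    """
    m = re.search(r'regsvr32(?:\.exe)?"?\s+(.*)$', cmdline, re.I)
    if not m:
        return None
    for tok in re.findall(r'"[^"]*"|\S+', m.group(1)):
        tok = tok.strip('"')
        if tok.startswith(("/", "-")):
            continue
        return tok
    return None


def is_suspicious_regsvr32(ev: ProcEvent) -> bool:
    """Stage 2: regsvr32.exe loading a library from a user-writable location."""
    if not _norm(ev.image).endswith("\\regsvr32.exe"):
        return False
    target = regsvr32_target(ev.cmdline)
    return target is not None and any(d in _norm(target) for d in USER_WRITABLE)


def triage(events):
    """Flag individual events; returns (host, pid, reason) tuples in input order."""
    hits = []
    for ev in events:
        if is_suspicious_ie4uinit(ev):
            hits.append((ev.host, ev.pid, "ie4uinit.exe outside Windows directory"))
        elif is_suspicious_regsvr32(ev):
            hits.append((ev.host, ev.pid, "regsvr32.exe loading library from user-writable path"))
    return hits


def detect_chain(events, window: int = 300):
    """Correlate stage 1 followed by stage 2 on the same host within `window` seconds.

    Returns (host, ie4uinit_pid, regsvr32_pid, library_path) per match.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        stage1 = [e for e in evs if is_suspicious_ie4uinit(e)]
        stage2 = [e for e in evs if is_suspicious_regsvr32(e)]
        for a in stage1:
            for b in stage2:
                if 0 <= b.ts - a.ts <= window:
                    alerts.append((host, a.pid, b.pid, regsvr32_target(b.cmdline)))
    return alerts


# Constructed sample telemetry, not real campaign data; names are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, "WS01", 4100, 900, r"C:\Windows\System32\ie4uinit.exe",
              "ie4uinit.exe -ShowQLIcon"),                                          # benign
    ProcEvent(200, "WS01", 4120, 4000, r"C:\Users\hr\AppData\Local\Temp\ie4uinit.exe",
              "ie4uinit.exe -basesettings"),                                        # stage 1
    ProcEvent(230, "WS01", 4130, 4120, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\hr\AppData\Local\Temp\resume_viewer.dll"'),  # stage 2
    ProcEvent(300, "WS02", 5100, 1200, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\app.dll"'),  # benign
    ProcEvent(900, "WS02", 5200, 1300, r"C:\Users\ops\AppData\Local\Temp\ie4uinit.exe",
              "ie4uinit.exe -basesettings"),                                        # stage 1 only
    ProcEvent(5000, "WS02", 5600, 1300, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\ops\Downloads\helper.dll"'),              # stage 2, outside window
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious:", hit)
    for alert in detect_chain(SAMPLE_EVENTS):
        print("CHAIN:", alert)
```

The per-event heuristics are noisy on their own (developers and installers legitimately call regsvr32.exe on freshly written libraries), which is why the chain correlation is the alert worth paging on; the individual hits are better treated as hunting leads, and the window should be tuned to how quickly the loader runs in your own telemetry.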

eSentire mentioned, “More_eggs campaigns are ongoing, with the operators continuing to use social engineering tactics such as posing as job applicants and luring victims (particularly recruiters) to download their malware.”

“Furthermore, campaigns utilizing the MaaS model like More_eggs appear to be less frequent and more selective compared to typical malicious spam distribution networks,” they added.

Additionally, eSentire revealed details of a drive-by download campaign utilizing fake websites related to the KMSPico Windows activator tool to distribute the Vidar Stealer.

The cybersecurity firm noted, “The kmspico[.]ws site is hosted behind Cloudflare Turnstile and requires human input (entering a code) to download the final ZIP package,” adding that such steps are atypical for a legitimate application download page and serve to keep automated web crawlers from reaching the payload.

Similar social engineering campaigns have been observed setting up counterfeit sites mimicking legitimate software like Advanced IP Scanner to deploy Cobalt Strike, according to Trustwave SpiderLabs.

This comes in the wake of a new phishing kit called V3B, targeting banking customers in the EU to steal credentials and OTPs, being utilized through a Phishing-as-a-Service (PhaaS) model on the dark web and Telegram.

Resecurity highlighted that V3B is specifically tailored to deceive European financial institutions, with hundreds of cybercriminals currently leveraging the kit for fraudulent activities, resulting in financial losses for victims.

The phishing kit offers personalized and localized templates for mimicking various authentication processes common in online banking and e-commerce systems in Europe, along with advanced capabilities to interact with victims in real-time and obtain their OTP and PhotoTAN codes.

It is crucial to be cautious of such cyber threats and remain vigilant to protect sensitive information and prevent falling victim to malicious attacks.
