Cyber Defense Advisors

Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals

A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applications.

“A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection,” Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg said in an analysis.

More_eggs, sold as a malware-as-a-service (MaaS), is a malicious software that comes with capabilities to siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts.

It’s attributed to a threat actor called the Golden Chickens group (aka Venom Spider), and has been put to use by several other e-crime groups like FIN6 (aka ITG08), Cobalt, and Evilnum.

Earlier this June, eSentire disclosed details of a similar attack that leverages LinkedIn as a distribution vector for phony resumes hosted on an attacker-controlled site. The files, in reality, are Windows shortcut (LNK) files that, upon opening, trigger the infection sequence.

The latest findings from Trend Micro mark a slight deviation from the earlier observed pattern in that the threat actors sent a spear-phishing email in a likely attempt to build trust and gain their confidence. The attack was observed in late August 2024, targeting a talent search lead working in the engineering sector.

“Shortly after, a recruitment officer downloaded a supposed resume, John Cboins.zip, from a URL using Google Chrome,” the researchers said. “It was not determined where this user obtained the URL. However, it was clear from both users’ activities that they were looking for an inside sales engineer.”

The URL in question, johncboins[.]com, contains a “Download CV” button to entice the victim into downloading a ZIP archive file containing the LNK file. It’s worth noting that the attack chain reported by eSentire also includes an identical site with a similar button that directly downloads the LNK file.

Double-clicking the LNK file results in the execution of obfuscated commands that lead to the execution of a malicious DLL, which, in turn, is responsible for dropping the More_eggs backdoor via a launcher.

More_eggs commences its activities by first checking if it’s running with admin or user privileges, followed by running a series of commands to perform reconnaissance of the compromised host. It subsequently beacons to a command-and-control (C2) server to receive and execute secondary malware payloads.

Trend Micro said it observed another variation of the campaign that includes PowerShell and Visual Basic Script (VBS) components as part of the infection process.

“Attributing these attacks is challenging due to the nature of MaaS, which allows for the outsourcing of various attack components and infrastructure,” it said. “This makes it difficult to pin down specific threat actors, as multiple groups can use the same toolkits and infrastructure provided by services like those offered by Golden Chickens.”

That said, it’s suspected that the attack could have been the work of FIN6, the company noted, citing the tactics, techniques, and procedures (TTPs) employed.

The development comes weeks after HarfangLab shed light on PackXOR, a private packer used by the FIN7 cybercrime group to encrypt and obfuscate the AvNeutralizer tool.

The French cybersecurity firm said it observed the same packer being used to “protect unrelated payloads” such as the XMRig cryptocurrency miner and the r77 rootkit, raising the possibility that it could also be leveraged by other threat actors.

“PackXOR developers might indeed be connected to the FIN7 cluster, but the packer appears to be used for activities that are not related to FIN7,” HarfangLab said.

FIN7 actors have also been found hosting a network of seven honeypot domains that entice users searching for AI-powered deepnude generators into downloading malware like Lumma Stealer, Redline Stealer, and D3F@ck Loader that can steal sensitive data or be used for follow-on campaigns deploying ransomware.

Cybersecurity company Silent Push said it also identified ongoing, parallel FIN7 campaigns that deliver NetSupport RAT through websites that prompt visitors to install a browser extension in order to access certain content on the site. These sites impersonate legitimate brands like SAP Concur, Microsoft, Thomson Reuters, and FINVIZ.

“FIN7 AI deepfake honeypots redirect unsuspecting users who click on the ‘free download’ offer to a new domain featuring a Dropbox link or another source hosting a malicious payload,” it said. “It is likely FIN7 may be using SEO tactics to get their honeypots ranked higher in search results.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.