A phishing email campaign targeting recruiters with a JavaScript backdoor called More_eggs has been spotted, indicating a persistent effort to highlight the sector under the guise of fake lures for job applicants.
“A sophisticated phishing lure forced a recruiter to download and run a malicious file disguised as a resume, leading to the more_eggs backdoor infection,” Trend Micro researchers Ryan Sullivan, Maria Emrin Virey and Fe Kureg said in the analysis.
Marketed as Malware as a Service (MaaS), More_eggs is malware that has the ability to steal credentials, including those associated with online banking accounts, email accounts, and IT administrator accounts.
It has been attributed to a threat actor called the Golden Chickens group (aka Venom Spider) and has been used by several other cybercriminal groups such as FIN6 (aka ITG08), Cobalt and Evilnum.
Earlier in June this year, eSentire opened details a similar attack that uses LinkedIn as a distribution vector for fake resumes posted on an attacker-controlled site. These files are actually Windows Shortcuts (LNK) files that, when opened, trigger an infection sequence.
Trend Micro’s latest findings mark a slight departure from the previously observed pattern in that threat actors sent a phishing email, likely in an attempt to build trust and gain their trust. The attack was recorded in late August 2024 and targeted a talent acquisition executive working in the engineering sector.
“Shortly after, the hiring manager downloaded John Cboins.zip’s purported resume from a URL using Google Chrome,” the researchers said. “It was not determined where this user got the URL from. However, it was clear from the actions of both users that they were looking for a sales engineer.”
The URL in question, johncboins(.)com, contains a “Download Summary” button to prompt the victim to download a ZIP archive containing the LNK file. It should be noted that the chain of attacks reported by eSentire also includes an identical site with a similar button that directly downloads an LNK file.
Double-clicking the LNK file executes confusing commands that lead to the execution of a malicious DLL, which in turn is responsible for dropping the More_eggs backdoor through the launcher.
More_eggs begins its activity by first checking whether it is running with administrator or user privileges, then executes a series of commands to perform reconnaissance on the compromised host. It is then routed to the control server (C2) to receive and execute secondary malware payloads.
Trend Micro said it observed another variant of the campaign that includes PowerShell and Visual Basic Script (VBS) components as part of the infection process.
“Attributing these attacks is difficult due to the nature of MaaS, which allows various attack components and infrastructure to be outsourced,” it said. “This complicates the identification of specific threat actors, as multiple groups may be using the same toolsets and infrastructure provided by services such as those offered by Golden Chickens.”
However, there are suspicions that the attack may have been the work of FIN6, the company said, citing the tactics, techniques and procedures (TTP) used.
The development comes weeks after HarfangLab shed light on PackXOR, a private packer that uses Cyber crime group FIN7 for encryption and obfuscation tool AvNeutralizer.
The French cybersecurity firm said it observed the same wrapper being used to “protect unrelated payloads” such as the XMRig cryptocurrency miner and the r77 rootkit, raising the possibility that it could also be used by other threat actors.
“PackXOR developers may indeed be connected to the FIN7 cluster, but the packer seems to be used for non-FIN7 activities” — HarfangLab said.
