Cybersecurity researchers have identified a phishing attack that distributes the More_eggs malware by disguising it as a resume, a technique first detected more than two years ago.
The first attack attributed to More_eggs
The attack, which was unsuccessful, targeted an unnamed company in the industrial services sector in May 2024, revealed Canadian cybersecurity firm eSentire last week.
“Specifically, the targeted individual was a recruiter who was deceived by the cybercriminal making them believe they were a candidate and luring them to their website to download the loader”, the company said.
More_eggs, believed to be the work of a cybercriminal known as Golden Chickens (also known as Venom Spider), is a modular backdoor capable of collecting sensitive information. It is offered to other cyber criminals under a Malware-as-a-Service (MaaS) model.
Last year, eSentire exposed the real identities of two individuals, viz. Chuck from Montreal and Jack, who are apparently running the operation.
The latest attack chain involves cybercriminals responding to job ads on LinkedIn with a link to a fake resume download site that leads to the download of a malicious Windows shortcut (LNK) file.
It’s worth noting that More_eggs’ previous activity has targeted professionals on LinkedIn with malicious job offers to trick them into downloading the malware.
“Browsing the same URL days later yields the individual’s resume in plain HTML, with no indication of a redirect or download”, eSentire stated.
More_eggs and deceptive Windows LNK files
The LNK file is then used to retrieve a malicious DLL by abusing a legitimate Microsoft program called ie4uinit.exe, after which the library is executed using regsvr32.exe to establish persistence, collect data about the infected host and drop additional payloads, including the JavaScript-based More_eggs backdoor.
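A defender-side example, added here and not part of eSentire's report: a small detection sketch that flags process-creation events matching the chain described above, namely regsvr32.exe spawned by ie4uinit.exe, or regsvr32.exe registering a DLL from a user-writable directory. The event fields, the sample command lines and the file names are constructed for illustration; the assumption is that ie4uinit.exe is not a normal parent of regsvr32.exe in the monitored environment.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields named loosely after Sysmon event 1)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


# Directories an unprivileged user can write to; a DLL registered from here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
# Pulls a (possibly quoted) Windows path ending in .dll out of a command line.
DLL_RE = re.compile(r'"?([a-z]:\\[^"]*?\.dll)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def dll_argument(command_line: str):
    """Return the DLL path passed on the command line, or None if there is none."""
    m = DLL_RE.search(command_line)
    return m.group(1) if m else None


def is_suspicious_regsvr32(ev: ProcEvent) -> bool:
    if basename(ev.image) != "regsvr32.exe":
        return False
    # Signal 1: parent is ie4uinit.exe, the pairing described for this loader (assumed rare otherwise).
    if basename(ev.parent_image) == "ie4uinit.exe":
        return True
    # Signal 2: the DLL being registered lives in a user-writable location.
    dll = dll_argument(ev.command_line)
    return dll is not None and any(p in dll.lower() for p in USER_WRITABLE)


def detect(events):
    """Return the pids of all events that match either signal."""
    return [ev.pid for ev in events if is_suspicious_regsvr32(ev)]


# Constructed sample telemetry: a benign ie4uinit run, a chain like the one described, a vendor installer.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\ie4uinit.exe", "ie4uinit.exe -BaseSettings"),
    ProcEvent(101, r"C:\Windows\System32\ie4uinit.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\hr\AppData\Local\Temp\loader.dll"),
    ProcEvent(102, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # [101]
```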
“More_eggs campaigns are still active and their operators continue to use social engineering tactics such as pretending to be candidates looking for a particular role, and luring victims (particularly recruiters) into downloading their malware”, eSentire stated, adding: “Additionally, campaigns like More_eggs, which use MaaS offerings, appear to be sparse and selective compared to typical malspam distribution networks.”
The development comes as the cybersecurity firm also revealed details of a drive-by download campaign using fake websites for the activation tool Windows KMSPico to distribute Vidar Stealer.
“The kmspico[.]ws site is hosted behind Cloudflare Turnstile and requires human input (entering a code) to download the final ZIP package”, eSentire said. “These steps are unusual for a legitimate application download page and are performed to hide the page and final payload from automated web crawlers.”
Similar social engineering campaigns have also created copycat sites impersonating legitimate software such as Advanced IP Scanner to distribute Cobalt Strike, Trustwave SpiderLabs stated last week.
More_eggs and phishing attempts
It also follows the emergence of a new phishing kit called V3B which has been used to target customers of various banks in the European Union with the aim of stealing credentials and one-time passwords (OTPs).
The kit, offered for $130-$450 per month under a Phishing-as-a-Service (PhaaS) model via the dark web and a dedicated Telegram channel, is said to have been active since March 2023; it is designed to support over 54 banks located in Austria, Belgium, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg and the Netherlands.
The most important aspect of V3B is that it features customized and localized templates to mimic various authentication and verification processes common to online banking and e-commerce systems in the region.
It also comes with advanced capabilities to interact with victims in real time and obtain their OTP codes and PhotoTAN, as well as to perform a QR code login hijacking attack (also known as QRLJacking, essentially a “hijack” of the original QR code) on services like WhatsApp that allow access via QR codes.
“They have since built a client base focused on targeting European financial institutions”, said Resecurity, adding: “Currently, it is estimated that hundreds of cybercriminals are using this kit to commit fraud, leaving victims with empty bank accounts.”