Cybersecurity researchers have identified a spear-phishing attempt that delivers the More_eggs malware disguised as a résumé, a tactic first observed more than two years ago.
The attempted attack targeted an undisclosed industrial services company in May 2024, according to Canadian cybersecurity firm eSentire, which revealed the information last week.
“Specifically, the targeted individual was a recruiter deceived by the threat actor into thinking they were a job applicant and lured to their website to download the loader,” eSentire stated.
More_eggs, believed to be the work of a threat actor tracked as Golden Chickens (aka Venom Spider), is a modular backdoor capable of harvesting sensitive data. It is sold to other criminals under a Malware-as-a-Service (MaaS) model.
Last year, eSentire disclosed the real-world identities of two individuals, “Chuck from Montreal” and “Jack,” who are alleged to be running the operation.
In the latest attack chain, the threat actor replies to LinkedIn job postings with a link to a fake résumé download site that serves a malicious Windows Shortcut (LNK) file.
Notably, earlier More_eggs campaigns took the opposite approach, targeting professionals on LinkedIn with weaponized job offers to trick them into installing the malware.
“Navigating to the same URL days later results in the individual’s resume in plain HTML, with no indication of a redirect or download,” said eSentire.
The LNK file then abuses ie4uinit.exe, a legitimate Microsoft binary, to retrieve a malicious DLL. That DLL is executed via regsvr32.exe to establish persistence, profile the infected host, and drop additional payloads, including the JavaScript-based More_eggs backdoor.
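The chain above (LNK, then ie4uinit.exe fetching a DLL, then regsvr32.exe running it) is built entirely from signed Windows binaries, so file-hash detection is of little use; what stands out is where those binaries run from and what they are asked to load. The following is an added detection example, not eSentire's or Rhyno's tooling. It scans constructed, Sysmon-style process-creation records (the field names are an assumption loosely modelled on Sysmon Event ID 1, and the events, paths and DLL name are made up) and flags ie4uinit.exe started from a user-writable working directory, regsvr32.exe loading a DLL from such a path, and either binary running from outside the Windows system directories. The user-writable prefixes and the "system directory" list are heuristics chosen for this example and should be tuned to the environment; ie4uinit.exe does run legitimately at first logon, so the working directory is the discriminator, not the binary's mere presence.

```python
"""Heuristic detection for the LNK -> ie4uinit.exe -> regsvr32.exe chain.

Added example (not the original article's or eSentire's code). Works on
constructed Sysmon-style process-creation events; field names are an
assumption, the sample events are invented.
"""
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample telemetry (not real data).
EVENTS = [
    # The chain from the article: the LNK launches ie4uinit.exe from Downloads ...
    {"pid": 4100, "image": r"C:\Windows\System32\ie4uinit.exe",
     "cmdline": "ie4uinit.exe -BaseSettings",
     "cwd": r"C:\Users\recruiter\Downloads"},
    # ... then regsvr32.exe loads the downloaded DLL (invented name) from %TEMP%.
    {"pid": 4112, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\recruiter\AppData\Local\Temp\resume.dll"',
     "cwd": r"C:\Users\recruiter\Downloads"},
    # Benign: an installer registering a vendor DLL from Program Files.
    {"pid": 5120, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "cwd": r"C:\Program Files\Vendor"},
    # Benign: ie4uinit.exe run by Windows itself from System32.
    {"pid": 6001, "image": r"C:\Windows\System32\ie4uinit.exe",
     "cmdline": "ie4uinit.exe",
     "cwd": r"C:\Windows\System32"},
    # Masquerade: something named regsvr32.exe dropped in the user's profile.
    {"pid": 7020, "image": r"C:\Users\recruiter\AppData\Roaming\regsvr32.exe",
     "cmdline": "regsvr32.exe /s x.dll",
     "cwd": r"C:\Users\recruiter\AppData\Roaming"},
]

LOLBINS = {"ie4uinit.exe", "regsvr32.exe"}
# Where the genuine binaries live (assumption for this example).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Directories an ordinary user can write to (assumption; tune per environment).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)(\\|$)",
    re.IGNORECASE,
)


def in_user_writable(path: str) -> bool:
    """True if the path starts with one of the user-writable prefixes."""
    return bool(USER_WRITABLE.match(path))


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Extract the DLL path regsvr32 was asked to load (quoted or bare)."""
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)\b', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def classify(ev: dict) -> List[str]:
    """Return the list of suspicious behaviours seen in one process event."""
    name = ntpath.basename(ev["image"]).lower()
    if name not in LOLBINS:
        return []
    findings = []
    if ntpath.dirname(ev["image"]).lower() not in SYSTEM_DIRS:
        findings.append(f"{name} running from outside the Windows system directories")
    if name == "ie4uinit.exe" and in_user_writable(ev["cwd"]):
        findings.append("ie4uinit.exe launched with a user-writable working directory")
    if name == "regsvr32.exe":
        dll = regsvr32_target(ev["cmdline"])
        if dll and in_user_writable(dll):
            findings.append(f"regsvr32.exe loading DLL from user-writable path: {dll}")
    return findings


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (pid, finding) pairs."""
    return [(ev["pid"], f) for ev in events for f in classify(ev)]


def chain_observed(events: List[dict]) -> bool:
    """True when both halves of the article's chain fire in the same batch."""
    hits = {f.split()[0] for _, f in scan(events)}
    return {"ie4uinit.exe", "regsvr32.exe"} <= hits


if __name__ == "__main__":
    for pid, finding in scan(EVENTS):
        print(f"pid {pid}: {finding}")
    print("full ie4uinit -> regsvr32 chain observed:", chain_observed(EVENTS))
```

On the constructed batch the two chain events and the masquerading binary are flagged while the installer and the system-initiated ie4uinit.exe run are not. In production the same rules map directly onto EDR or SIEM queries keyed on the process image, working directory and command line; adding a parent-process condition (for example, regsvr32.exe spawned under explorer.exe shortly after an LNK is opened) tightens them further, but the article does not state the parent relationship, so it is left out here.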
“More_eggs campaigns are still active, and their operators continue to use social engineering tactics such as posing as job applicants looking to apply for a particular role, luring victims (specifically recruiters) to download their malware,” claimed eSentire.
“Additionally, campaigns like More_eggs, which use the MaaS offering, appear to be sparse and selective compared to typical malspam distribution networks.”
The disclosure coincides with eSentire's report on a drive-by download campaign that uses bogus websites to deliver Vidar Stealer disguised as the KMSPico Windows activator.
“The kmspico[.]ws site is hosted behind Cloudflare Turnstile and requires human input (entering a code) to download the final ZIP package,” said eSentire. “These steps are unusual for a legitimate application download page and are done to hide the page and final payload from automated web crawlers.”
Similar lookalike sites impersonating legitimate software such as Advanced IP Scanner have also been used to deliver Cobalt Strike, Trustwave SpiderLabs reported last week.
The development also follows the emergence of V3B, a new phishing kit used to target banking customers in the European Union and harvest their credentials and one-time passwords (OTPs).
The kit, sold for $130-$450 a month under a Phishing-as-a-Service (PhaaS) model on the dark web and through a dedicated Telegram channel, is believed to have been available since March 2023. It supports over 54 banks in Austria, Belgium, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, and the Netherlands.
V3B's key feature is its set of customized and translated templates for the various authentication and verification flows used by regional online banking and e-commerce systems.
It also includes capabilities for interacting with victims in real time to capture their OTP and PhotoTAN codes, as well as for carrying out QR code login jacking (aka QRLJacking) against applications such as WhatsApp that allow sign-in via QR codes.
“They have since built a client base focused on targeting European financial institutions,” Resecurity stated. “Currently, it is estimated that hundreds of cybercriminals are using this kit to commit fraud, leaving victims with empty bank accounts.”
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.