Cybersecurity researchers have detected a sophisticated phishing campaign that delivers the More_eggs malware, disguised as resumes, to recruiters. The tactic is not new, but it continues to be effective; the most recent incident was reported in May 2024 by Canadian cybersecurity firm eSentire.
Overview of the Attack
In this campaign, threat actors masquerade as job applicants and lure recruiters into downloading malicious files disguised as resumes. The attack begins with the attackers replying to LinkedIn job postings and providing a link to a fake resume download site. The download delivers a malicious Windows Shortcut (LNK) file, which retrieves a harmful DLL through legitimate Microsoft programs such as ie4uinit.exe and uses regsvr32.exe to execute the malware and establish persistence.
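As an added illustration, not taken from eSentire's report or the original article, the following Python triage script applies simple detection rules to constructed process-creation events modelled on the chain described above: ie4uinit.exe running from somewhere other than its normal System32 location, and regsvr32.exe either registering a DLL from a user-writable directory or being spawned by ie4uinit.exe. The event field names, rule identifiers, user name and file paths are assumptions chosen for the example; the sample events are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; a DLL registered from one of
# these is far more suspicious than one under C:\Windows.  (Assumed list.)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)

# Where the genuine ie4uinit.exe normally lives on a 64-bit Windows install.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions)."""
    ts: str            # timestamp as logged
    parent_image: str  # full path of the parent process
    image: str         # full path of the new process
    cmdline: str       # full command line of the new process


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the rule identifiers that fire for a single event."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)

    # R1: regsvr32.exe asked to register a DLL that sits in a user-writable dir.
    if image == "regsvr32.exe" and USER_WRITABLE.search(ev.cmdline):
        hits.append("R1_regsvr32_user_writable_dll")

    # R2: regsvr32.exe launched by ie4uinit.exe, an unusual parent that matches
    # the chain described in the article.
    if image == "regsvr32.exe" and parent == "ie4uinit.exe":
        hits.append("R2_regsvr32_spawned_by_ie4uinit")

    # R3: ie4uinit.exe executing from outside its legitimate system directories,
    # i.e. a copy of the binary placed somewhere by the attacker.
    if image == "ie4uinit.exe" and not ev.image.lower().startswith(SYSTEM_DIRS):
        hits.append("R3_ie4uinit_outside_system32")

    return hits


def scan(events: list[ProcessEvent]) -> list[tuple[str, str]]:
    """Run every rule over every event and return (timestamp, rule) findings."""
    return [(ev.ts, rule) for ev in events for rule in evaluate(ev)]


# Constructed sample events: two benign, two modelled on the described chain.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-01T09:00:01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" C:\Users\jdoe\Downloads\candidate_resume.docx'),
    ProcessEvent("2024-05-01T09:02:10", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
    ProcessEvent("2024-05-01T09:05:33", r"C:\Windows\explorer.exe",
                 r"C:\Users\jdoe\AppData\Local\Temp\ie4uinit.exe",
                 r"C:\Users\jdoe\AppData\Local\Temp\ie4uinit.exe -BaseSettings"),
    ProcessEvent("2024-05-01T09:05:35", r"C:\Users\jdoe\AppData\Local\Temp\ie4uinit.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\payload.dll"),
]


if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_EVENTS):
        print(f"{ts}  {rule}")
```

The benign regsvr32.exe call registering a DLL from System32 produces no finding, while the copied ie4uinit.exe and the regsvr32.exe it spawns trigger three findings between them. In a real deployment the same three rules map naturally onto process-creation telemetry such as Sysmon Event ID 1 or EDR process trees, with the parent-child rule (R2) being the one least likely to fire on legitimate activity.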
More_eggs Malware Details
More_eggs is a modular backdoor malware used for harvesting sensitive information. Operated by the group known as Golden Chickens (aka Venom Spider), this malware is distributed under a Malware-as-a-Service (MaaS) model, allowing other cybercriminals to use it for their malicious purposes. This modular design makes it highly versatile, capable of adapting to various payloads and maintaining a low detection profile.
Social Engineering Tactics
The attack’s success heavily relies on social engineering. By impersonating job applicants, the attackers exploit the trust of recruiters, who are naturally inclined to download resumes and other application materials. Once the malicious LNK file is downloaded, it triggers a series of actions to install the malware without raising suspicion.
Previous and Current Campaigns
The More_eggs malware has a history of targeting professionals on LinkedIn, previously using weaponized job offers. The current campaign mirrors these tactics, focusing on recruiters, who are a lucrative target due to their access to company networks and sensitive employee information.
Implications for Cybersecurity
The resurgence of More_eggs underscores the persistent threat posed by sophisticated phishing campaigns. It highlights the need for organizations to enhance their cybersecurity training and awareness programs, especially for HR and recruitment departments. Additionally, leveraging advanced threat detection systems can help identify and mitigate such threats before they cause significant damage.
Protective Measures
To safeguard against such attacks, organizations should implement the following measures:
- Enhanced Email Security: Utilize advanced email filtering and threat detection systems to identify and block phishing emails.
- User Training: Conduct regular training sessions for employees, particularly those in HR and recruitment, to recognize phishing attempts and suspicious links.
- Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security, making it harder for attackers to gain unauthorized access.
- Endpoint Protection: Deploy comprehensive endpoint security solutions to detect and respond to malicious activities on employee devices.
- Regular Updates: Ensure all software and systems are up-to-date with the latest security patches to close vulnerabilities exploited by malware.
Conclusion
The More_eggs malware campaign is a stark reminder of the evolving tactics used by cybercriminals. By masquerading as job applicants, they exploit human trust to infiltrate organizations. Vigilance, combined with robust cybersecurity measures, is crucial in defending against such threats. Organizations must stay informed about the latest attack vectors and continuously adapt their security strategies to mitigate risks effectively.