In the ever-evolving world of cybercrime, one thing is clear: no one is safe, not even recruiters. Recently, a targeted spear-phishing campaign has taken aim at recruitment officers, delivering a backdoor called More_eggs through what look like ordinary job applications.
This attack is part of a broader trend in the cybercrime world, where malicious actors exploit industries that rely heavily on email communication. Let’s dive into how this campaign unfolded and, most importantly, how you can protect yourself from becoming the next target.
Don't employ the coy: Fake Resumes, Real Danger
Imagine being a recruiter on the hunt for top talent. You open an email from what seems like a promising candidate. Attached is a resume in a ZIP file. Harmless, right? Wrong.
This particular resume was a trap: the ZIP file did not contain a document at all but a Windows shortcut (LNK) file dressed up to look like one. A shortcut is simply a stored instruction to run a program with a given command line, so no software vulnerability is needed; the moment the recruiter double-clicked it, Windows ran the command line hidden inside the shortcut, and that command line retrieved and launched the More_eggs backdoor.
Once inside, the malware checked the user's privileges and ran reconnaissance on the host to prepare it for further attacks. All of this happened without the user noticing anything, simply because they opened what appeared to be a legitimate job application.
Who’s Behind the Attack?
The threat actors behind this campaign belong to a group called Golden Chickens (also tracked as Venom Spider). They offer More_eggs as Malware-as-a-Service (MaaS), meaning other cybercriminal groups can rent it and use it in their own attacks. Groups such as FIN6, Cobalt, and Evilnum have been linked to the tool, which makes attribution of any single campaign tricky.
These attackers are not sticking to email, either. Earlier campaigns showed them using LinkedIn to spread malicious resumes, further proof that the recruitment sector is under continuous attack.
What Is More_eggs?
More_eggs is a JavaScript-based backdoor with capabilities that allow it to steal valuable credentials, everything from online banking details to email and IT administrator accounts. Once it gains a foothold on your system, it contacts a command-and-control (C2) server, which can send instructions for launching additional attacks, such as dropping more malware.
Its stealthy nature and the ability to be customized make it a weapon of choice for cybercriminals looking to target individuals or businesses for sensitive data.
Which came first, the chicken or the egg? Practical Measures
With attacks like this growing more sophisticated, you might wonder: How can we fight back? Here’s how:
1. Train Your Staff: It's crucial to educate employees, especially those in recruiting and HR, on how to spot phishing emails. Suspicious attachments, unexpected URLs, and unsolicited resumes should always raise a red flag, and a "resume" that arrives as a ZIP archive, or as anything other than a plain PDF or Word document, deserves a second look before it is opened.
2. Use Multi-Factor Authentication (MFA): Protect sensitive accounts by enabling MFA. This adds an extra layer of security that can thwart attackers even if they manage to steal passwords.
3. Advanced Email Filtering: Use tools that detect and block phishing emails before they even reach the inbox. Beyond scanning links, these filters should inspect the contents of archive attachments and block or strip executable content such as Windows shortcut (.lnk) files, which have no legitimate place in a job application.
4. Endpoint Protection: Having robust endpoint detection and response (EDR) systems in place ensures that unusual activity on devices is flagged and contained quickly. In this campaign the tell-tale behaviour is a shortcut opened from a mail client or download folder that launches a script interpreter, which is exactly the kind of process chain EDR rules can catch.
5. Keep Software Updated: Patching vulnerabilities in your systems can stop attackers from exploiting known weaknesses. Regular updates are a simple but effective defense.
6. Network Segmentation: Limit access to critical systems by segmenting your network. That way, even if a user is compromised, attackers won’t be able to access your entire infrastructure.
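To make the lure described earlier concrete, and to show the kind of check an email gateway or a triage analyst can apply under the filtering and endpoint measures above, here is an added example (written for this article, not code from the campaign, from Golden Chickens, or from any vendor). It opens a ZIP attachment in memory, identifies any embedded Windows shortcut by its file header rather than its name, parses the shortcut's string fields according to the MS-SHLLINK layout, and reports why the command line it would run is suspicious. The shortcut and archive it scans are constructed inside the script for the demo; they are not the real More_eggs lure, and the placeholder PowerShell command only echoes a word.

```python
"""Inspect a ZIP "resume" for Windows shortcut (.lnk) files and recover the
command line each one would run.  Added example for this article, not code from
the campaign, from Golden Chickens, or from any vendor; the shortcut and archive
built below are constructed here for the demo and are not the real lure."""
import io
import struct
import zipfile

# Shell Link header start (MS-SHLLINK): HeaderSize 0x4C, then the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# LinkFlags bits (offset 20) that decide which optional sections follow the header.
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised

# Interpreters and LOLBins that a document shortcut has no business launching.
SCRIPT_HOSTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32", "msxsl")
ARG_MARKERS = ("hidden", "-enc", "bypass", "http")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of one shortcut."""
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    out = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C  # end of the fixed header
    if flags & HAS_TARGET_IDLIST:            # skip LinkTargetIDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo (its size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    # StringData sections appear in this fixed order, each only if its flag is set.
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return out


def build_lnk(relative_path: str, arguments: str, icon: str, show_command: int) -> bytes:
    """Construct a minimal Unicode shortcut (empty IDList, no LinkInfo) for the demo."""
    flags = (HAS_TARGET_IDLIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    header = LNK_MAGIC + struct.pack("<II", flags, 0x20)   # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                  # creation/access/write times unset
    # FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)
    assert len(header) == 0x4C
    body = struct.pack("<H", 2) + b"\x00\x00"               # IDListSize=2: only the TerminalID
    for s in (relative_path, arguments, icon):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def scan_zip(zip_bytes: bytes) -> list:
    """Open an attachment in memory and report every shortcut with reasons to distrust it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if not data.startswith(LNK_MAGIC):   # judge by content, not by extension
                continue
            lnk = parse_lnk(data)
            cmd = (lnk.get("relative_path", "") + " " + lnk.get("arguments", "")).lower()
            reasons = []
            if any(h in cmd for h in SCRIPT_HOSTS):
                reasons.append("launches a script host or LOLBin")
            if any(m in cmd for m in ARG_MARKERS):
                reasons.append("arguments hide the window, encode, or fetch content")
            if lnk["show_command"] == SW_SHOWMINNOACTIVE:
                reasons.append("ShowCommand starts the target minimised")
            name = info.filename.lower()
            stem = name[:-4] if name.endswith(".lnk") else name
            if stem.endswith((".pdf", ".doc", ".docx", ".rtf", ".txt")):
                reasons.append("document-looking double extension (Explorer hides .lnk)")
            findings.append({"entry": info.filename, "command": cmd.strip(), "reasons": reasons})
    return findings


def constructed_attachment() -> bytes:
    """A demo ZIP: one harmless text file and one shortcut dressed up as a PDF resume."""
    # Placeholder command: it only echoes a word, but its shape is what a lure looks like.
    lnk = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                    '/c powershell -WindowStyle Hidden -Command "Write-Output demo"',
                    r"%SystemRoot%\System32\imageres.dll", SW_SHOWMINNOACTIVE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("cover_letter.txt", "Dear hiring manager, ...")
        zf.writestr("resume.pdf.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(constructed_attachment()):
        print(f["entry"], "->", f["command"])
        for r in f["reasons"]:
            print("   !", r)
```

Two design points matter in practice. The scan keys on the 20-byte Shell Link header rather than the file name, because Windows Explorer always hides the .lnk extension and lure authors rely on that to make `resume.pdf.lnk` display as `resume.pdf`. And the parser walks the optional LinkTargetIDList and LinkInfo sections by their size fields rather than assuming fixed offsets, since real shortcuts carry both and the command line only appears after them; a gateway rule that just greps the archive for `powershell` would miss a shortcut whose arguments are stored as UTF-16.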