A new series of phishing attacks delivering the more_eggs malware has been detected targeting corporate hiring managers, using fake resumes as the infection vector. The campaign comes a year after potential applicants seeking employment on LinkedIn were lured with malicious job offers.
“This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers,” said eSentire’s research and reporting lead, Keegan Keplinger.
According to the Canadian cybersecurity firm, four separate security incidents were discovered and disrupted, three of which happened towards the end of March. The targets include an aerospace company based in the United States, an accountancy firm based in the United Kingdom, and a legal firm and a hiring agency based in Canada.
The malware, which is thought to be the product of a threat actor known as Golden Chickens (also known as Venom Spider), is a stealthy, modular backdoor suite capable of stealing important data and moving laterally across a compromised network. According to Keplinger, more_eggs achieves execution by passing malicious code to legitimate Windows processes and letting those processes do the work for it. The idea is to use resumes as a decoy in order to install the malware and avoid detection.
Apart from the role reversal in the mode of operation, it’s unclear what the attackers were after, given that the intrusions were halted before they could carry out their intentions. However, it’s worth noting that, once deployed, more_eggs could be used as a launchpad for further attacks such as data theft and ransomware.
Keplinger said the threat actors operating more_eggs employ a scalable spear-phishing method that weaponizes expected communications, such as resumes that fit a recruiting manager’s expectations, or job offers that target hopeful individuals using their current or previous job titles.