More_Eggs Malware Disguised as Resumes, Attacks Recruiters via Fake Job Applicant Phishing Scam

Cybersecurity researchers at eSentire have uncovered a sophisticated phishing attack leveraging the More_Eggs malware, disguised as job resumes. This tactic, identified over two years ago, continues to threaten organizations significantly. Recently, attackers targeted an unnamed company in the industrial services sector, underscoring the ongoing evolution of cyber threats and the need for heightened vigilance among recruiters and HR professionals.

Historical Context and Evolution

The More_Eggs malware, a versatile and dangerous cyber threat, has a history dating back several years. It has continuously evolved to outmaneuver traditional cybersecurity defenses. Initially identified more than two years ago, the malware spread through spear-phishing campaigns targeting high-profile professionals on platforms like LinkedIn. These early attacks used highly personalized and convincing phishing emails that included job offers and resume attachments appealing to the recipient’s professional interests.

As the threat landscape evolved, the operators behind More_Eggs adopted a Malware-as-a-Service (MaaS) model, offering the malware to other cybercriminals for a fee. This business model not only increased the prevalence of More_Eggs attacks but also contributed to its continuous improvement. Consequently, a broader range of cybercriminals, including those with limited technical expertise, could deploy sophisticated attacks.

The Attack Methodology

In the recent incident disclosed by Canadian cybersecurity firm eSentire, threat actors masqueraded as job applicants. They lured a recruiter to their website under the guise of submitting a resume. When the recruiter visited the site, they inadvertently downloaded the More_Eggs malware, known for its modular backdoor capabilities and its ability to harvest sensitive information.

Attack Execution and Payload Delivery

The More_Eggs malware initiates its attack by exploiting LinkedIn job listings. Threat actors pose as potential candidates, sending a link to a fake resume download site. When the recruiter clicks the “Download CV” button, a malicious Windows Shortcut File (LNK) is downloaded. When opened, the LNK file launches “cmd.exe” with an obfuscated command that creates a configuration file, “ieuinit.inf,” which in turn downloads a malicious DLL from a designated URL.

Subsequently, the malware uses a legitimate Microsoft executable, “ie4uinit.exe,” to run commands from the “ieuinit.inf” file, downloading the malicious DLL “55609.dll.” This DLL is executed using “regsvr32.exe” to establish persistence and gather data about the infected host. The DLL sets up registry keys to maintain persistence and drops additional payloads, including JavaScript code. This code establishes a command and control (C2) client to communicate with the attacker’s server, sending system details and executing further malicious tasks. The DLL employs multiple anti-debug and anti-sandbox checks, delaying its execution until specific conditions are met. It uses the RC4 algorithm to decrypt strings and sets up a command and control infrastructure to execute tasks and download additional files.

This process establishes persistence on the infected host, gathers data, and delivers additional payloads, including the More_Eggs backdoor.
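The chain above leaves a recognisable trail in process-creation telemetry: cmd.exe writing ieuinit.inf, ie4uinit.exe running from somewhere other than the Windows directory, and regsvr32.exe registering a DLL from a user-writable path while parented by ie4uinit.exe. The following detection script is an added example, not code from eSentire or the article; the log lines, user name, file paths and command-line switches are constructed for illustration, and the three rule names are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events in a Sysmon-like key=value form.
# Paths, user names and switches are made up; this is not incident telemetry.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="cmd.exe /c echo [version] > %TEMP%\\ieuinit.inf"',
    'Image=C:\\Users\\recruiter\\AppData\\Local\\Temp\\ie4uinit.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="ie4uinit.exe -BaseSettings"',
    'Image=C:\\Windows\\System32\\regsvr32.exe '
    'ParentImage=C:\\Users\\recruiter\\AppData\\Local\\Temp\\ie4uinit.exe '
    'CommandLine="regsvr32.exe /s C:\\Users\\recruiter\\AppData\\Local\\Temp\\55609.dll"',
    # Benign activity that must not fire: ie4uinit.exe from System32, vendor DLL.
    'Image=C:\\Windows\\System32\\ie4uinit.exe ParentImage=C:\\Windows\\System32\\svchost.exe '
    'CommandLine="ie4uinit.exe -ClearIconCache"',
    'Image=C:\\Windows\\System32\\regsvr32.exe ParentImage=C:\\Windows\\System32\\msiexec.exe '
    'CommandLine="regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll"',
]

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one event line into a field dictionary."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules (assumed names) that match one event."""
    hits: List[str] = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    name = basename(image)

    # Stage 1: the LNK launches cmd.exe with a command that creates ieuinit.inf.
    if name == "cmd.exe" and "ieuinit.inf" in cmd:
        hits.append("cmd_writes_ieuinit_inf")

    # Stage 2: ie4uinit.exe is a signed Microsoft binary that ships in
    # System32/SysWOW64; a copy executing elsewhere indicates LOLBin abuse.
    if name == "ie4uinit.exe" and not image.startswith(WINDOWS_DIRS):
        hits.append("ie4uinit_outside_windows_dir")

    # Stage 3: regsvr32.exe registering a DLL from a user-writable location,
    # or parented by ie4uinit.exe, matches the described delivery chain.
    if name == "regsvr32.exe":
        if any(marker in cmd for marker in USER_WRITABLE):
            hits.append("regsvr32_user_writable_dll")
        if basename(parent) == "ie4uinit.exe":
            hits.append("regsvr32_spawned_by_ie4uinit")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of every matching event to the rules it triggered."""
    results: Dict[int, List[str]] = {}
    for index, line in enumerate(lines):
        hits = detect(parse_event(line))
        if hits:
            results[index] = hits
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(hits)}")
```

Each rule is deliberately narrow on its own (a legitimate ie4uinit.exe run from System32 and a vendor DLL registered from Program Files do not fire), so the value comes from correlating the stages on one host within a short window rather than from any single hit.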

Ongoing Threat

eSentire’s findings emphasize that More_Eggs campaigns remain active, with operators continually refining their social engineering tactics. By posing as job applicants, they specifically target recruiters, making it crucial for HR professionals to exercise caution when handling online resumes and interacting with job applicants.

Conclusion

The More_Eggs malware, disguised as resumes, highlights the evolving tactics cybercriminals use to exploit unsuspecting individuals and organizations. By leveraging sophisticated social engineering techniques and Malware-as-a-Service (MaaS) models, threat actors like Golden Chickens continue to pose significant cybersecurity risks.

Organizations must continuously educate their employees and implement advanced cybersecurity solutions to mitigate these threats. Comprehensive monitoring and proactive defense strategies are crucial in defending against malware and phishing attacks. Staying informed about the latest cybersecurity threats and adopting best practices can significantly enhance an organization’s resilience against these sophisticated attacks.