A recent spear-phishing campaign targeting HR professionals in the recruitment sector has been observed delivering the More_eggs JavaScript backdoor [1]. It is believed to be the work of threat actors such as FIN6, Cobalt [1] [2] [3] [4] and Evilnum [1] [2] [3] [4], and is associated with the Golden Chickens group (Venom Spider) [1] [2] [3] [4].
Description
The attackers use LinkedIn to distribute fake resumes as LNK files [1], which lead to the deployment of the backdoor [4]. Trend Micro researchers noted a variation of the campaign in late August 2024 [1] that used a fake job applicant lure to deliver the malware [1]. The attack chain begins with a malicious URL hosting a ZIP archive that contains the LNK file [1]; opening the shortcut triggers the execution of obfuscated commands that drop the More_eggs backdoor [3]. Separately, HarfangLab recently discovered the FIN7 group using PackXOR to obfuscate malware such as AvNeutralizer [1] [3], XMRig [1] [2] [3] [4] and the r77 rootkit [2] [4], and suggested it may be used by other threat actors as well [1] [2] [3].
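A defender-side check for the ZIP-with-LNK lure described above, added here as an example and not taken from the cited reports: it opens an archive from bytes, identifies Shell Link files by their fixed header (HeaderSize 0x4C followed by the LinkCLSID from the MS-SHLLINK specification) rather than by extension, and flags resume-themed shortcut names. The lure word list and the sample archive are constructed for the example.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Shell Link (.LNK) files start with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK, section 2.1).
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Constructed list of lure words matching the fake-resume theme.
LURE_WORDS = re.compile(r"(resume|cv|applicant|application|candidate)", re.I)


@dataclass
class Finding:
    name: str
    reason: str


def scan_zip_for_lnk(zip_bytes: bytes) -> list[Finding]:
    """Return one Finding per archive entry whose content is a Shell Link file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head != LNK_MAGIC:
                continue  # content is not a shortcut, whatever the name says
            lower = info.filename.lower()
            if not lower.endswith(".lnk"):
                reason = "LNK content under a non-.lnk extension"
            elif LURE_WORDS.search(lower):
                reason = "resume-themed .lnk shortcut"
            else:
                reason = ".lnk shortcut in archive"
            findings.append(Finding(info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake resume shortcut beside a benign text file."""
    # Minimal LNK: the 76-byte header with magic set and the rest zeroed.
    fake_lnk = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John_Doe_Resume.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"plain text, not a shortcut")
    return buf.getvalue()
```

Checking the header bytes rather than the file name catches shortcuts renamed to look like documents, which a name-only filter at the mail gateway would miss.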
Conclusion
Organizations are advised to stay vigilant and implement robust threat detection measures to defend against these evolving threats [5]. The sophisticated tactics used by these threat actors underline the importance of continuous monitoring and proactive security measures to protect sensitive data and systems.
References
[1] https://vulners.com/thn/THN:025748C564C2D54F0166C5F7751548A3
[2] https://thehackernews.com/2024/10/fake-job-applications-deliver-dangerous.html
[3] https://patabook.com/technology/2024/10/02/fake-job-applications-deliver-dangerous-moreeggs-malware-to-hr-professionals/
[4] https://zerosecurity.org/moreeggs-malware-spread-fake-resumes-hr-departments/14830/
[5] https://www.darkreading.com/cyberattacks-data-breaches/attackers-targeting-recruiters-more_eggs-backdoor