Cyberattackers Use HR Targets to Lay More_Eggs Backdoor

A long-active threat group known for targeting multinational financial organizations has been impersonating job seekers in order to target talent recruiters. The method is a spear-phishing campaign spreading the "more_eggs" backdoor, which is capable of executing secondary malware payloads.

Researchers from Trend Micro discovered campaign distributing the JScript backdoor, which is part of a malware-as-a-service (MaaS) toolkit called Golden Chickens, they revealed in analysis published this week published this week. They believe that the campaign is likely the work of FIN6, which is known for using the backdoor to target their victims. However, Trend Micro emphasized that the nature of the malware being a part of an MaaS package "blurs the lines between different threat actors" and thus makes precise attribution difficult.

FIN6 has been known in the past to pose as recruitment officers to target job seekers, but it appears to be "moving from posing as fake recruiters to now masquerading as fake job applicants" in a shift in tactics, Trend Micro researchers wrote in a blog post about the attacks.

Trend Micro identified the campaign when an employee who works as a talent search lead at a customer in the engineering sector downloaded a fake resume from a purported job applicant for a sales engineer position. The downloaded file executed a malicious .lnk file that resulted in a more_eggs infection.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

"A spear-phishing email was initially sent from allegedly from 'John Cboins' using a Gmail address to a senior executive at the company," the researchers wrote. That email contained no attachments or URLs but instead was a social engineering ploy demonstrating "that the threat actor was attempting to gain the user's confidence," they wrote.

Soon after that communication, a recruitment officer downloaded what was supposed to be a resume, John Cboins.zip, from a URL using Google Chrome, though "it was not determined where this user obtained the URL," the researchers noted.

Further investigation of the URL revealed what appeared to be a typical website of a job applicant that even utilizes a CAPTCHA test and would not likely raise suspicions, thus capable of easily deceiving an unsuspecting recruiter into thinking he or she was corresponding with a legitimate candidate, they said.

Same Payload, Different Nesting Methods

Various security researchers have observed more_eggs being used in attacks as early as 2017 against a variety of targets, including Russian financial institutions and mining firms, and other multinational organizations. As mentioned, more_eggs is part of the Golden Chickens toolkit, which is distributed by Venom Spider, an underground MaaS provider also known as badbullzvenom, according to Trend Micro.

Related:Zimbra RCE Vuln Under Attack Needs Immediate Patching

While the backdoor is historically a common denominator among different threat campaigns by Venom Spider, the methods used for distributing the malware vary. Some attacks involved phishing schemes with malicious documents that contained JavaScript and PowerShell scripts, while others used LinkedIn and email to lure employees with fake job offers, leading them to malicious domains that host malicious .zip files, the researchers noted.

Attackers also have used phishing emails to distribute .zip files disguised as images to initiate a more_eggs infection, while a June campaign again leveraged LinkedIn to trick recruiters into accessing a fake job resume site that distributed the malware as a malicious .lnk file.

There appear to be two active campaigns currently spreading the malware that target victims who "are in roles that attackers could leverage to identify valuable assets and have higher potential for financial gain," the researchers wrote.

Prevent Hatching of "More_Eggs"

Traditional anti-malware solutions should immediately detect and eliminate an infection by more_eggs on a corporate network. However, factors such as an organization’s operational needs, human fallibility, and potential misconfigurations can pose a risk of the malware slipping past these detections, according to Trend Micro.

Related:Retail & Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

"The advanced social engineering techniques employed — such as using a convincing website and a malicious file disguised as a resume to start the infection — underscore the critical need for organizations to maintain continuous vigilance," the researchers wrote. "It is imperative that defenders implement robust threat detection measures and foster a culture of cybersecurity awareness to effectively combat these evolving threats."

Trend Micro shared various indicators of compromise (IoCs) related to the campaigns in the post. Organizations with managed detection and response (MDR) systems in place can use them to set up custom filters and models tailored to detect a specific threat like more_eggs that then can be fed to a security playbook to automate response to an alert, according to the post.