Cybersecurity researchers have uncovered a sophisticated spear-phishing campaign targeting HR professionals with a potent JavaScript backdoor known as More_eggs. This latest attack, observed in late August 2024, highlights the persistent efforts of threat actors to exploit the job application process for malicious purposes.
The Anatomy of the Attack
According to an analysis by Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg, the attack began with a carefully crafted spear-phishing email sent to a talent search lead in the engineering sector. The email, designed to build trust and confidence, set the stage for the next phase of the attack.
Shortly after the initial contact, a recruitment officer downloaded what appeared to be a resume file named “John Cboins.zip” from a suspicious URL using Google Chrome. While the exact source of the URL remains unclear, investigators noted that both targeted users were actively searching for an inside sales engineer at the time of the attack.
The Deceptive Download
The malicious URL, johncboins[.]com, featured a prominent “Download CV” button, enticing victims to download a ZIP archive containing a Windows shortcut (LNK) file. This method of distribution bears striking similarities to a previous campaign disclosed by eSentire in June, which utilized LinkedIn as a vector for spreading fake resumes hosted on attacker-controlled sites.
More_eggs: A Potent Threat
Upon execution, the LNK file triggers a series of obfuscated commands, ultimately leading to the deployment of the More_eggs backdoor. This sophisticated malware, sold as a Malware-as-a-Service (MaaS) offering, is capable of stealing a wide range of credentials, including those for online bank accounts, email services, and IT administrator access.
More_eggs is attributed to a threat actor known as the Golden Chickens group (also called Venom Spider) and has been utilized by several notorious e-crime groups, including FIN6 (ITG08), Cobalt, and Evilnum.
The Infection Process
Once activated, More_eggs performs a series of actions:
- Checks for admin or user privileges
- Conducts reconnaissance on the compromised host
- Establishes communication with a command-and-control (C2) server
- Receives and executes secondary malware payloads
Trend Micro researchers also observed a variant of the campaign that incorporates PowerShell and Visual Basic Script (VBS) components in the infection chain, demonstrating the adaptability of the threat actors.
Attribution Challenges
While the tactics, techniques, and procedures (TTPs) employed in this attack bear similarities to those used by the FIN6 group, definitively attributing the campaign to a specific threat actor remains challenging. The nature of the Malware-as-a-Service model allows multiple groups to leverage the same toolkits and infrastructure, complicating attribution efforts.
Wider Implications: The PackXOR Connection
In a related development, French cybersecurity firm HarfangLab recently uncovered PackXOR, a private packer used by the FIN7 cybercrime group to encrypt and obfuscate their AvNeutralizer tool. Intriguingly, PackXOR has also been observed protecting unrelated payloads such as the XMRig cryptocurrency miner and the r77 rootkit, suggesting its potential use by other threat actors.
Protecting Against Spear-Phishing Attacks
As these sophisticated campaigns continue to target HR professionals and recruiters, organizations must prioritize cybersecurity awareness and implement robust defensive measures. Key steps include:
- Providing comprehensive security training for all employees, especially those handling job applications
- Implementing advanced email filtering and malware detection systems
- Regularly updating and patching all software and systems
- Enforcing strong access controls and multi-factor authentication
- Conducting regular security audits and penetration testing
