A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applicant lures.

"A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection," Trend Micro researchers Ryan Soliven, Maria Emreen Viray, and Fe Cureg said in an analysis.

More_eggs, sold as a malware-as-a-service (MaaS), is malicious software with capabilities to siphon credentials, including those for online bank accounts, email accounts, and IT administrator accounts. It's attributed to a threat actor called the Golden Chickens group (aka Venom Spider), and has been put to use by several other e-crime groups like FIN6 (aka ITG08), Cobalt, and Evilnum.

The latest findings from Trend Micro mark a slight deviation from the earlier observed pattern in that the threat actors first sent a spear-phishing email, likely in an attempt to build trust and gain the recipient's confidence. Double-clicking the LNK file results in the execution of obfuscated commands that lead to the execution of a malicious DLL, which, in turn, is responsible for dropping the More_eggs backdoor via a launcher. Trend Micro said it observed another variation of the campaign that includes PowerShell and Visual Basic Script (VBS) components as part of the infection process.

It's worth noting that the attack chain reported by eSentire also includes an identical site with a similar button that directly downloads the LNK file. The French cybersecurity firm said it observed the same packer being used to "protect unrelated payloads" such as the XMRig cryptocurrency miner and the r77 rootkit, raising the possibility that it could also be leveraged by other threat actors.
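As an added illustration, not code from the Trend Micro analysis or this article, the following Python sketch runs over constructed process-creation records and flags the chain described above: Explorer opening an LNK, which spawns a command interpreter, which in turn loads a DLL from a user-writable path via rundll32 or regsvr32. The record layout, file names and paths are assumptions for the example.

```python
import ntpath
import re

# Process names that an LNK's obfuscated command typically runs through.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Living-off-the-land binaries used to execute a dropped DLL.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# A DLL sitting in a user-writable location (Downloads, AppData, Desktop).
USER_DLL = re.compile(
    r"[A-Z]:\\Users\\[^\\\s]+\\(?:Downloads|AppData|Desktop)\\[^\s,]+\.dll", re.I)

# Constructed Sysmon-style records (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "s^et x=1"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\hr\Downloads\resume.dll,Start"},
    # Benign: an interpreter under Explorer that loads a system DLL.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"pid": 401, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Benign: a service loading a system DLL, not under Explorer at all.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe"},
    {"pid": 501, "ppid": 500, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\legit.dll"},
]


def _name(image):
    # ntpath handles backslash separators even when run on non-Windows hosts.
    return ntpath.basename(image).lower()


def find_lnk_style_chains(events):
    """Return (interpreter_pid, loader_pid) pairs for explorer.exe -> interpreter
    -> rundll32/regsvr32 chains where the loader targets a user-writable DLL."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e["image"]) not in DLL_LOADERS or not USER_DLL.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _name(parent["image"]) not in INTERPRETERS:
            continue
        grand = by_pid.get(parent["ppid"])
        if grand is None or _name(grand["image"]) != "explorer.exe":
            continue
        hits.append((parent["pid"], e["pid"]))
    return hits


if __name__ == "__main__":
    print(find_lnk_style_chains(SAMPLE_EVENTS))  # [(200, 300)]
```

The parent-of-parent check is what separates an LNK-launched interpreter from the many legitimate rundll32 invocations on a workstation; the user-writable path filter drops system DLLs.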
This Cyber News was published on thehackernews.com. Publication date: Wed, 02 Oct 2024 15:43:06 +0000