Once fully operational, More_eggs collects extensive system information, including OS installation date, antivirus details, username, computer name, OS version, IP address, and more-sending this intelligence back to command-and-control servers for the threat actor to leverage in further exploits or data theft operations. A sophisticated cyber campaign targeting corporate human resources departments has been uncovered, with attackers exploiting the routine practice of opening job application attachments to deploy a dangerous backdoor. The financially motivated threat group Venom Spider is behind this campaign, sending spear-phishing emails to hiring managers and recruiters with links to download what appear to be candidate resumes but are actually malicious files. The backdoor, known as More_eggs, is a particularly concerning threat as it can be leveraged for a wide array of malicious activities, from credential theft to stealing sensitive customer payment data, intellectual property, and trade secrets. The venom Spider’s JavaScript dropper payload shows how the malware employs encrypted data blocks that are only decrypted on the victim’s system using a combination of system-specific information like computer name and processor identifier. The threat actor’s infrastructure employs server polymorphism, generating a unique malicious .lnk file for each download with different code obfuscation and file sizes-ranging from 11,600 to 11,900 bytes-making each attack instance unique. This JavaScript utilizes sophisticated encryption with a hard-coded key combined with three bytes obtained through brute force-a technique that typically requires several minutes of processing time, effectively evading automated analysis systems. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Upon clicking, the victim is directed to an actor-controlled website with a CAPTCHA verification step-a clever technique that helps bypass automatic security scanners while appearing legitimate to human users. A sophisticated Remote Access Trojan (RAT) dubbed "RomCom" has emerged as a significant threat targeting UK organizations through their customer feedback portals. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. This represents a tactical evolution for Venom Spider, which has historically focused on industries utilizing online payment portals or e-commerce sites, including retail, entertainment, and pharmacy sectors. Their analysis revealed several upgrades in the malware design specifically engineered to infect victims more effectively and evade automated security analysis techniques like sandboxing. Threat actors have recognized and are actively exploiting this operational necessity, making HR one of the weakest links in organizational security. After the victim passes the CAPTCHA test, a zip file downloads that contains a malicious Windows shortcut (.lnk) file alongside an image file serving as a distraction. Tushar is a Cyber security content editor with a passion for creating captivating and informative content.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 05 May 2025 17:45:06 +0000