In a recent development, a notorious threat group known for its focus on multinational financial organizations has been using a new tactic to target talent recruiters. The group has been masquerading as job seekers in a spear-phishing campaign aimed at spreading the “more_eggs” backdoor, which has the capability to deploy additional malware payloads.
The campaign was uncovered by researchers from Trend Micro, who detailed their findings in a recent analysis. According to Trend Micro, the campaign bears the hallmarks of the threat group FIN6, which has a history of utilizing the more_eggs backdoor in its attacks. However, due to the nature of the malware being part of a malware-as-a-service (MaaS) package, precise attribution becomes challenging.
It’s worth noting that FIN6 has previously posed as recruitment officers to target job seekers. However, in a shift in tactics, the group has now transitioned to posing as fake job applicants. This change in strategy was highlighted by Trend Micro researchers in a blog post detailing the attacks.
The campaign came to light when an employee, working as a talent search lead at an engineering customer, downloaded a fake resume from a supposed job applicant for a sales engineer position. The downloaded file initiated a more_eggs infection through the execution of a malicious .lnk file.
The attack began with a spear-phishing email purportedly from ‘John Cboins,’ sent to a senior executive within the company. The email contained no attachments or URLs but served as a social engineering tactic to build trust with the user. Subsequently, a recruitment officer downloaded a file named John Cboins.zip from a URL using Google Chrome, leading to the infection.
Further investigation revealed that the URL appeared to be a legitimate job applicant website, complete with a CAPTCHA test and other elements designed to deceive recruiters into interacting with the malicious content without raising suspicion.
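The infection chain described above (a zip named after the "applicant", containing a Windows shortcut that runs the loader) is easy to screen for at a mail or download gateway. The following scanner is an added example written for this article; it is not Trend Micro's tooling or any code from the campaign. The LNK header bytes are the HeaderSize and LinkCLSID that open every Windows Shell Link file per the MS-SHLLINK format; the list of file types a resume archive is allowed to contain is an assumption, and the sample archive is constructed here, carrying only a header rather than any real payload.

```python
import io
import zipfile

# First 20 bytes of a Windows Shell Link (.lnk) file: HeaderSize 0x0000004C
# followed by the LinkCLSID {00021401-0000-0000-C000-000000000046} in
# little-endian layout (MS-SHLLINK ShellLinkHeader).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Assumption: the only file types a job applicant's resume archive may contain.
RESUME_SUFFIXES = (".pdf", ".doc", ".docx", ".rtf", ".txt")


def scan_resume_archive(zip_bytes: bytes) -> list:
    """Inspect a zip received as a 'resume' and return (entry, reason) pairs for
    entries that should stop it at the gateway. Checks both the extension and the
    on-disk header, so a shortcut hidden behind a document-looking name is caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if lower.endswith(".lnk"):
                findings.append((name, "Windows shortcut (.lnk) inside archive"))
            elif head == LNK_MAGIC:
                findings.append((name, "LNK header under a non-.lnk name"))
            elif not lower.endswith(RESUME_SUFFIXES):
                findings.append((name, "unexpected file type for a resume"))
    return findings


def build_sample(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample modelled on the campaign's "John Cboins.zip". The entry
    # is just a Shell Link header padded with zeros, not an executable shortcut.
    lure = build_sample({"John Cboins.lnk": LNK_MAGIC + b"\x00" * 32})
    clean = build_sample({"John Cboins resume.pdf": b"%PDF-1.4\n"})
    for label, blob in (("lure", lure), ("clean", clean)):
        print(label, scan_resume_archive(blob) or "no findings")
```

The header check matters more than the extension check: a shortcut renamed to `.pdf` will not execute when double-clicked, but an attacker can name an entry `resume.pdf.lnk` and rely on Explorer hiding the last extension, and the header comparison flags it whatever the name says.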
The more_eggs backdoor, part of the Golden Chickens toolkit, has been observed in attacks dating back to 2017. The toolkit is associated with Venom Spider, an underground MaaS provider also known as badbullzvenom. The distribution methods for the malware have varied, including phishing schemes with malicious documents, fake job offers on LinkedIn and email, and .zip files disguised as images.
Currently, there are two active campaigns spreading the malware, focusing on individuals in roles that could lead to financial gain for the attackers. Preventing the hatching of “more_eggs” requires robust threat detection measures and a culture of cybersecurity awareness within organizations.
Trend Micro has shared indicators of compromise related to the campaigns, enabling organizations with managed detection and response systems to implement custom filters and models to combat the evolving threat posed by the more_eggs backdoor. It is crucial for defenders to stay vigilant and proactive in the face of these sophisticated attacks.