Man
Trend Micro reports a new wave of attacks using the More_eggs backdoor.
Trend Micro researchers have identified a new phishing campaign targeting HR professionals. In this campaign, attackers send phishing emails disguised as job seekers to infiltrate the networks of large organizations and infect them with the JavaScript backdoor "More_eggs".
This backdoor is sold as a service (MaaS) and allows cybercriminals to access sensitive information such as banking, email, and admin account credentials. The software is linked to the Golden Chickens (also known as Venom Spider) group, which collaborates with other cybercriminal groups such as FIN6 (ITG08), Cobalt, and Evilnum.
Earlier, in June, eSentire detected a similar attack. In it, attackers used LinkedIn to post fake resumes, which were actually malicious shortcuts that triggered the infection process.
The new version of the attack, recorded by Trend Micro, differs in that a phishing email was sent first to build trust. In the case in question, the attack targeted a recruiter at an engineering company who had downloaded a resume, in the archive John Cboins.zip, from the suspicious website johncboins[.]com.
This site offered a fake resume in the form of a ZIP archive with an LNK file. When it was opened, encrypted commands were executed that launched a malicious DLL to load the backdoor More_eggs. During the launch process, the malware checks the user's privilege level and executes commands to collect information about the system, after which it contacts the command and control server to obtain additional modules.
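To make the infection chain above concrete from the defender's side, here is an added example (written for this post, not code from Trend Micro or from the forum) of how a mail gateway or sandbox can triage a resume archive before it reaches a recruiter: unpack the ZIP in memory, parse any .lnk entry according to the MS-SHLLINK layout (header, optional ID list and link info, then the string fields), and flag shortcuts whose target or arguments invoke a script host. The archive, the shortcut inside it, the file names and the list of script hosts are all constructed assumptions for illustration, not artifacts from the reported campaign.

```python
import io
import struct
import zipfile

# MS-SHLLINK constants. CLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumed heuristic list of script/loader hosts a resume should never launch.
SUSPICIOUS_HOSTS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def parse_lnk(data: bytes) -> dict:
    """Return the string fields (name, relative path, working dir, arguments, icon) of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # ShellLinkHeader is fixed at 76 bytes
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize is the first field of LinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            out[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return out


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Shell Link as a constructed test fixture (benign target, no ID list)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x80,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # SW_SHOWNORMAL, no timestamps
    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


def build_resume_zip(entries: dict) -> bytes:
    """Write an in-memory ZIP from {name: bytes}; constructed archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def triage_zip(zip_bytes: bytes) -> list:
    """Inspect every archive entry and return (entry name, verdict) pairs for suspicious ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(".lnk"):
                try:
                    lnk = parse_lnk(zf.read(name))
                except ValueError:
                    findings.append((name, "lnk-extension-but-not-shell-link"))
                    continue
                cmd = (lnk.get("relative_path", "") + " " + lnk.get("arguments", "")).lower()
                verdict = "lnk-launches-script-host" if any(h in cmd for h in SUSPICIOUS_HOSTS) else "lnk-present"
                findings.append((name, verdict))
            elif lower.endswith((".js", ".vbs", ".ps1", ".hta", ".wsf")):
                findings.append((name, "script-file-in-resume-archive"))
    return findings


# Constructed sample: a harmless PDF stub plus a shortcut with a double extension, as the
# campaign's lure archives do; the shortcut's command line is deliberately benign.
SAMPLE_ARCHIVE = build_resume_zip({
    "Resume.pdf": b"%PDF-1.4 constructed placeholder",
    "Resume.pdf.lnk": build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c echo constructed"),
})

if __name__ == "__main__":
    for entry, verdict in triage_zip(SAMPLE_ARCHIVE):
        print(f"{verdict}: {entry}")
```

The parser stops at the string fields and skips the extra data blocks that follow, which is enough for a gateway verdict; a full investigation would also pull the ID list and tracker data (volume ID, machine name) from the same file, since those identify the attacker's build environment.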
Researchers have found another variation of this campaign that uses PowerShell and Visual Basic Script for infection. Given that More_eggs is sold as a service, it is difficult to establish the exact author of the attacks. However, the methods used in the attack may point to the FIN6 group.
This campaign once again highlights the growing threat of spear-phishing attacks on HR professionals. The use of fake resumes as a tool to penetrate corporate networks requires increased vigilance when working with files from unknown sources. Attackers are increasingly using a personalized approach, which makes such attacks more successful and difficult to recognize.
Source