Threat actors are sending out the stealthy “more_eggs” malware in spear phishing emails that target hiring managers, according to researchers at eSentire’s Threat Response Unit (TRU).
“A more_eggs malware campaign has appeared, just as it did last year during the Easter season,” the researchers write. “eSentire’s Threat Response Unit (TRU) security research team has discovered a phishing campaign where hackers are posing as job applicants and luring Corporate Hiring Managers into downloading what they believe are resumes from job applicants. However, the bogus resumes contain the more_eggs malware.”
eSentire notes that several major cybercriminal groups are using the more_eggs malware.
“More_eggs is a stealthy, lethal malware that has several components engineered to steal valuable credentials, such as usernames and passwords for corporate bank accounts, email accounts and IT administrator accounts, among others,” the researchers write. (Lethal, we note, is metaphorical and not literal. No one is actually being killed by more_eggs.) “Once accessed, the hackers exfiltrate data from the victim organization, spread to other computer hosts via TeamViewer, and encrypt files. The Golden Chickens group (aka Venom Spider) is believed to be the threat operators behind more_eggs. Interestingly, several top financial cybercrime groups, including the infamous FIN6 gang, Evilnum and the Cobalt Group have employed the more_eggs malware in their attack campaigns.”
Keegan Keplinger, research and reporting lead with eSentire’s TRU, said that the malware’s operators have improved their social engineering techniques.
“This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers,” Keplinger said. “The threat actors behind more_eggs use a scalable, spear phishing approach that weaponizes expected communications, such as resumes that match a hiring manager's expectations, or job offers targeting hopeful candidates that match their current or past job titles.”
Keplinger added that more_eggs is stealthy and difficult to detect once it gets a foothold on a computer.
“Anti-Virus (AV) is not enough to protect employees and home users from cyber threats,” Keplinger said. “Because malware like more_eggs takes the so-called fileless approach to evade AV, there is no malicious executable for AV to detect. Rather, more_eggs achieves execution by passing malicious code to legitimate Windows processes and letting those Windows processes do the work for them. We tend to see threat campaigns, involving the sophisticated and versatile more_eggs malware, just a few times a year compared to some other threats. In addition to the spear phishing component, this indicates to me that threat actors, using the more_eggs service, are selective and patient.”
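The point Keplinger makes is that when a signed Windows binary does the work, there is no attacker-supplied executable for a file scanner to flag, so detection has to come from process telemetry instead: which parent launched a script host, and where the script it was handed lives. The following Python example is added here to illustrate that shift; it is not code from eSentire, KnowBe4 or the report being quoted. The list of script hosts, the list of "lure" parent applications (document viewers, mail and archive tools that would open a resume) and the CSV event shape are all assumptions made for the example, and the log lines are constructed, not real telemetry.

```python
import csv
import io
import ntpath
import re
from dataclasses import dataclass

# Assumed set of legitimate Windows binaries that execute scripts or proxy
# code execution. This is a generic list for the example, not a list taken
# from the eSentire report.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "mshta.exe",
    "powershell.exe", "regsvr32.exe", "rundll32.exe",
}

# Assumed set of user-facing applications through which a "resume" lure
# would typically be opened (Office, PDF reader, mail client, archivers).
LURE_PARENTS = {
    "winword.exe", "excel.exe", "acrord32.exe",
    "outlook.exe", "7zfm.exe", "winrar.exe",
}

# Script files staged in a user-writable location (Downloads, %TEMP%).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.IGNORECASE
)

# Constructed process-creation events in a simple CSV shape (not real logs).
SAMPLE_LOG = r"""
timestamp,host,user,parent_image,image,command_line
2022-04-19T09:12:03Z,HR-WS01,hr.manager,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,WINWORD.EXE /n
2022-04-19T09:12:40Z,HR-WS01,hr.manager,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\splwow64.exe,splwow64.exe 12288
2022-04-19T09:14:11Z,HR-WS01,hr.manager,C:\Program Files\7-Zip\7zFM.exe,C:\Windows\System32\wscript.exe,wscript.exe //E:jscript C:\Users\hr.manager\Downloads\resume\Candidate_Resume.js
2022-04-19T09:14:15Z,HR-WS01,hr.manager,C:\Windows\explorer.exe,C:\Windows\System32\wscript.exe,wscript.exe C:\Users\hr.manager\AppData\Local\Temp\update.js
2022-04-19T09:15:02Z,HR-WS01,SYSTEM,C:\Windows\System32\services.exe,C:\Windows\System32\svchost.exe,svchost.exe -k netsvcs
2022-04-19T09:16:30Z,HR-WS01,it.admin,C:\Windows\System32\cmd.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -File C:\ProgramData\scripts\backup.ps1
"""


@dataclass
class Event:
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def parse_events(text: str) -> list[Event]:
    """Parse the CSV event feed into Event records."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [Event(**row) for row in reader]


def suspicious_reasons(ev: Event) -> list[str]:
    """Return the heuristic reasons an event looks like script-host abuse.

    The script host itself is a signed OS binary, so hashing or scanning
    it proves nothing; the signal is the parent/child pair and the
    argument path.  ntpath handles backslash paths on any OS.
    """
    image = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    reasons: list[str] = []
    if image not in SCRIPT_HOSTS:
        return reasons
    if parent in LURE_PARENTS:
        reasons.append(f"script host {image} spawned by {parent}")
    if USER_WRITABLE.search(ev.command_line):
        reasons.append(f"{image} handed a script from a user-writable directory")
    return reasons


def flag_events(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Keep only events that triggered at least one heuristic."""
    flagged = []
    for ev in events:
        reasons = suspicious_reasons(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in flag_events(parse_events(SAMPLE_LOG)):
        print(f"{ev.timestamp} {ev.host} {ev.user}: {ev.command_line}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the constructed feed, the two wscript.exe launches are flagged (the one spawned from the archive tool on both heuristics, the one spawned from explorer.exe only on the path heuristic) while the Office print helper, the service host and the administrator's PowerShell backup job pass. In production the parent and host lists would be tuned to the fleet, and explorer.exe as a parent would be handled with care because it launches almost everything a user double-clicks.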
New-school security awareness training can enable your employees to thwart targeted social engineering attacks.