The recruitment industry is once again in the crosshairs of cybercriminals, with a new spear-phishing campaign delivering the More_eggs JavaScript backdoor to unsuspecting victims. Disguised as job applicant resumes, this sophisticated campaign highlights the persistent vulnerability of recruiters to targeted attacks.
According to researchers from Trend Micro, "a sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection." The attack, observed in late August 2024, targeted a recruitment lead in the engineering sector and leveraged a fake job application to gain the trust of the victim.
More_eggs, sold as malware-as-a-service (MaaS), is attributed to the notorious Golden Chickens group, also known as Venom Spider. The malware is used by various e-crime organizations, including FIN6, Cobalt, and Evilnum, and has the capability to siphon sensitive information like credentials for online banking, email, and IT administration accounts.
This recent spear-phishing campaign involved sending a seemingly legitimate email that directed the victim to a URL where a supposed resume, "John Cboins.zip," was available for download. This ZIP file contained a Windows shortcut (LNK) file that, when double-clicked, unleashed a chain of commands that ultimately deployed the More_eggs backdoor.
Once activated, More_eggs first checks for administrative privileges and runs reconnaissance commands to gather information about the compromised system. It then connects to a command-and-control (C2) server to execute additional payloads, broadening the scope of the attack. Trend Micro also noted variations of the campaign that utilized PowerShell and Visual Basic Script components as part of the infection sequence.
Attributing attacks like these is complex due to the nature of malware-as-a-service, which allows different threat actors to use the same tools and infrastructure. Trend Micro suggested that the tactics and techniques observed in this attack may point towards FIN6, but such attribution remains uncertain.
"Phishing emails disguised as job applications are nothing new," said Max Gannon, Cyber Intelligence Team Manager at Cofense. "Over the years we have seen campaigns disguised as job applications delivering everything from STOP Ransomware to NanoCore RAT to Agent Tesla Keylogger, and of course Credential Phishing. These types of campaigns were particularly popular in 2022 but have been seen on and off since then."
Gannon pointed out that the unconventional formats of fake resumes often make these phishing attempts challenging for recruiters to identify. While the increasing use of AI and ML for processing resumes may mitigate this risk in 2024, recruiters and individuals outside the typical hiring process must still exercise caution. "Luckily, combating this is simple. Individuals should continue to practice the basic cyber hygiene step of not opening files or clicking links from unknown individuals," Gannon added.
The spear-phishing attack reported by Trend Micro comes on the heels of a separate disclosure by eSentire earlier this year, which detailed another More_eggs attack distributed through LinkedIn. In that case, attackers used an LNK file disguised as a resume, hosted on an attacker-controlled site, to initiate the infection. These methods reflect an evolution in phishing techniques that use personalized, sophisticated lures to target specific industries and individuals.
Moreover, the rise of more advanced malware protection measures has coincided with the development of obfuscation tools like PackXOR. Recently analyzed by French cybersecurity firm HarfangLab, PackXOR is a private packer used by the FIN7 cybercrime group to obscure its payloads, including the AvNeutralizer tool, XMRig cryptocurrency miner, and the r77 rootkit. HarfangLab's findings indicate that PackXOR may be used by other threat actors beyond FIN7, underscoring the shared nature of these sophisticated tools.
The targeting of recruiters with fake job applications reveals a consistent vulnerability within the talent acquisition sector, as attackers leverage the need for HR professionals to quickly evaluate a wide variety of file formats and content. As AI and ML integration into recruitment processes increases, experts remain hopeful that such risks will be mitigated. For now, however, simple vigilance remains the most effective defense against these types of targeted phishing attacks.