R3

Understanding the Threat of Fake Job Applications and the More_eggs Malware

The threat landscape keeps evolving, and one persistent threat is fake job applications that deliver the More_eggs malware. This blog post explores that threat in detail and offers practical guidance for IT leaders, cybersecurity professionals, and HR leaders who want to safeguard their organizations.

The Emergence of Malicious Job Applications

Cybercriminals are increasingly targeting the recruitment sector with fake job applications. These attacks are executed through a spear-phishing email campaign that tricks recruiters into downloading malicious files masquerading as resumes. Once the file is opened, it launches a JavaScript backdoor known as More_eggs, a sophisticated attempt by threat actors to compromise corporate networks.

Stephen Jones, VP of Cybersecurity at R3, emphasizes, “The URL in question, johncboins[.]com, contains a ‘Download CV’ button to entice the victim into downloading a ZIP archive file containing the LNK file. It’s worth noting that the attack chain reported by eSentire also includes an identical site with a similar button that directly downloads the LNK file. Anytime you see a ZIP of an LNK file, you should avoid it.”

Understanding More_eggs Malware

More_eggs is a malware-as-a-service (MaaS) tool sold on dark web marketplaces. It can steal credentials, including those for online banking, email, and IT administrator accounts. The malware is attributed to the Golden Chickens group, also known as Venom Spider, and has been used by various cybercrime groups, including FIN6, Cobalt, and Evilnum.

How the Attack Unfolds

The attack is launched via spear-phishing emails: highly targeted messages crafted to gain the trust of specific individuals within an organization. In this instance, the attackers targeted a talent search lead working in the engineering sector.

The unsuspecting recruitment officer downloaded a supposed resume archive named “John Cboins.zip” from a suspicious URL. The archive contains a Windows shortcut (LNK) file rather than a document. Opening the shortcut runs a series of obfuscated commands that drop the More_eggs backdoor through a launcher. The malware then conducts reconnaissance of the compromised host and connects to a command-and-control (C2) server to receive additional malicious payloads.

Variations and Challenges in Attribution

Trend Micro’s findings reveal that the attack chain differs slightly from earlier campaigns, incorporating PowerShell and Visual Basic Script (VBS) components into the infection process. Attributing these attacks is challenging because of the nature of MaaS, which lets adversaries outsource different components of an attack and makes it difficult to pin down specific threat actors. However, FIN6 is suspected to be behind this particular campaign, given the tactics, techniques, and procedures (TTPs) observed.

Implications for Cybersecurity

The implications of such attacks are profound, highlighting the need for heightened vigilance and robust cybersecurity measures. Cybersecurity teams must remain proactive in educating employees, especially those involved in recruitment processes, about the risks of phishing attacks and the tell-tale signs of malicious files.

Recommendations for IT Leaders and HR Departments

  1. Enhance Email Security: Implement advanced email filtering to detect and block phishing attempts before they reach employee inboxes, and quarantine archive attachments that contain Windows shortcut (.lnk) files, since a legitimate resume never arrives that way.
  2. Conduct Regular Training: Educate employees on recognizing phishing emails and the dangers of downloading files from unknown sources, with recruiters taught to treat a “Download CV” link that serves a ZIP or shortcut file as a red flag.
  3. Implement Endpoint Protection: Deploy endpoint detection and response (EDR) that alerts when a shortcut or archive member launches script interpreters such as PowerShell, wscript, or cmd.exe, and that flags unexpected outbound connections consistent with C2 traffic.
  4. Regularly Update Software and Systems: Ensure all systems are up to date with the latest security patches to minimize vulnerabilities.
  5. Conduct Penetration Testing: Regularly test your organization’s security posture through simulated attacks, including a phishing exercise that mimics a fake job application, to identify weaknesses.
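The attack chain above (a ZIP that hides a shortcut, which in turn runs obfuscated commands) and recommendations 1 and 3 both come down to one check: look inside archive attachments for shell link files and pull out the command line they would execute. The following Python script is an added example written for this post; it is not code from the original article, from R3, or from the reports it cites. It assumes the documented MS-SHLLINK layout (fixed 76-byte header, optional ID list and LinkInfo blocks, then StringData fields in a fixed order), and the sample archive, shortcut, and the list of script hosts it flags are constructed for illustration.

```python
import io
import re
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
# A shell link begins with HeaderSize 0x4C and LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (  # StringData order is fixed by the format
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
# Script hosts and living-off-the-land binaries a resume has no reason to launch (illustrative list).
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin)\b", re.I)
MAX_MEMBER_SIZE = 1_000_000  # a shortcut is a few KB; never inflate huge archive members

def is_lnk(data: bytes) -> bool:
    """Identify a shell link by its header, not by name: Explorer hides the .lnk extension."""
    return data.startswith(LNK_MAGIC)

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping the ID list and LinkInfo blocks."""
    if not is_lnk(data):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize counts itself
    width, encoding = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(encoding, errors="replace")
            pos += count * width
    return fields

def scan_zip(zip_bytes: bytes) -> list:
    """One finding per archive member that is really a shell link, whatever it is named."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                continue
            data = zf.read(info)
            if not is_lnk(data):
                continue
            strings = parse_lnk_strings(data)
            target = strings.get("relative_path", "")
            args = strings.get("arguments", "")
            findings.append({
                "member": info.filename,
                "relative_path": target,
                "arguments": args,
                "launches_script_host": bool(SCRIPT_HOSTS.search(target + " " + args)),
            })
    return findings

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode shell link with only RelativePath and Arguments set."""
    header = bytearray(LNK_HEADER_SIZE)
    header[:len(LNK_MAGIC)] = LNK_MAGIC
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    struct.pack_into("<I", header, 0x3C, 7)  # ShowCommand SW_SHOWMINNOACTIVE: minimised window
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return bytes(header) + body

def build_sample_zip() -> bytes:
    """Constructed 'resume' archive: a harmless text file plus a shortcut posing as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover_letter.txt", "Please find my resume attached.")
        zf.writestr("John Doe Resume.pdf.lnk", build_sample_lnk(
            r"..\..\..\Windows\System32\cmd.exe",
            '/c powershell -w hidden -c "iex (Get-Content resume.txt)"'))
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(hit)
```

Two design choices matter here. Detection keys on the shell link header rather than the file name, because a member called `Resume.pdf.lnk` is shown by Explorer as `Resume.pdf`; and the extracted command line is what you feed to a mail gateway rule or an EDR hunt, since a resume that launches PowerShell, wscript, or cmd.exe is the tell-tale sign described above. Run the script on a real attachment by replacing `build_sample_zip()` with the archive's bytes.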

Conclusion

The threat posed by fake job applications delivering the More_eggs malware underscores the importance of a comprehensive cybersecurity strategy that involves both technological solutions and employee awareness. By taking proactive steps to secure their networks, IT leaders, cybersecurity professionals, and HR departments can better protect their organizations from this and other emerging threats. Stay informed and vigilant—your first line of defense in the evolving landscape of cyber threats.
