Cybersecurity researchers have identified a new type of phishing attack that spreads the More_eggs malware by masquerading as resumes. This technique was first discovered over two years ago.
Last week, Canadian cybersecurity firm eSentire disclosed an attempted attack targeting a company in the industrial services sector. Specifically, the attackers pretended to be job seekers, tricking recruiters into downloading a malicious loader.
More_eggs is believed to be developed by the threat actor group Golden Chickens, also known as Venom Spider. This modular backdoor can collect sensitive information and is offered as Malware-as-a-Service (MaaS) to other criminals.
Last year, eSentire revealed two individuals, allegedly based in Montreal, named Chuck and Jack, who are responsible for operating this campaign. In the latest attack chain, malicious actors used fake resume download links in LinkedIn job postings to lure victims into downloading a malicious Windows shortcut file (LNK).
Notably, previous More_eggs campaigns also exploited LinkedIn job opportunities to deceive professionals into downloading malware. eSentire noted that revisiting the same URL a few days later would only display a plain HTML resume, without any redirection or download indications.
The attackers leveraged the legitimate Microsoft program ie4uinit.exe to retrieve a malicious DLL via the LNK file, then used regsvr32.exe to execute the library. This established persistence, collected data from the infected host, and delivered other payloads, including the JavaScript-based More_eggs backdoor.
eSentire states that More_eggs operations remain active, with operators continuing to use social engineering tactics, such as posing as job seekers, to trick recruiters into downloading malware. Compared to typical malicious spam distribution networks, these MaaS campaigns are relatively sparse and selective.
Additionally, eSentire disclosed an incident where the fake KMSPico Windows activation tool website distributed Vidar Stealer. The kmspico[.]ws site is hosted behind Cloudflare Turnstile and requires manual CAPTCHA entry to download the final ZIP package, a step uncommon in legitimate application download pages, designed to obscure the page and final payload.
Trustwave SpiderLabs reported last week that similar social engineering campaigns have established websites mimicking legitimate software like Advanced IP Scanner to deploy Cobalt Strike. Previously, a new phishing toolkit called V3B was found targeting EU bank customers, stealing credentials and one-time passwords (OTP).
Reportedly active since March 2023, the V3B toolkit is offered as Phishing-as-a-Service (PhaaS) on the dark web and private Telegram channels, with monthly fees ranging from $130 to $450. It supports over 54 banks in Austria, Belgium, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, and the Netherlands.
V3B’s key features include customized and localized templates that mimic authentication and verification processes in regional online banking and e-commerce systems. It also has advanced capabilities to interact with victims in real-time, obtain OTP and PhotoTAN codes, and conduct QR code login hijacking (QRLJacking) attacks on services allowing QR code login, such as WhatsApp.
Resecurity reports they have developed a tool targeting the European financial institution customer base. Currently, it is estimated that hundreds of cybercriminals use this tool for fraud, leading to victims’ bank accounts being emptied.