A new set of phishing attacks delivering the more_eggs malware has been observed striking corporate hiring managers with bogus resumes as an infection vector, a year after potential candidates looking for work on LinkedIn were lured with weaponized job offers.
“This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers,” eSentire’s research and reporting lead, Keegan Keplinger, said in a statement.
The Canadian cybersecurity firm claimed it discovered and stopped four security incidents. Three of them occurred in March. Targeted entities include a U.S.-based aerospace company, an accounting business located in the U.K., a law firm, and a staffing agency, both based out of Canada.
The malware, suspected to be the handiwork of a threat actor called Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing valuable information and conducting lateral movement across the compromised network.
“More_eggs achieves execution by passing malicious code to legitimate windows processes and letting those windows processes do the work for them,” Keplinger said. It is intended to use the resumes to disguise the malware launch and avoid detection.
The role reversal in the modus operandi aside, it’s unclear what the attackers were after in light of the fact that the intrusions were stopped before they could bring their plans to fruition. It’s important to note that additional eggs, once they were deployed, could have been used as a jump off point for other attacks like ransomware and information theft.
” The threat actors behind more_eggs employ a scalable and spear-phishing strategy that weapons expected communications such as resumes that match job offers or hiring managers’ expectations, targeting candidates who match past or current job titles.” Keplinger stated.