A cybercrime gang is targeting hiring managers and recruiters in a new campaign to spread the “more_eggs” backdoor malware.
Emails from supposed job seekers are luring victims to malicious “resume” downloads using sophisticated social engineering and infrastructure, Proofpoint said in a security briefing Tuesday.
The briefing outlines the evolving tactics of the threat actor tracked as TA4557, which Proofpoint researchers have been monitoring since 2018.
Spear phishing strategy convinces recruiters to stray from safety
Secure email gateways are one of the most common endpoint security measures used by organizations; new methods by TA4557 seek to bypass these measures and lure job recruiters to attacker-controlled websites.
“The social engineering is very compelling leading up to the download of the file from the resume website,” Proofpoint Senior Threat Analyst Selena Larson told SC Media.
The attacks, which Proofpoint first detected in October 2023, begin with an email inquiring about an open position. With no links or attachments, the seemingly benign email gets the foot in the door to start building trust.
If the victim responds, the attack chain continues with the supposed job candidate inviting the hiring manager or recruiter to download a resume from their “personal website.”
Unlike classic job scams targeting job seekers themselves, there is no need to impersonate an established business through methods like typosquatting. Additionally, researchers began seeing in early November that attackers avoided sending links altogether by directing their victims to “refer to the domain name of my email address to access my portfolio.”
Requiring the victim to copy and paste the malicious domain name increases the likelihood the emails will make it past secure email gateways. Plus, with unassuming domain names like “wlynch[.]com” for a candidate named William Lynch and “annetterawlings[.]com” for a candidate named Annette Rawlings, the emails are less likely to raise alarm bells than those from free email providers like Gmail or Yahoo.
The attacker-controlled “candidate” websites were found to apply filters based on details like the victim’s IP address to determine whether to move them onto the next stage of the attack, according to Larson.
Users who did not “pass” the checks would be sent to a page containing a plain text resume, while those who “passed” were directed to a page where they could download a ZIP file after completing a CAPTCHA prompt.
“CAPTCHAs are typically used by threat actors to ensure a real person is receiving the content and not automated threat detection like sandboxes,” Larson explained.
The downloaded ZIP file contains a LNK file disguised as the candidate’s resume that, when executed, kicks off installation of the more_eggs backdoor.
‘Fileless’ more_eggs opens systems to further attack
The malware used by TA4557 hijacks the functions of legitimate software to establish a backdoor and gain more information about the victim’s system.
Once the disguised LNK file is executed, the Microsoft utility program ie4uinit.exe is used to download and execute a scriptlet from the ie4uinit.inf file, which decrypts and deposits a dynamic-link library (DLL) at %APPDATA%\Microsoft, the researchers wrote.
Next, the malware attempts to execute the DLL by creating a new regsvr32 process through Windows Management Instrumentation (WMI), or through ActiveX Object Run if the WMI method fails.
The DLL uses a loop to retrieve the RC4 key needed to decrypt the more_eggs backdoor and attempts to evade sandbox environments by purposely extending its execution time, according to the researchers. It also utilizes the NtQueryInformationProcess function to constantly check whether it is being debugged.
At the end of the process, the DLL drops the more_eggs backdoor alongside another legitimate utility program, msxsl.exe, and uses WMI to initiate the creation of an MSXSL process before deleting itself.
Once successfully installed, more_eggs can be used to facilitate a range of further attacks by collecting information about the victim’s machine and acting as a downloader for additional malware payloads.
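A defender-side heuristic for the execution chain described above, added here as an example and not code from Proofpoint or eSentire: it scans constructed Sysmon-style process-creation records for ie4uinit.exe started from a user-writable directory, regsvr32.exe spawned by WMI (parent WmiPrvSE.exe) loading a DLL under %APPDATA%\Microsoft, and msxsl.exe started via WMI or from a user path. The field names, the directory heuristics, the -BaseSettings switch in the sample and every path are assumptions, not indicators from the briefing.

```python
import re

# Directories a standard user can write to; an assumed heuristic, not from the page.
USER_WRITABLE = re.compile(r"\\(AppData|Downloads|Temp)(\\|$)", re.I)
# DLL path under %APPDATA%\Microsoft, the drop location named in the briefing.
APPDATA_MS_DLL = re.compile(r"AppData\\Roaming\\Microsoft\\[^\s\"]+\.dll", re.I)


def classify(ev: dict) -> list:
    """Return the chain stages (rule names) one process-creation record matches."""
    img = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    cwd = ev.get("CurrentDirectory", "")
    hits = []
    # Stage 1: ie4uinit.exe run from a user-writable directory, where the LNK-launched
    # chain can supply its own ie4uinit.inf scriptlet (heuristic, assumed).
    if img.endswith("\\ie4uinit.exe") and (USER_WRITABLE.search(cwd) or USER_WRITABLE.search(cmd)):
        hits.append("ie4uinit_user_writable_inf")
    # Stage 2: regsvr32.exe created through WMI (parent WmiPrvSE.exe) and pointed at a
    # DLL under %APPDATA%\Microsoft.
    if img.endswith("\\regsvr32.exe") and parent.endswith("\\wmiprvse.exe") and APPDATA_MS_DLL.search(cmd):
        hits.append("wmi_regsvr32_appdata_dll")
    # Stage 3: msxsl.exe started via WMI or from a user-writable path (dropped beside the backdoor).
    if img.endswith("\\msxsl.exe") and (parent.endswith("\\wmiprvse.exe") or USER_WRITABLE.search(img)):
        hits.append("wmi_or_userdir_msxsl")
    return hits


def scan(events) -> dict:
    """Map ProcessId -> matched stages for every record that trips at least one rule."""
    return {ev["ProcessId"]: hits for ev in events if (hits := classify(ev))}


# Constructed sample telemetry in Sysmon Event ID 1 style; all paths are invented.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "CurrentDirectory": r"C:\Users\hr\Documents"},
    {"ProcessId": 4212, "Image": r"C:\Windows\System32\ie4uinit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ie4uinit.exe -BaseSettings", "CurrentDirectory": r"C:\Users\hr\Downloads\resume"},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\hr\AppData\Roaming\Microsoft\example.dll"', "CurrentDirectory": r"C:\Windows\System32"},
    {"ProcessId": 4356, "Image": r"C:\Users\hr\AppData\Roaming\Microsoft\msxsl.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "msxsl.exe", "CurrentDirectory": r"C:\Users\hr\AppData\Roaming\Microsoft"},
]

if __name__ == "__main__":
    for pid, stages in scan(SAMPLE_EVENTS).items():
        print(pid, stages)
```

Correlating the three stages on one host within a short window, rather than alerting on each in isolation, keeps the benign uses of ie4uinit.exe and regsvr32.exe from flooding the queue.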
“Because malware like more_eggs takes the so-called fileless approach to evade AV [anti-virus], there is no malicious executable for AV to detect,” said Keegan Keplinger, research and reporting lead with eSentire’s Threat Response Unit (TRU), after the TRU uncovered a similar more_eggs campaign last year.
MaaS tied to Russian cyber gangs
More_eggs, which is also known as Golden Chickens, is a malware-as-a-service (MaaS) offering known as the “cyber weapon of choice” by the Russia-based FIN6 and Cobalt Group cyber gangs, according to eSentire. eSentire uncovered the identity of the malware provider, a Romanian man known as VENOM SPIDER, earlier this year.
The malware has been seen in email campaigns targeting Russian businesses as early as 2017, according to Trend Micro. Distribution of more_eggs was also observed in campaigns targeting job seekers with phony job offers in 2019.
Proofpoint has seen TA4557 submit applications containing malicious links through job sites before, with the direct email spear phishing campaign being the group’s latest move. Pinning down the exact identity of TA4557 is tricky, as its activity overlaps with that of other groups using more_eggs, namely FIN6, Cobalt Group and Evilnum.
“TA4557 is notably different from other priority threat actors tracked by Proofpoint due to the unique tool and malware usage, campaign targeting, use of job candidate-themed lures, sophisticated evasive measures employed to prevent detection, distinct attack chains, and the actor-controlled infrastructure,” the Proofpoint researchers wrote.