Wednesday, May 22, 2024

Hackers Sending Poisoned Resumes to Steal Credentials and Bank Details

More_eggs is a backdoor built to steal high-value credentials: usernames and passwords for corporate bank accounts, email accounts, and IT administrator accounts.

In April 2021, threat actors ran a spear-phishing campaign that delivered more_eggs to job-hunting professionals on LinkedIn. The lure was a malicious .zip file named after the victim's current job title.

For example, if the victim's current title was "Account Manager", the archive was named "Account Manager Position". Opening the fake offer inside it starts the more_eggs infection chain.

The threat actors have now reversed the lure. Instead of sending fake job offers to candidates, they are sending the malware to organizations disguised as resumes from job applicants.

Recruiters routinely download resumes to evaluate applicants, which is exactly what the attackers count on: the "resume" carries the more_eggs loader, and it runs as soon as the recruiter opens the downloaded file.

eSentire's security research team, the Threat Response Unit (TRU), has also discovered and shut down four other incidents; three of the four were found at the end of March.

The organizations that were targeted include a U.S.-based aerospace/defense company, a large UK-based CPA firm, an international business law firm based out of Canada, and a Canadian national staffing agency.

This malware has already been used in several campaigns by other threat actors, including the FIN6 gang, Evilnum, and the Cobalt Group. After infecting a system, operators have moved across the network by abusing TeamViewer and, in some cases, gone on to encrypt files.

The connection between FIN6, Evilnum, Cobalt, and More_Eggs

FIN6 is a cybercrime group that specializes in stealing payment card data and selling it on the dark web and other underground markets. In 2014 it gained notoriety for attacks on POS (point-of-sale) systems at retail outlets and hospitality companies.

Later they targeted e-Commerce companies and stole credit card data via online skimming.

At the end of 2018, FIN6 attacked the payment servers of e-commerce companies using malicious documents with more_eggs embedded.

The methodology is also similar: FIN6 targeted employees of the victim organization through their LinkedIn profiles and lured them with fake job offers.

Evilnum is known for compromising fintech companies, particularly those providing stock-trading platforms and tools, with more_eggs. The group targeted both the financial technology companies and their customers.

Specifically, they went after spreadsheets and documents holding customer lists, investment and trading operations, and the credentials tied to them.

Cobalt Group is also known for using more_eggs as a backdoor against financial companies.

More_Eggs Components

More_eggs is a sophisticated, modular malware. Its components include:

  • VenomLNK – A poisoned Windows shortcut (.lnk) file. Windows runs the command line stored in a shortcut when it is opened, so this file launches TerraLoader by tricking the user into opening what looks like a document.
  • TerraLoader – The loader started by VenomLNK; it retrieves and runs the other modules.
  • TerraPreter – Provides a Meterpreter shell.
  • TerraStealer – Exfiltrates sensitive data.
  • TerraTV – Hijacks TeamViewer for lateral movement.
  • TerraCrypt – Ransomware plugin for the PureLocker ransomware (also known as CR1).

eSentire has published complete documentation of this malware.
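A detection angle on the VenomLNK stage, as an added example that is not from this page or from eSentire: a Python scanner that opens a candidate's ZIP, finds any shortcut (.lnk) posing as a document, walks the MS-SHLLINK header to recover the command line the shortcut would run, and flags script hosts and other LOLBins. The sample archive, its "resume.pdf.lnk" member and the command line it carries are constructed for the demo and are not a real more_eggs sample; the function names are this example's own.

```python
import io
import re
import struct
import zipfile

# LinkFlags bits (MS-SHLLINK ShellLinkHeader), in bit order, needed to walk the file layout.
(HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH,
 HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = (1 << i for i in range(8))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
# Hosts a shortcut posing as a document has no business launching.
SUSPICIOUS_HOSTS = re.compile(
    r"\b(wscript|cscript|cmd|powershell|pwsh|mshta|regsvr32|rundll32|msiexec|certutil)(\.exe)?\b",
    re.IGNORECASE,
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (name, relative_path, working_dir, arguments, icon)."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon")):   # StringData appears in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def scan_resume_zip(zip_bytes: bytes) -> list:
    """Return (member, reason, command) for every .lnk found in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if not lower.endswith(".lnk"):
                continue
            reason = "shortcut inside a resume archive"
            if re.search(r"\.(pdf|docx?|rtf|txt)\.lnk$", lower):   # e.g. resume.pdf.lnk
                reason = "shortcut disguised with a document double extension"
            try:
                f = parse_lnk(zf.read(info))
            except ValueError as exc:
                findings.append((info.filename, f"unparseable .lnk ({exc})", ""))
                continue
            command = " ".join(v for v in (f.get("relative_path", ""), f.get("arguments", "")) if v)
            if SUSPICIOUS_HOSTS.search(command):
                reason += "; launches a script/LOLBin host"
            findings.append((info.filename, reason, command))
    return findings


def build_lnk(relative_path: str, arguments: str, icon: str) -> bytes:
    """Construct a minimal Unicode .lnk carrying only StringData (a test fixture, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)   # ShowCommand 7 = minimised window
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon))
    return header + body


def build_sample_resume_zip() -> bytes:
    """Constructed lure mimicking the 'Account Manager Position' naming; the command line is hypothetical."""
    lnk = build_lnk(
        r"..\..\..\Windows\System32\cmd.exe",
        '/c start "" wscript //e:jscript "%TEMP%\\update.txt"',
        r"%SystemRoot%\system32\SHELL32.dll",   # icon source; real lures pick a document icon
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Account Manager Position/resume.pdf.lnk", lnk)
        zf.writestr("Account Manager Position/cover letter.txt", "Please find my resume attached.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason, command in scan_resume_zip(build_sample_resume_zip()):
        print(f"{member}: {reason}\n    would run: {command}")
```

To use it on a real attachment, pass the downloaded bytes to scan_resume_zip(); parse_lnk() works on a loose .lnk file too. Two caveats: the parser only skips the optional LinkTargetIDList and LinkInfo blocks, so a shortcut that stores its target solely in the ID list (no RELATIVE_PATH string) yields an empty command and must be judged on the extension alone, which the scanner already does; and a .lnk is only one container these lures have used, so this check complements mail-gateway attachment policy rather than replacing it.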

Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
