Friday, March 29, 2024

Hackers Sending Poisoned Resumes to Steal Credentials and Bank Details

More_eggs is malware designed to steal high-value credentials such as usernames and passwords for corporate bank accounts, email accounts, and IT administrator accounts.

In April 2021, threat actors ran a spearphishing campaign with more_eggs malware that targeted job-hunting professionals on LinkedIn. They sent malicious .zip files named after the victim's current job title.

For example, if the victim's current job title was "Account Manager", the zip file was named "Account Manager Position". Once the victim opened the fake offer, it initiated the installation of the more_eggs malware.

Threat actors have now reversed the lure. Instead of targeting job seekers, they target organizations by sending the malware disguised as resumes from job applicants.

Recruiters routinely download resumes to learn about applicants. These resumes carry the embedded more_eggs malware, which executes when the recruiter downloads and opens the file.

eSentire's security research team, the Threat Response Unit (TRU), has also discovered four other security incidents and shut them down. Three of the four were discovered at the end of March.

The organizations that were targeted include a U.S.-based aerospace/defense company, a large UK-based CPA firm, an international business law firm based out of Canada, and a Canadian national staffing agency.

This malware has already been used in several attack campaigns by other threat actors, including the FIN6 gang, Evilnum, and the Cobalt group. After infecting a system, they move laterally across the network using TeamViewer and encrypt files.

The connection between FIN6, Evilnum, Cobalt, and More_Eggs

FIN6 is a cybercrime group that specializes in stealing payment card details and selling them on the dark web and other underground markets. In 2014, they gained notoriety for attacks against POS (point-of-sale) machines at retail outlets and hospitality businesses.

Later they targeted e-Commerce companies and stole credit card data via online skimming.

At the end of 2018, FIN6 attacked the payment servers of e-commerce companies using malicious documents with more_eggs malware embedded.

Their methodology shows clear similarities to the current campaign: FIN6 targeted employees of an organization through their LinkedIn profiles and lured them with fake job offers.

Evilnum is known for compromising fintech companies, including providers of stock trading platforms and tools, with more_eggs malware. This group targeted financial technology companies and their customers.

Specifically, they targeted items such as spreadsheets, documents with customer lists, investment and trading operations, and credentials relating to that. 

Cobalt Group is also known for using more_eggs malware as a backdoor to go after financial companies.

More_Eggs Internetworking

More_eggs is a sophisticated malware with many components, including:

  • VenomLNK – A poisoned LNK (Windows shortcut) file. Windows uses LNK files to automate program execution; this one launches TerraLoader after tricking the user into opening what appears to be a document.
  • TerraLoader – Loads the other modules delivered via VenomLNK
  • Terrapreter – Provides a Meterpreter shell
  • TerraStealer – Exfiltrates sensitive data
  • TerraTV – Hijacks TeamViewer for lateral movement
  • TerraCrypt – Ransomware plugin for PureLocker ransomware (CR1 ransomware)
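The delivery chain described above (a .zip lure named after a job title, containing a VenomLNK shortcut that starts the loader) is something a mail gateway or a recruiter's intake tooling can screen for before anyone double-clicks. The following is an added detection example, not code from the article or from eSentire's research; the archive it inspects is constructed inline, and the entry names are assumed for illustration. It flags archive members that carry a .lnk extension, hide a script or shortcut behind a double extension, or begin with the Shell Link header (HeaderSize 0x4C followed by the ShellLink CLSID), so a shortcut renamed to look like a PDF is still caught.

```python
import io
import zipfile

# Shell Link (.LNK) header: HeaderSize = 0x0000004C, then the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian GUID) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions that should never arrive inside a "resume" archive.
EXECUTABLE_EXTENSIONS = {"lnk", "js", "jse", "vbs", "wsf", "exe", "scr", "hta"}


def is_lnk(data: bytes) -> bool:
    """True if the first 20 bytes match the Shell Link header magic."""
    return data[:20] == LNK_MAGIC


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return (member_name, reasons) for every archive member that looks like a lure.

    Checks are by name (extension, double extension) and by content (LNK header),
    so a shortcut renamed to 'resume.pdf' is still reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            basename = name.rsplit("/", 1)[-1].lower()
            parts = basename.split(".")
            reasons = []
            if parts[-1] == "lnk":
                reasons.append("lnk extension")
            # "something.pdf.lnk": more than one extension and the last one executes.
            if len(parts) > 2 and parts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension")
            with zf.open(info) as member:
                head = member.read(20)
            if is_lnk(head):
                reasons.append("LNK header magic")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure layout; member names are assumed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Harmless decoy document (a stub, not a real PDF).
        zf.writestr("Account Manager Position/cover_letter.pdf", b"%PDF-1.4 constructed harmless stub")
        # Shortcut posing as a PDF: valid LNK header padded to a minimal 76-byte header.
        zf.writestr("Account Manager Position/Account Manager Position.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # Shortcut renamed with a plain .pdf extension: only the content check catches it.
        zf.writestr("Account Manager Position/resume.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_entries(build_sample_zip()):
        print(f"{member}: {', '.join(reasons)}")
```

The content check matters more than the name checks: Windows hides known extensions by default, and the header bytes are what the shell actually honours, so a member that passes the extension filter but starts with the Shell Link header should still be quarantined.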

Complete documentation of this malware has been published by eSentire.

Gurubaran (https://gbhackers.com)

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
