Hackers Sending Poisoned Resumes to Steal Credentials and Bank Details

More_eggs is malware that is specially designed to steal valuable credentials like usernames and passwords for corporate bank accounts, email accounts, and IT admin accounts.

In April 2021, threat actors ran a spearphishing campaign with the more_eggs malware that targeted job-hunting professionals on LinkedIn. They sent malicious .zip files named after the victim's current job title.

For example, if the victim's current job title is "Account Manager", the zip file is named "Account Manager Position". Once the victim opens the fake offer, the installation of the more_eggs malware begins.

The threat actors have now reversed their targeting. This time they are going after organizations by sending the malware disguised as resumes from job applicants.

Recruiters routinely download resumes to learn about applicants. In this campaign the "resume" carries the more_eggs malware, which is executed when the recruiter downloads and opens it.

eSentire's security research team, the Threat Response Unit (TRU), has also discovered and shut down four other security incidents involving this malware. Three of the four were discovered at the end of March.

The organizations that were targeted include a U.S.-based aerospace/defense company, a large UK-based CPA firm, an international business law firm based out of Canada, and a Canadian national staffing agency.

This malware has already been used in several attack campaigns by other threat actors, including the FIN6 gang, Evilnum, and the Cobalt Group. Once a system is infected, the operators can move laterally across the network via TeamViewer and can encrypt files.

The connection between FIN6, Evilnum, Cobalt, and More_Eggs

FIN6 is a cybercrime group that specializes in stealing payment card details and selling them on the dark web and other underground markets. In 2014, they became known for their attacks against POS (Point-of-Sale) systems at retail outlets and hospitality businesses.

Later they targeted e-commerce companies and stole credit card data through online skimming.

At the end of 2018, FIN6 attacked the payment servers of e-commerce companies using malicious documents with the more_eggs malware embedded.

The similarity in methodology is clear: FIN6 also targeted employees of an organization through their LinkedIn profiles and lured them with fake job offers.

Evilnum is known for compromising fintech companies, particularly those providing stock trading platforms and tools, with the more_eggs malware. The group targeted both the financial technology companies and their customers.

Specifically, they went after spreadsheets, documents containing customer lists, investment and trading operations, and the credentials relating to them.

The Cobalt Group is also known for using the more_eggs malware as a backdoor to go after financial companies.

How More_Eggs Works

More_eggs is a sophisticated, modular malware. Its components include:

  • VenomLNK – A poisoned LNK (Windows shortcut) file. Windows uses LNK files to launch programs; this one tricks the user into thinking they are opening a document while it actually executes TerraLoader.
  • TerraLoader – The loader launched by VenomLNK; it fetches and runs the other modules.
  • Terrapreter – Provides a Meterpreter shell
  • TerraStealer – Exfiltrates sensitive data
  • TerraTV – Hijacks TeamViewer for lateral movement
  • TerraCrypt – Ransomware plugin used by PureLocker ransomware (CR1 ransomware)

A complete documentation of this malware is published by eSentire.
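Because both the job-offer and the resume variants of this chain start with a shortcut posing as a document, the most useful check a defender can run on such an attachment is a static look at what the .lnk actually launches. The following Python script is an added example, not code from this page or from eSentire. It parses the Shell Link header and StringData fields (relative path, working directory, arguments) as laid out in the MS-SHLLINK specification, skips the IDList and LinkInfo blocks by their declared sizes, and flags shortcuts that point at a script host or carry download-and-execute style arguments. The two sample shortcuts are constructed inside the script and only imitate the shape of a poisoned resume shortcut; they are not the real VenomLNK artefacts, and the list of script hosts and argument patterns is an assumption chosen for illustration.

```python
"""Static triage of Windows .lnk files for VenomLNK-style poisoned shortcuts.

Parses the Shell Link header and StringData (MS-SHLLINK) and flags shortcuts
whose target is a script host / LOLBin or whose arguments look like a
download-and-execute one-liner.  Sample .lnk bytes are constructed inline.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# Assumed detection lists: executables a "document" shortcut should never point at,
# and argument fragments typical of script-host / download-and-run one-liners.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "iex", "downloadstring", "/c ",
                   "//e:", "javascript:", "vbscript:", "%temp%", "%appdata%")


def _string_data(s):
    """Encode one StringData item: CountCharacters (uint16) followed by UTF-16LE text."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments="", working_dir=""):
    """Build a minimal Unicode .lnk with no IDList/LinkInfo (used only to construct samples)."""
    flags = IS_UNICODE | HAS_RELPATH
    flags |= HAS_WORKDIR if working_dir else 0
    flags |= HAS_ARGS if arguments else 0
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20,       # FileAttributes = FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,    # Creation / Access / Write FILETIME
                         0, 0,       # FileSize, IconIndex
                         1,          # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1..3
    # StringData order is fixed: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON
    body = _string_data(relative_path)
    if working_dir:
        body += _string_data(working_dir)
    if arguments:
        body += _string_data(arguments)
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict; raises ValueError on non-LNK input."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or CLSID)")
    off = HEADER_SIZE
    if flags & HAS_IDLIST:                      # IDListSize (uint16) + IDList
        (n,) = struct.unpack_from("<H", data, off)
        off += 2 + n
    if flags & HAS_LINKINFO:                    # LinkInfoSize (uint32) includes itself
        (n,) = struct.unpack_from("<I", data, off)
        off += n
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                       (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                       (HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + count * 2].decode("utf-16-le")
            off += count * 2
        else:  # ANSI strings: assume the Western code page for this example
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def triage_lnk(data):
    """Classify a .lnk as suspicious if it launches a script host or carries risky arguments."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "")
    exe = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = fields.get("arguments", "")
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"target is a script host / LOLBin: {exe}")
    for pat in SUSPICIOUS_ARGS:
        if pat in args.lower():
            reasons.append(f"suspicious argument pattern: {pat.strip()!r}")
    if len(args) > 200:
        reasons.append(f"unusually long arguments ({len(args)} chars)")
    return {"target": target, "arguments": args,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not real VenomLNK artefacts). The poisoned one only imitates
# the pattern: a "document" shortcut that is really cmd.exe starting a script host.
BENIGN_LNK = build_lnk(r"..\..\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                       arguments="Resume.docx")
POISONED_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
                         arguments=r'/c start /min wscript.exe //e:jscript "%temp%\Account Manager Position.txt"',
                         working_dir=r"C:\Windows\System32")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("poisoned", POISONED_LNK)):
        verdict = triage_lnk(blob)
        print(f"{label}: suspicious={verdict['suspicious']} target={verdict['target']}")
        for reason in verdict["reasons"]:
            print("   -", reason)
```

Two caveats for using this on real samples: production shortcuts usually carry the target in the LinkInfo or IDList blocks rather than RELATIVE_PATH, so a full parser (or a library such as LECmd or pylnk) should resolve those too, and the argument field can be padded with whitespace to push the real command past what Explorer's properties dialog shows, which is why the length check is worth keeping.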


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
