A year after job seekers on LinkedIn were lured with weaponized job offers, a new series of phishing attacks carrying the more eggs malware has been detected targeting corporate hiring managers, with fake resumes as the infection vector. The phishing lures use malicious ZIP archive files named after the victims’ job titles, taken from their LinkedIn profiles, to boost their chances of success.

“For example, if the LinkedIn member’s job title is Senior Account Executive—International Freight, the malicious zip file will be titled Senior Account Executive—International Freight position (note the ‘position’ added at the end),” according to an analysis by cybersecurity firm eSentire’s Threat Response Unit (TRU). “The victim unknowingly launches the stealthy installation of the fileless backdoor, more eggs, by opening the false job offer.”
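The naming pattern in that quote can be checked at a mail gateway. The sketch below is an added example, not code from eSentire or from the original article: it flags ZIP attachments whose name is the recipient's own job title followed by "position". The directory mapping, message structure and function names are assumptions, and the sample data is constructed.

```python
import re
import unicodedata

LURE_SUFFIX = "position"  # word appended to the job title, per the quoted analysis

def normalize(text):
    """Case-fold and collapse dashes, underscores and punctuation to single spaces."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(re.sub(r"[\W_]+", " ", text).split())

def is_title_lure(filename, job_title):
    """True when a ZIP attachment is named '<recipient job title> position'."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() != "zip":
        return False
    title = normalize(job_title)
    return bool(title) and normalize(stem) == f"{title} {LURE_SUFFIX}"

def flag_messages(messages, directory):
    """Return (recipient, attachment) pairs that match the lure naming pattern."""
    hits = []
    for msg in messages:
        title = directory.get(msg["to"].lower())
        if not title:
            continue  # no known job title for this recipient
        for name in msg["attachments"]:
            if is_title_lure(name, title):
                hits.append((msg["to"], name))
    return hits

# Constructed sample data (hypothetical directory export and gateway log).
DIRECTORY = {
    "a.freight@example.com": "Senior Account Executive\u2014International Freight",
    "b.recruit@example.com": "Talent Acquisition Manager",
}
MESSAGES = [
    {"to": "a.freight@example.com",
     "attachments": ["Senior Account Executive - International Freight position.zip"]},
    {"to": "b.recruit@example.com",
     "attachments": ["resume_jane_doe.pdf", "Senior Account Executive position.zip"]},
    {"to": "b.recruit@example.com",
     "attachments": ["talent_acquisition_manager_POSITION.ZIP"]},
]

if __name__ == "__main__":
    for recipient, attachment in flag_messages(MESSAGES, DIRECTORY):
        print(f"review: {recipient} received {attachment!r}")
```

A match is a triage signal only; it says nothing about what the archive contains.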

“This year, the more eggs operation has inverted the social engineering script, targeting hiring managers with phoney resumes instead of jobseekers with fake job offers,” said Keegan Keplinger, eSentire’s research and reporting lead.

Four separate security incidents were identified and disrupted, according to the Canadian cybersecurity firm, three of which happened towards the end of March. The targets include a U.S.-based aerospace company, a U.K.-based accounting firm, and a legal firm and a hiring agency, both based in Canada.

The malware, which is thought to have been created by a threat actor known as Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing sensitive data and moving laterally across a compromised network.

“More eggs gets around this by delivering malicious code to legal Windows processes and allowing those processes to perform the work,” Keplinger explained. The idea is to use resumes as a decoy in order to install malware and avoid detection.

Apart from the role reversal in the mode of operation, it’s unclear what the attackers were after, given that the intrusions were stopped before they could carry out their intentions. However, it’s worth noting that, once deployed, more eggs might be used as a launchpad for further attacks such as data theft and ransomware.

“The threat actors behind more eggs deploy a scalable spear-phishing technique that weaponizes expected communications, such as resumes, that fit a hiring manager’s expectations or job offers, targeting hopeful individuals with current or previous job titles,” Keplinger added.

“Unemployment rates have risen considerably since the COVID outbreak. It’s the ideal time to take advantage of job seekers who are in desperate need of work,” according to the studies. “In these trying circumstances, a personalised employment bait is even more appealing.”