
Tech News

Keeping You Up To Date With The Latest Tech News & Virus Threats

Cyberattackers Use HR Targets to Lay More_Eggs Backdoor


A long-active threat group known for targeting multinational financial organizations has been impersonating job seekers in order to target talent recruiters. The method is a spear-phishing campaign spreading the "more_eggs" backdoor, which is capable of executing secondary malware payloads.

Researchers from Trend Micro discovered a campaign distributing the JScript backdoor, which is part of a malware-as-a-service (MaaS) toolkit called Golden Chickens, they revealed in an analysis published this week. They believe that the campaign is likely the work of FIN6, which is known for using the backdoor to target its victims. However, Trend Micro emphasized that the nature of the malware being a part of an MaaS package "blurs the lines between different threat actors" and thus makes precise attribution difficult.

FIN6 has been known in the past to pose as recruitment officers to target job seekers, but it appears to be "moving from posing as fake recruiters to now masquerading as fake job applicants" in a shift in tactics, Trend Micro researchers wrote in a blog post about the attacks.

Trend Micro identified the campaign when an employee who works as a talent search lead at a customer in the engineering sector downloaded a fake resume from a purported job applicant for a sales engineer position. The downloaded file executed a malicious .lnk file that resulted in a more_eggs infection.


(Originally posted by Elizabeth Montalbano, Dark Reading)
Thursday, 03 October 2024
