October 2, 2024 at 11:27AM
A recent spear-phishing email campaign targeted recruiters with the More_eggs JavaScript backdoor, with the actors posing as job applicants to infect recruiters' systems. The malware, attributed to the Golden Chickens group, enables credential theft, and its use has been linked to several e-crime groups. Trend Micro observed a variation of the campaign that uses PowerShell and VBS components.
From the meeting notes on Cybercrime/Threat Intelligence dated October 2, 2024, the main points of discussion are as follows:
– A spear-phishing email campaign has been identified that targets recruiters with a JavaScript backdoor named More_eggs, delivered under the pretense of fake job applications.
– More_eggs, offered as malware-as-a-service, can steal credentials for online bank accounts, email accounts, and IT administrator accounts.
– The malware is attributed to the Golden Chickens group, also tracked as Venom Spider, whose tooling has been used by multiple e-crime groups, including FIN6, Cobalt, and Evilnum.
– Trend Micro’s recent findings show a variation of the campaign in which the actors use spear-phishing emails to build trust and gain their targets’ confidence, rather than the methods observed previously.
– The observed attack targeted a talent search lead in the engineering sector: a recruitment officer downloaded a purported resume, which started the infection sequence.
– The attack chain also uses PowerShell and Visual Basic Script (VBS) components during infection.
– Because More_eggs is sold as a service and attack components and infrastructure are outsourced, attributing individual attacks to a specific threat actor is difficult. The tactics, techniques, and procedures observed nonetheless suggest that FIN6 may have been behind this attack.
– The notes close with a mention of PackXOR, a private packer used by the FIN7 cybercrime group, and its potential use with unrelated payloads such as the XMRig cryptocurrency miner and the r77 rootkit.
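The infection chain summarized above (a downloaded "resume" that is really a script, a Windows script host running it, and PowerShell launched from that script host) leaves a recognisable process-tree footprint. The following is an added example, not Trend Micro's detection logic or anything from the original report: a small triage script in Python that applies two heuristics to process-creation events. The event records (Sysmon-style `pid`/`ppid`/`image`/`cmdline`/`user` fields), the user name `hr.recruiter`, the file names and the encoded PowerShell argument are all constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon-style fields).
# Not real telemetry; the "John_Doe_Resume.js" lure and the user name are invented.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "user": "CORP\\hr.recruiter"},
    # A script host opens a .js "resume" straight out of the Downloads folder.
    {"pid": 5208, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\hr.recruiter\Downloads\John_Doe_Resume.js"',
     "user": "CORP\\hr.recruiter"},
    # That script host then spawns PowerShell with an encoded command.
    {"pid": 5344, "ppid": 5208,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA...", "user": "CORP\\hr.recruiter"},
    # Benign control: Word opening a real .docx resume should not be flagged.
    {"pid": 6010, "ppid": 4120,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" "C:\Users\hr.recruiter\Downloads\Jane_Roe_Resume.docx"',
     "user": "CORP\\hr.recruiter"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
USER_WRITABLE_DIRS = {"downloads", "temp", "appdata"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-e"}  # PowerShell's accepted spellings

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_user_writable_dir(path):
    """True if any path component is a directory an unprivileged user can write to."""
    return any(part.lower() in USER_WRITABLE_DIRS for part in PureWindowsPath(path).parts)


def script_host_findings(events):
    """Heuristic 1: wscript/cscript executing a script file from a user-writable directory."""
    findings = []
    for ev in events:
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        for arg in tokens(ev["cmdline"])[1:]:
            if PureWindowsPath(arg).suffix.lower() in SCRIPT_EXTS and in_user_writable_dir(arg):
                findings.append({"pid": ev["pid"], "rule": "script_host_user_dir",
                                 "script": arg, "user": ev["user"]})
                break
    return findings


def powershell_from_script_host(events):
    """Heuristic 2: PowerShell whose parent is a script host; note encoded commands."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        args = {t.lower() for t in tokens(ev["cmdline"])}
        findings.append({"pid": ev["pid"], "rule": "powershell_child_of_script_host",
                         "parent_pid": parent["pid"], "encoded": bool(args & ENCODED_FLAGS)})
    return findings


def triage(events):
    """Run both heuristics and return all findings."""
    return script_host_findings(events) + powershell_from_script_host(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Both heuristics will also fire on legitimate admin scripts run from a Temp directory, so treat them as triage signals to correlate with the lure context (a script file received as an attachment or download, a recruiter's workstation) rather than as standalone alerts. The second heuristic is the more specific of the two, since a script host spawning hidden, encoded PowerShell has few benign explanations.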