October 1, 2024 at 01:24PM
A threat group targeting multinational financial organizations impersonates job seekers to execute a spear-phishing campaign spreading the “more_eggs” backdoor. Trend Micro researchers linked this campaign to FIN6 and cautioned that the malware’s MaaS nature blurs threat actor lines. Vigilance and robust security measures are needed to combat this evolving threat.
From the meeting notes, it is clear that there has been an active threat group targeting multinational financial organizations by impersonating job seekers to target talent recruiters. This group is using a spear-phishing campaign that spreads the “more_eggs” backdoor capable of executing secondary malware payloads.
Researchers from Trend Micro have identified this campaign as likely the work of FIN6, a known threat actor using the backdoor to target their victims. However, the nature of the malware being part of an MaaS package makes precise attribution difficult.
Trend Micro identified the campaign when an employee downloaded a fake resume from a purported job applicant for a sales engineer position, resulting in a more_eggs infection. The threat actors have shifted tactics from posing as recruitment officers to now masquerading as fake job applicants, using advanced social engineering techniques to deceive unsuspecting recruiters.
It is emphasized that traditional anti-malware solutions should detect and eliminate an infection by more_eggs, but factors such as human fallibility and potential misconfigurations can pose a risk. Thus, organizations need to maintain continuous vigilance and implement robust threat detection measures.
Trend Micro has also shared various indicators of compromise related to the campaigns, which can be used by organizations with managed detection and response systems to set up custom filters and models tailored to detect the specific threat and automate response to an alert.