October 4, 2024
Severity
High
Analysis Summary
A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor dubbed More_eggs, showing continued efforts to single out the recruitment industry under the guise of bogus job applications.
A recruitment officer was lured by a sophisticated spear-phishing email into downloading and running a malicious file posing as a résumé, which led to a More_eggs backdoor infection. More_eggs, which is sold as malware-as-a-service (MaaS), can steal credentials, including those for email accounts, IT administrator accounts, and online banking accounts.
More_eggs is linked to a threat actor known as the Golden Chickens group (also known as Venom Spider), and many other e-crime groups, including Cobalt, Evilnum, and FIN6 (also known as ITG08), have used it. In June, researchers disclosed a related attack that used LinkedIn as a distribution channel for fake résumés hosted on an attacker-controlled website. The lures are Windows shortcut (LNK) files that start the infection chain when opened.
The latest activity diverges slightly from the previously observed pattern: the threat actors most likely first sent a spear-phishing email to win the target's confidence and establish trust. The attack, detected in late August 2024, was directed at a talent search lead for the engineering industry. Shortly afterwards, a hiring manager used Google Chrome to download a purported résumé, "John Cboins.zip". The source of the URL this user visited remains unknown; nonetheless, the activity of both users shows that they were recruiting for an inside sales engineer position.
A "Download CV" button on that URL lures the victim into downloading a ZIP archive containing the LNK file. Notably, the previously reported attack chain used an identical website whose button downloaded the LNK file directly. Double-clicking the LNK file launches a malicious DLL and executes obfuscated commands; the DLL then drops the More_eggs backdoor through a launcher.
Before beginning its operations, More_eggs first checks whether it is running with administrator or standard user privileges. It then runs several commands for host reconnaissance, and afterwards beacons to a command-and-control (C2) server to retrieve and execute additional payloads. In another iteration of the campaign reported by the researchers, the infection chain uses PowerShell and Visual Basic Script (VBS) components instead.
The MaaS model makes attribution difficult because it lets operators outsource individual attack components and infrastructure. Since several groups can use the same toolkits and infrastructure offered by services such as Golden Chickens', distinguishing individual threat actors becomes hard. Based on the tactics, techniques, and procedures (TTPs) observed, however, the researchers assess that FIN6 was probably behind the attack.
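As an added example (not part of this advisory or of the researchers' report), the following Python check targets the delivery stage described above: a ZIP archive that carries a Windows shortcut posing as a résumé. It inspects every archive member for a shortcut, both by extension and by the LNK header bytes, so that a shortcut renamed to look like a document is still flagged. The sample archive, its member names, and the `scan_zip_for_shortcuts` / `build_sample_archive` function names are constructed for the demonstration.

```python
import io
import zipfile

# Every Windows shortcut starts with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK ShellLinkHeader).
LNK_MAGIC = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)

# Extensions a lure commonly imitates with a double extension (e.g. resume.pdf.lnk).
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".rtf", ".txt")


def scan_zip_for_shortcuts(zip_bytes):
    """Return a list of (member_name, reason) for archive entries that are LNK files.

    A member is flagged if it ends in .lnk or if its first bytes are the LNK
    header; the reason string distinguishes plain shortcuts, double-extension
    lures, and shortcuts hiding under a non-.lnk name.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            is_lnk_ext = lower.endswith(".lnk")
            is_lnk_magic = head == LNK_MAGIC
            if not (is_lnk_ext or is_lnk_magic):
                continue
            stem = lower[:-4] if is_lnk_ext else lower
            if is_lnk_magic and not is_lnk_ext:
                reason = "LNK header under a non-.lnk name"
            elif stem.endswith(DOCUMENT_EXTS):
                reason = "shortcut disguised as a document (double extension)"
            else:
                reason = "Windows shortcut in archive"
            findings.append((name, reason))
    return findings


def build_sample_archive():
    """Constructed test archive (not a real capture) shaped like the 'résumé' ZIP."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header only; no real shell link data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John Cboins.lnk", fake_lnk)          # plain shortcut lure
        zf.writestr("resume.pdf.lnk", fake_lnk)           # double-extension lure
        zf.writestr("profile.pdf", fake_lnk)              # shortcut renamed to .pdf
        zf.writestr("cover_letter.txt", b"Dear hiring manager, please find my CV attached.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_for_shortcuts(build_sample_archive()):
        print(f"{member!r}: {why}")
```

Checking the header bytes rather than the extension alone matters because Explorer hides the `.lnk` extension by default, so the victim sees "resume.pdf" either way; a mail or web gateway that only matches on `*.lnk` misses the renamed variant.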
Impact
- Credential Theft
- Financial Loss
- Command Execution
Indicators of Compromise
URL
- https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf
- http://36hbhv.johncboins.com/fjkabrhhg
- https://webmail.raysilkman.com/
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
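To support the IOC search and blocking steps above, here is an added Python example (not from this advisory or the researchers' report) that hunts for the listed URLs in proxy logs. It matches on the exact URL and, separately, on the registrable domain of each indicator, since the two `johncboins.com` indicators already differ only in their subdomain and path. The log lines, their `timestamp client METHOD url status` layout, and the `hunt` / `registrable_domain` function names are constructed for this demonstration; the domain extraction takes the last two labels of a hostname and does not consult a public suffix list.

```python
from urllib.parse import urlparse

# Indicators of compromise listed in the advisory above.
IOC_URLS = [
    "https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf",
    "http://36hbhv.johncboins.com/fjkabrhhg",
    "https://webmail.raysilkman.com/",
]


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix handling
    (good enough for the .com indicators on this page)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def ioc_domains(urls):
    """Set of registrable domains behind the IOC URLs."""
    return {registrable_domain(urlparse(u).hostname) for u in urls}


def hunt(log_lines, urls=IOC_URLS):
    """Match proxy log lines against the IOCs.

    Each line is assumed to be 'timestamp client_ip METHOD url status'
    (constructed format). Returns (exact_url_hits, domain_hits): exact hits
    require the full indicator URL; domain hits also catch rotated subdomains
    and new paths on the same IOC domains.
    """
    exact = set(urls)
    domains = ioc_domains(urls)
    exact_hits, domain_hits = [], []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the hunt
        url = parts[3]
        host = urlparse(url).hostname
        if not host:
            continue
        if url in exact:
            exact_hits.append(line)
        if registrable_domain(host) in domains:
            domain_hits.append(line)
    return exact_hits, domain_hits


# Constructed sample log, not data from the incident.
SAMPLE_LOG = [
    "2024-08-28T14:02:11Z 10.1.4.23 GET https://1212055764.johncboins.com/some/036e91fc8cc899cc20f7e011fa6a0861/sbosf 200",
    "2024-08-28T14:02:19Z 10.1.4.23 GET http://77aq1x.johncboins.com/zz9 200",
    "2024-08-28T14:03:40Z 10.1.4.23 GET https://webmail.raysilkman.com/ 200",
    "2024-08-28T14:05:02Z 10.1.4.57 GET https://www.example.com/jobs 200",
]


if __name__ == "__main__":
    exact, by_domain = hunt(SAMPLE_LOG)
    print("exact URL hits:", len(exact))
    print("domain hits   :", len(by_domain))
    for line in by_domain:
        print("  ", line)
```

In the sample, the second line (a subdomain of johncboins.com not in the IOC list) is missed by exact URL matching but caught by the domain match; blocking and hunting on the registrable domains, not just the three URLs, is what the "block all threat indicators" step should mean in practice. The cost is the occasional false positive on shared hosting, so review domain-level hits before acting on them.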